A Swiss startup called WabiSabiLabi is selling malware online, but to qualified buyers only.
This week the company has launched a security vulnerability marketplace, where details on unpatched software flaws can be bought and sold. By last night, the site was offering details on four bugs in products such as the Linux kernel and Yahoo Messenger. No bids had yet been registered, and asking prices for the research ranged between €500 (£337.90) and €2,000..
WabiSabiLabi argues that the computer industry's ethical disclosure policies have led to a raw deal for security researchers, who typically are not paid for disclosing vulnerabilities. "Nobody in the pharmaceutical industry is blackmailing researchers (or the companies that are financing the research), to force them to release the results for free under an ethical disclosure policy," the WabiSabiLabi website states.
The company bills its marketplace as a way for "security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cyber-criminals".
But to David Perry at Trend Micro, it looks like something else. "It's going to be eBay for vulnerabilities," he said.
Although WabiSabiLabi says it will sell details only to legitimate buyers, Perry is concerned that the site could be used to put dangerous information into the hands of criminals. "We're looking at the potential of cyber warfare coming up," said Perry, who is Trend Micro's global director of education. "Now we're going to peddle vulnerabilities in a winner-takes-all auction. How do we know who's good and who's bad when we do this?"
Security researcher Cesar Cerrudo said that while it's uncommon for researchers to go underground to sell their vulnerabilities, it does happen. "Researchers will try to get money in the easier and faster way, and sometimes that can only be done in the black market," said Cerrudo, chief executive of Argeniss Information Security.
WabiSabiLabi is run by Herman Zampariolo, formerly chief executive of Italian networking vendor iLight. It lists Roberto Preatoni, founder of the Zone-h.org cyber-defacement website, as its strategic director.
Like eBay, WabiSabiLabi offers sellers a variety of options. Research can be offered at a fixed price, sold at auction, or sold to a number of different buyers in what is known as a Dutch auction.
WabiSabiLabi will test the research to make sure the vulnerabilities operate as advertised, and the company will also vouch for the sellers and buyers, who can remain anonymous and trade under nicknames.
Companies such as 3Com's Tipping Point division and VeriSign's iDefence Labs have offered cash for this type of research before, but this is the first time that such an open marketplace has been created, Perry said.
Argeniss's Cerrudo doesn't share Perry's fear of the vulnerabilities being misused. "This is already happening in the underground," he said, "but with a public service like this, I think things are a little clearer."