If you've been in the security sector for any length of time, you've come across bugs in products. And if you're like me, you've encountered some significant flaws in widely used commercial products.
One is then forced to wonder how the heck the code tree is controlled at these places, especially since most of these problems seem to reappear after new releases. No matter, you are excited at the prospect of reporting your findings so you gear up to prepare a report. Because you are honest and you'd hate to see your organization or anyone else fall victim to an exploit, you go through the normal process, careful to operate within the fine lines that etiquette dictates.
But wait, something is wrong.
The vendor isn't reacting the way you had expected. Incredibly, the company never responds. Puzzled, you try again and again. Finally you receive a notice that states your findings are not a problem, rather, the product works as designed. Furious, you release your findings to any and all of the popular bug tracking mailing lists.
Forty-eight hours later, the very same company releases a critical update to their product with zero mention of you.
Sound familiar? Of course it does.
This hypothetical scenario has turned many a mild-mannered security researcher into a salty, cussing buccaneer. Wouldn't it be nice if you could actually get some kind of recognition for your efforts? Even better, how about a cash reward?
Fresh Exploits, Get Yer Exploits Here!
Today, that pipe dream has become reality thanks to the folks at Switzerland-based WabiSabiLabi (WSLabi). In the spirit of eBay, you can now go to their site, create an account, and buy and sell exploits. Of course you'll have to go through a vetting process, which requires you to submit a copy of your ID before you can complete an auction. But hey, if you have eight bucks, you can be anyone you like. Perfect!
For the legitimate researcher, this may break open a new revenue stream while, at the same time, opening a fast track of attack vectors via a supermarket of exploit code available to crime groups and various other shady individuals. Most security experts agree that this new auction approach to exploit code is dangerous. Many of the experts I've spoken to believe that the site will do nothing more than provide a way for extortionists to make money.
"In any other venue, people would be up in arms over this," said one computer security professional. "We know that most legitimate security researchers do not do it for the money, while we also know that most criminal researchers are out looking for a payday. This site provides yet another revenue stream for criminals."
Even with all of the press on WSLabi, right now there are only four live auctions on the site, with one bid on a kernel exploit. The amount of that bid is 550 euros, which is just a touch over $750.
WSLabi states, "Both researchers and buyers will have to identify themselves to WSLabi to ensure they are legitimate. Researchers cannot submit security research material which comes from an illegal source or activity. Buyers will also be carefully vetted before being granted access to the auction platform so that the risk of selling the right stuff to the wrong people is minimized."
One has to ask, "How will you know if research material comes from an illegal source or activity?"
Unlike tangible goods that have serial numbers, research materials are next to impossible to validate. Interestingly, the only mention of validation is how WSLabi will make sure that the proof-of-concepts actually work. "WSLabi will then verify the research by analyzing and replicating it at their independent testing laboratories. They will eventually then package the findings with a Proof of Concept; this can then be sold to the marketplace via three methods from the marketplace platform..."
So there you have it, folks. It remains to be seen if this new marketplace will actually take off, but one thing is for sure: even if this venture fails, the black market for exploits is still teeming with life.
If you can't sell your exploits at WSLabi or any other venue of the like, there is no shortage of shady characters willing to lay down cash for your discoveries. And this will not change anytime soon.
Article courtesy of Enterprise IT Planet