Software Vulnerability Auction Stokes Researchers
Last week, a number of news outlets spotlighted a Swiss Internet start-up -- curiously named "WabiSabiLabi" (pronounced "wobby-sobby-lobby") -- that is trying to establish an eBay-style auction site for software security vulnerabilities. I held off on covering this important story because I wanted to gauge the level of interest from members of the security research community. Today, washingtonpost.com ran a story I wrote that presents some of their reactions to the new service.
Recent news, incorporated into the story, shows that some in the research community are already injecting creative disruption into the nascent marketplace:
"Ironically, one inherent threat to each seller and to the auction house itself is the information contained in WabiSabiLabi's listings. Within hours of posting basic details about the four flaws on its auctions page, hackers on two different security research forums claimed to have located two of the vulnerabilities up for auction, posting computer code to back up their claims.
"[WSLabi CEO] Zampariolo confirmed that one of the vulnerabilities publicly reported by researchers indeed was the exact same as a flaw being auctioned on the site -- a bug in an add-on component of an open source e-mail application called "SquirrelMail" -- and that it had since been patched by the vendor. However, he said the site is preparing to start an auction on a new flaw found in the newest, patched version of SquirrelMail.
"The second auction researchers claimed to have foiled was instructions for exploiting a known vulnerability in the Linux operating system. The instructions hackers posted online for exploiting that flaw were similar to the exploit currently up for auction, WabiSabiLabi technicians told washingtonpost.com in an e-mail.
"The company is touting both incidents as an example of how their service will serve to make software users safer in the long run."
Read more: Site Plans to Sell Hacks to Highest Bidder.