Despite mixed reactions from the security and software industry, the WabiSabiLabi software vulnerability auction site is doing well.
This is according to strategic director Roberto Preatoni, speaking at ITWeb Security Summit 2008, in Midrand, today.
Since its inception in July 2007, the site has amassed 1 500 subscribers. Security researchers have submitted more than 230 software vulnerabilities. "Software is sold vulnerable and these vulnerabilities have a value, so why not create an open marketplace in which to sell them?" asked Preatoni.
Software is sold with stringent licence agreements that no other industry would dare attach to a product or service, he noted. "Software is sold with no reverse engineering capabilities and the vendor is so protected by law. How do we know what is concealed in there?"
He used the motor industry as an example, saying that if cars are discovered to be defective, they are returned to the manufacturer, who takes on the liability for those faults. "It should be the same in the IT industry, because lives are also connected to well-functioning software."
This is one reason WabiSabiLabi was created. Another is to balance the security marketplace and give security researchers a possible source of revenue for the service they provide.
Preatoni believes security researchers are seen negatively, as long-haired, malicious, underground hackers. However, he said this is a mischaracterisation: they provide a valuable service to security and software vendors, as well as to the public. "They are securing your machines."
The industry does not provide an adequate environment for researchers to earn revenue from the work they do. "Security researchers' work is exploited for free due to ethical blackmailing, wrong laws, abusing the de-facto position and the misconception of the researchers' role."
WabiSabiLabi provides a platform on which security researchers can not only sell the vulnerabilities they discover, but can choose to do so either to the highest bidder or through mass selling. Initially, Preatoni wanted to give vendors the first option to purchase a vulnerability from the auction; however, several legal advisors explained that this could be considered blackmail.
WabiSabiLabi vets buyers and sellers, requiring a passport copy and a landline contact number, and double-checking the banking details against those sent to the site. In this way, said Preatoni, the site curbs illegal purchases.
Software vendors, for the most part, are angry at the concept of a vulnerability marketplace, while others, such as Microsoft, have been open-minded about the site and have even given positive feedback.
Preatoni listed the top 10 "hit parade" of companies that most often check the WabiSabiLabi Web site. They are, from least to highest activity: SAP, VeriSign, Oracle, the US Army, F-Secure, Symantec, Veritas, IBM, Microsoft and Cisco, with Cisco taking the lead.