Via News.com -
An eBay-like auction site that sells vulnerabilities will improve security by ensuring researchers get a fair price for their work, its founders say.
"The existing business model to reward researchers is a failure," said Herman Zampariolo, chief executive of WSLabi, and the man behind the WabiSabiLabi auction site. A tiny minority of vulnerabilities currently get patched, he said, because IT experts aren't paid for their work in uncovering them: "If the firemen are not paid, it's not easy to extinguish a fire."
"As long as vulnerabilities are bought and sold privately, the value can't be the right one," Zampariolo said. "Our intention is that the marketplace facility on WSLabi will enable security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cybercriminals," he added.
The site currently holds a remote buffer overflow in Yahoo Messenger, a Linux kernel memory leak, an SQL injection flaw in MKPortal and a SquirrelMail problem.
Although researchers analyzed around 7,000 vulnerabilities last year, he reckons the actual number of vulnerabilities found in code per year could be 139,362--a curiously exact figure, originally quoted by Gunter Ollmann of security company ISS, now an IBM subsidiary.
This situation led Zampariolo, previously chief executive of Italian network company iLight, to set up the WabiSabiLabi site, along with strategic director Roberto Preatoni, founder of the Zone-h.org cybercrime archive. So far, no bids have been posted, possibly because of delays in identifying the buyers, each of whom must use snail mail or fax to deliver proof of their identity and their bank account--electronic currencies are not accepted on the site. Around 20 buyers have been registered so far, as well as 30 sellers, who have provided another batch of flaws that should be on the site next week.
"We are going full steam ahead," Zampariolo said. "More vulnerabilities have been submitted, and we are certifying and formatting them. Tomorrow is Saturday, and no one is going home."
----------------------------
WSLabi, a Swiss marketplace and Lab for Security Research Exchange (WSLabi), has been founded by a group of security professionals who were unsatisfied by the way zero-days research is handled and security researchers are rewarded. The company will facilitate sale/purchase of Security Research by providing a secure market environment to maximize the security researcher's reward.
No comments:
Post a Comment