Every once in a while I read something in the news that is so outrageous that I just have to rant a bit, so here goes. The founders of a certain Web site, WabiSabiLabi, have recently announced their intention to create and run a vulnerability auction site. They will verify that each vulnerability that is reported is bona fide and will provide a proof of concept with each vulnerability they sell. Initially (i.e., for the first half year) access to the site will be free; afterwards buyers and sellers of vulnerability information will be assessed a charge of 10 percent for each transaction in which they engage. Ultimately, the founders of this site think that the majority of the profits they make will come from services based on a vulnerability knowledge base that will be built from the vulnerability information that is auctioned.

The founders of the WabiSabiLabi site claim that by holding auctions for vulnerability information they will be bolstering the practice of information security. They assert that currently the researchers who discover vulnerabilities must too often resort to giving away the information they discover for free; the information may even fall into the hands of computer criminals. Instead, according to the founders, researchers will be compensated fairly for their efforts. WabiSabiLabi is being funded by individual investors.

I have no argument with those who criticize the way that vulnerability information is currently disseminated. Anyone who finds a vulnerability is currently in many respects stuck between a rock and a hard place. Vendors in whose products vulnerabilities are found put pressure on vulnerability researchers to disclose what they have found to them and only them. Many vendors look down upon (and too often openly criticize) vulnerability researchers who do not promptly disclose vulnerabilities exclusively to them. At the same time, however, many vendors act in a less than desirable manner once they obtain new vulnerability information in that they tend to be much too slow in developing, testing and distributing suitable patches. While the vendor takes its own sweet time, other vulnerability researchers (or worse yet, the black hat community) might discover and announce the same vulnerability, robbing the original finder of credit for originally discovering the vulnerability. Vulnerability researchers who simply publicly post their discoveries receive credit for finding vulnerabilities, but are widely criticized (especially by vendors) for posting such information before patches are available.

Now enter WabiSabiLabi, which is promising to fill the pockets of vulnerability researchers (while filling its own pockets even more). What WabiSabiLabi’s founders do not realize is that by creating an auction site for vulnerability information, they are raising the stakes of vulnerability management higher than ever before. With the highest bidder receiving the early vulnerability information, and with no scrutiny of whether that bidder’s intended use of the information is legitimate, WabiSabiLabi is opening the door for organized crime, pernicious governments, and unethical individuals to pool resources to win auctions. The white hat community will be forced to spend more than ever before to have a chance of winning auctions, and the more that is spent in auctions, the fewer resources will be available for badly needed security controls. Furthermore, many of the so-called “vulnerability researchers” are actually nothing more than members of the black hat community, who will undoubtedly be delighted that WabiSabiLabi will provide them with a large part of their livelihood. So much for WabiSabiLabi’s founders’ claims that they are actually improving the practice of information security.

What we have here is a major ethics issue, one that WabiSabiLabi has entirely overlooked. Vulnerability information ending up exclusively in the hands of the highest bidder means, in effect, that ethical considerations are completely ignored by the seller. Becoming, in effect, an employer of the black hat community and its activities is unconscionable. There appears to be one and only one logical course of action for information security professionals: to refuse to participate in WabiSabiLabi’s vulnerability auctions and thus not aid and abet the enemy, so to speak. At the same time, however, there is some consolation: reports indicate that to date not many individuals and organizations have registered for the auctions. There are, after all, many other potential sources of early vulnerability information, and WabiSabiLabi is by no means the only player in town. Perhaps reason and ethics will ultimately prevail, and WabiSabiLabi will change its approach to disseminating vulnerability information.

