Sunday, July 29, 2007

A marketplace for software vulnerabilities

The July 21, 2007 issue of The Economist has an article about a Swiss company that has opened a market for software vulnerabilities:
Since economics, like nature, abhors a vacuum, a small industry of “security companies” has emerged to exploit the hackers' dilemma. These outfits buy bugs from hackers (euphemistically known as “security researchers”). They then either sell them to software companies affected by the flaws, sometimes with a corrective “patch” as a sweetener, or use them for further “research”, such as looking for more significant—and therefore more lucrative—bugs on their own account. Such firms seek to act as third parties that are trusted by hacker and target alike; the idea is that they know the market and thus know the price it will bear. Often, though, neither side trusts them. Hackers complain that, if they go to such companies to try to ascertain what represents a fair price, the value of their information plummets because too many people now know about it. Software companies, meanwhile, reckon such middlemen are offered only uninteresting information. They suspect, perhaps cynically, that the good stuff is going straight to the black market.

Last week, therefore, saw the launch of a service intended to make the whole process of selling bugs more transparent while giving greater rewards to hackers who do the right thing. The company behind it, a Swiss firm called WabiSabiLabi, differs from traditional security companies in that it does not buy or sell information in its own right. Instead, it provides a marketplace for such transactions.

A bug-hunter can use this marketplace in one of three ways. He can offer his discovery in a straightforward auction, with the highest bidder getting exclusive rights. He can sell the bug at a fixed price to as many buyers as want it. Or he can try to sell the bug at a fixed price exclusively to one company, without going through an auction.

WabiSabiLabi brings two things to the process besides providing the marketplace. The first is an attempt to ensure that only legitimate traders can buy and sell information. (It does this by a vetting process similar to the one employed by banks to clamp down on money launderers.) The second is that it inspects the goods beforehand to make certain that they live up to the claims being made about them.

Herman Zampariolo, the head of WabiSabiLabi, says that hundreds of hackers have registered with the company since the marketplace was set up. So far only four bugs have been offered for sale, and the prices offered for them have been modest, perhaps because buyers are waiting to see how the system will work. A further 200 bugs, however, have been submitted and are currently being scrutinised.
