Security vulnerabilities open for bidding
by Stephen Withers
Monday, 09 July 2007
The motivation for creating malware has switched from fame to money, and a Swiss operation thinks security researchers are ready to make a similar transition.
"[A]lthough there are many researchers out there who discover vulnerabilities very few of them are able or willing to report it to the right people due to the fear of being exploited," said Herman Zampariolo, CEO of WSLabi.

Buyers and sellers of information will be required to identify themselves to WSLabi, but nicknames will be used by the parties. Sellers can choose between a straight auction, exclusive sale at a fixed price, and non-exclusive sale at a fixed price. WSLabi officials say they will help security researchers determine the method that should maximise their returns.

The company also says it will verify submitted vulnerabilities in its own testing labs, and will vet prospective buyers "so that the risk of selling the right stuff to the wrong people is minimized."

The auction site has been running for almost a week. Four vulnerabilities are on offer (Linux kernel memory leak, Yahoo Messenger remote buffer overflow, Squirrelmail GPG plugin command execution, and MKPortal SQL injection), but only one bid has been made on the Linux and Squirrelmail issues. The €600 bid for the Squirrelmail vulnerability is well below its "buy now" price of €1750.

WSLabi will not charge a commission during the first six months of operation. According to CNet, it intends to levy a 10 percent fee on buyers and sellers.

WSLabi's marketplace raises two main issues. Firstly, is it right that researchers are compensated for their efforts at a market-determined price (as are the programmers that create the vulnerable software in the first place), or is this a form of extortion? Should vulnerabilities in commercial software be treated differently to those in open source and other non-commercial projects? Secondly, can the company be relied on to exercise due diligence in checking the identities and backgrounds of buyers and sellers?

The New York Times quoted David Perry, director of education at Trend Micro, as saying "who is to judge if the buyer on this auction is a criminal, or a hostile foreign government, or what? There are well known and well established methods to bid on an auction anonymously. Like the cartoon said, 'On the Internet, nobody can tell you're a dog.'"