Security vulnerabilities open for bidding

The motivation for creating malware has switched from fame to money, and a Swiss operation thinks security researchers are ready to make a similar transition.
WSLabi has set up a marketplace allowing security researchers to sell the fruits of their labours without accepting whatever 'bounty' (if any) the corresponding developer offers, or having to resort to the black market.

"[A]lthough there are many researchers out there who discover vulnerabilities very few of them are able or willing to report it to the right people due to the fear of being exploited," said Herman Zampariolo, CEO of WSLabi.

Buyers and sellers of information will be required to identify themselves to WSLabi, but nicknames will be used by the parties.

Sellers can choose between a straight auction, exclusive sale at a fixed price, and non-exclusive sale at a fixed price. WSLabi officials say they will help security researchers determine the method that should maximise their returns.

The company also says it will verify submitted vulnerabilities in its own testing labs, and will vet prospective buyers "so that the risk of selling the right stuff to the wrong people is minimized."

The auction site has been running for almost a week. Four vulnerabilities are on offer (Linux kernel memory leak, Yahoo Messenger remote buffer overflow, Squirrelmail GPG plugin command execution, and MKPortal SQL injection), but only one bid has been made on the Linux and Squirrelmail issues. The €600 bid for the Squirrelmail vulnerability is well below its "buy now" price of €1750.

WSLabi will not charge a commission during the first six months of operation. According to CNet, it intends to levy a 10 percent fee on buyers and sellers.

WSLabi's marketplace raises two main issues.

Firstly, is it right that researchers are compensated for their efforts at a market-determined price (as are the programmers who create the vulnerable software in the first place), or is this a form of extortion? Should vulnerabilities in commercial software be treated differently from those in open source and other non-commercial projects?

Secondly, can the company be relied on to exercise due diligence in checking the identities and backgrounds of buyers and sellers? The New York Times quoted David Perry, director of education at Trend Micro, as saying: "who is to judge if the buyer on this auction is a criminal, or a hostile foreign government, or what? There are well known and well established methods to bid on an auction anonymously. Like the cartoon said, 'On the Internet, nobody can tell you’re a dog.'"