Wednesday, July 11, 2007

Zero-day auction

From the recent media coverage, slashdotting, list banter, and blog posts, many know about WabiSabiLabi’s new zero-day auction. Much of the conversation revolves around ethics, “is this good for the community?”, speaking in the best interest of consumers, software vendors, security researchers, and security vendors. The ethics are important, sure, but I don’t think they’ll have a whole lot to do with whether or not the marketplace gets off the ground.

For my part I believe vulnerabilities have value, and where there is value there will be a marketplace for traders (above ground or underground). The traders being security vendors (IDS/IPS/VA), security researchers, software vendors, and the black hats. Security vendors already buy vulnerabilities from researchers, through TippingPoint’s ZDI initiative for instance, and rumor has it black hats are opening their pocketbooks as well.

That means the only group not participating so far is software vendors, and of course they’re not going to want to pay for something they’ve always gotten for free. So it’s easy for them to say “IT’S BLACKMAIL!”. My question for them is, despite how they feel, do they have a responsibility to at least attempt to bid for a vulnerability to defend their customers? I think so. That, and invest more into their SDLC so there is less to bid on.

Will auctions impact the value of a vulnerability by making its existence known? It should, probably both positively (causing a bidding frenzy) and negatively (letting others know where to look). Either way the bidders will have to adjust their price tolerance accordingly, but it shouldn’t put the kibosh on the whole idea. What I like about the idea is that it gives researchers more options. If they want to put their vulnerabilities on the open market, they can. If they choose full disclosure, OK. If they want to sell discreetly to TippingPoint or go to the software vendor directly, they have the choice.

For the time being I’ll stick to my original comment:

“All this would take is a couple of successful transactions, and it could cause a big shift in the way we traditionally think about the vulnerability disclosure process.”


Anonymous said...

I think selling a vulnerability to someone other than the vendor is highly unethical, no matter if they check their buyer or not. It feels a bit like going on eBay and selling a copy of the key to someone’s house.


Jeremiah Grossman said...

I’m not saying you’re right or wrong ... but what do you think about governments weaponizing this area? i.e. finding vulnerabilities, creating exploits, and developing malware. Software vendors are not notified.