
"We decided to set up this portal for selling security research because although there are many researchers out there who discover vulnerabilities, very few of them are able or willing to report them to the right people due to the fear of being exploited," Herman Zampariolo, the company’s CEO, said in the statement.
"Our intention is that the marketplace facility on WSLabi will enable security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cybercriminals."
The new business raises the debate over responsible disclosure. Some critics today denounced the venture, saying it invites criminal buyers and exposes end-users to unnecessary risk.
According to the company, registered users can sell their research – once verified by WSLabi’s own laboratory – through an auction, to as many buyers as possible at one price, or privately to a single purchaser.
Both buyers and sellers will be examined to ensure they are legitimate, according to the announcement.
"Researchers cannot submit security research material which comes from an illegal source or activity," the statement said. "Buyers will also be carefully vetted before being granted access to the platform so that the risk of selling the right stuff to the wrong people is minimised."
But Gunter Ollman, director of security strategy for IBM Internet Security Systems, told SCMagazine.com today that he disagrees with the auction site's approach.
"It’s a close match to what’s been existing in the underground," he said. "We’ve got the same sort of people finding these bugs, looking to make money off these bugs, and here we have another channel for them to potentially sell them."
Experts said that legitimate researchers do not want to get paid extra for their findings, which are a part of their jobs.
Ollman added that he wonders how effective the vetting process is and whether WSLabi is profiting through the research, perhaps through penetration tests or consulting services.
Meanwhile, John Hill, security evangelist at McAfee, told SCMagazine.com that he worries identity thieves claiming to be reputable researchers may try to purchase the vulnerabilities.
He also questions whether policies are in place to guarantee that sellers will not turn around and peddle the same research in an underground forum. And Hill said he doubts WSLabi plans to report the research to the appropriate vendors, as the bounty programs at TippingPoint and VeriSign iDefense do, thereby exposing end-users to risk.
Roberto Preatoni, WSLabi's strategic director, did not immediately return an email seeking comment.
So far, four vulnerabilities – among them, a Linux kernel memory leak and a Yahoo Messenger 8.1 remote buffer overflow – are listed on the marketplace. Asking bids range from $681 to $2,724. The only bid offered so far is for a SquirrelMail GPG plug-in command execution exploit.