eBay for security vulnerabilities

The Swiss site wslabi.com is offering vulnerability information to the highest bidder.

From their press release:

“According to Herman Zampariolo, CEO of WSLabi: ‘We decided to set up this portal for selling security research because, although there are many researchers out there who discover vulnerabilities, very few of them are able or willing to report them to the right people due to the fear of being exploited. Recently it was reported that although researchers had analyzed a little more than 7,000 publicly disclosed vulnerabilities last year, the number of new vulnerabilities found in code could be as high as 139,362 per year. Our intention is that the marketplace facility on WSLabi will enable security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cyber-criminals.’”

I’m not sure what to make of this…

On one hand, it funds security researchers so they can continue their work, and it forces (…) software vendors to keep up with the discoveries. It may even help put a price on software security effort: any flaw not caught during development has to be paid for once it is discovered.

On the other hand, it may let malicious buyers obtain vulnerabilities before they can be fixed. Imagine a flaw in a major transactional system that would allow huge financial gains (or worse, one of military value): it could be bought by someone with more money, or better judgement, than the vendor of the software.

Obviously this has huge ethical implications. It will be interesting to see how the founders of the site cope with this, and how they deal with it in the event of misuse by a bidder.