It has long been customary, as a sort of condition of truce between software vendors and hackers, that vulnerabilities discovered by security researchers are first disclosed to the affected vendor, or to a maker of security software.
Those who didn't comply were branded "black hat" or worse, and could expect to be blamed for compromised systems.
This custom constitutes blackmail, says Roberto Preatoni, strategic director of WabiSabiLabi, a market for tested vulnerabilities and exploits.
ITWeb Security Summit 2008
The ITWeb Security Summit 2008 takes place from 6 to 8 May at Vodaworld, Midrand. More information is available online.
"Security researchers have no duty, no obligation to disclose their findings to the vendor," says the Italian hacker and security lecturer. "The problem is, the market as it is built today is blackmailing researchers on ethical grounds to disclose findings to vendors. It's a way for vendors to force researchers to get findings for free. Usually vendors work together with a lobbyist press to support this idea [that it's only ethical to do so]."
By way of analogy, he adds: "If you apply the same logic to pharmaceutical companies, they should disclose discoveries for free on the basis that it's useful to humanity."
Some might argue that pharmaceutical companies have exactly that obligation, but Preatoni's argument is about economics as much as about doing the right thing.
"The ethical thing," says Preatoni, "is to pay security researchers for a job they're doing, a job that's not been done by the vendor because of the cost of maintaining a thorough testing department. Competition is driving them to release products as early as possible, which means they sell vulnerable software, so they don't carry the cost of securing their own software."
This thinking led him to become involved with WabiSabiLabi, an online market where security vulnerabilities and exploits can be offered for sale by researchers.
Exploits submitted for sale are first verified by WabiSabiLabi, and a method of sale is agreed with the seller. Options range from set-price sales to single buyers, to open auctions.
"We have an obligation," points out Preatoni, "which is to try to do our best to understand in which hands the exploits end up. We don't allow anonymous buyers to buy anything. Any buyer should be carefully identified. For example, we ask the buyer to submit a landline number, and check that the person really exists. Then the person should submit a passport copy, which could be fake, but we only accept and release payment to bank accounts that match the passport. So it's difficult to fake all this."
The market has received 200 submissions so far, and though only a fraction have been sold, prices range from EUR200 to as much as EUR5 000.
"Organised crime doesn't need to come to WabiSabiLabi," he adds. "The black market has existed for a long time, and they are happy to pay a higher price anonymously, rather than going to the trouble of gaining access to our marketplace."
Another benefit of such an open vulnerability market is that it alerts users to vulnerabilities that would otherwise remain under wraps for days, weeks or even months, while vendors or security companies develop patches.
However, the success of the marketplace was threatened late last year by the arrest of Preatoni. As a penetration tester for Telecom Italia, he got caught up in a complicated and widespread investigation involving his employer, which was locked in corporate battles with both rivals and government. His arrest was one of many, and was soon overturned by the courts, but it was, and remains, damaging for a company whose success depends on trust.
Preatoni has vowed to continue working with WabiSabiLabi.
The ITWeb Security Summit 2008, to be held from 6 to 8 May at Vodaworld in Midrand, will be the first time since this announcement that he will take a public stage. He promises to explain how the WabiSabiLabi concept works, and why such a market for vulnerabilities is not only defensible, but desirable.