7/10/2007

Squeezing the lemon twice


WabiSabiLabi's philosophy is to provide a way to maximize Security Researchers' rewards.

We consider the Security Researcher a valuable asset of the company. In this view, besides the revenues generated by the marketplace, we are willing to provide the Security Researcher with a system that guarantees a stream of extra revenue over time, based on our Vulnerability Sharing Club (VSC) program.
Each Security Research sold through the marketplace without the "Buy exclusively!" option will automatically qualify for WSLabi's VSC program.

Each of those Security Researches will be assigned a value in thousands (rounded up to the next thousand), corresponding to the maximum price at which it was purchased through the marketplace.

Example:

To make it simple, let's assume that our VSC program lists only two hypothetical security researches, submitted by two different researchers to the marketplace. The first is sold at a maximum price of 4,000 euros, while the second is sold at a maximum price of 16,000 euros.


The assigned points will be:


- 4 points to researcher 1

- 16 points to researcher 2

Total assigned points = 20


At the end of each quarter, 10% of the revenues generated by our VSC program will be distributed to both researchers, proportionally to the assigned points.
If, for example, the VSC program generated revenues of 200,000 Euros in the fiscal quarter, 20,000 Euros will be assigned to the researchers:

Researcher 1: 20,000 / 20 (total assigned points) * 4 = 4,000 Euros

Researcher 2: 20,000 / 20 (total assigned points) * 16 = 16,000 Euros


Every three months (fiscal quarter) the points for each Security Research contained in WSLabi's VSC package will be assigned to the corresponding Security Contributor.
At that point, a share of the total revenues generated by VSC sales will be distributed among the Security Contributors, proportionally to the total points assigned to them.

As long as the Security Research stays in the VSC package, the Security Contributor will keep collecting royalties on his intellectual property.
Each Security Research will continue to count as long as it has not become public, patched or outdated, and in any case for a maximum period of 1 year.

If the Security Research is related to a vulnerability that has become public, patched or outdated by new software releases, it will be removed from our VSC program and the relevant points will be deducted from the corresponding Security Contributor's total starting from the next quarter.

In a nutshell: WabiSabiLabi contributors will be rewarded:


- from the marketplace, with the additional possibility of performing multiple sales of the same security research, and therefore getting paid more than once

- from our VSC program, where submitted vulnerabilities will earn a share of the revenues generated by marketing the VSC services. The share will be proportional to the price obtained through the marketplace and will last until the vulnerability becomes patched, disclosed or outdated, and for a maximum period of 1 year.

21 comments:

Anonymous said...

That's actually hyper-cool, good idea!

Anonymous said...

yeah, this sounds interesting on many levels...

Anonymous said...

Any way to allow the seller to set the length of the auction? And maybe for a 5% fee have wabisabi send emails to all buyers.

WabiSabi Labi said...

The length of the auction is already decided together with the seller. Emails are already sent (for each newly posted vulnerability) to all those who registered and asked to receive a notification.

Anonymous said...

So... 90% of the VSC revenues go to WSLabi, right? Or have I misunderstood something?

WabiSabi Labi said...

Yes, just as 90% of the revenues coming from the marketplace go to the researcher (for the next six months it will be 100%).

Anonymous said...

How is selling a vulnerability in a Microsoft product to someone other than Microsoft responsible? No matter how much the buyer is evaluated, I don't see how that can be responsible.

This will only fuel the debate about making vulnerability discovery illegal.

WabiSabi Labi said...

Congratulations! You hit the bull's eye.

The point is that today vulnerabilities are either sold to security vendors (who disclose them to the software vendor at their own discretion, or not at all) or to the black market.

If you feel that vulnerabilities are a "software vendor only" matter, then you cannot deny that through this marketplace the vendors get immediate notice of their existence.

At that point, it's up to them to decide what to do. Nobody here is forbidding them to place a bid.

Don't forget (as you can read on our FAQ page) that we leave it to the researcher to decide whether to disclose it to the relevant software vendor or not. The marketplace will report his decision on the matter.

Anonymous said...

If Researcher Abel sells 1 vuln for $1000, for a total of $1000, and Researcher Cain sells 10 vulns for $999 each, for a total of $9990,

then Abel will get 1 point and Cain will get 0 points, even though Cain had more sales and did more research.

Or did I miss the part where WSLabi assigns fractions of a point?

WabiSabi Labi said...

No, anything UP TO 1000 will count as 1 (rounded to the upper limit). In this way, Abel will get 1 point and Cain 10 points (provided that the 10 vulns sold by Cain were all different).

Anonymous said...

What happens if two researchers submit the same/similar vulnerabilities? Will they both be able to auction it, setting different minimums and lengths? Or will the first be the only one?

It seems that the lemon might be squeezed more than twice...

If the second researcher is rejected, they could make a public release, destroying the value in the marketplace.

WabiSabi Labi said...

We tend to serve on a first-arrived, first-served basis.
If the second reseller decides to disclose the vulnerability, just to ruin the business of the guy who discovered it before him, of course nobody can deny him the right to do it. But I guess he should consider that next time the situation might be reversed...
In this view, we tend to believe that ethical people will behave in a fair way.
The whole security industry is based on trust, after all.

Anonymous said...

As long as you keep publishing the details of the vulnerabilities, it's a matter of days before someone else finds and publishes them.

I.e., until you change the system to hide the details of the vulnerability while still giving enough information, not many people are going to use it.

P.S. Start answering your phone.

WabiSabi Labi said...

Yes, you are right, we are learning over time. In the future we'll be careful not to reveal too much.

About answering the telephone, when calling us you should take into account our timezone (GMT+1) and the Swiss national/regional holidays.

PS: we are implementing an answering machine; we are a startup, and people tend to judge us as if we had been on the market for ages...

A hug

Anonymous said...

A hypothetical situation: a really lame, one-of-a-kind piece of software is used by a network of well-known websites and potentially reveals sensitive information worth, let's say, mid 5 digits for our target audience (I am trying to deduce a legitimate sale price for something I can easily imagine a criminal paying 10 times that).
Is there any way to sell such a thing using your site?
I mean, if you disclose 10% of what it is, it is shut down the same day.
Or maybe I am missing the whole point?

WabiSabi Labi said...

That kind of vulnerability is not one we would like to see traded on our website.
We keep receiving submissions of such vulnerabilities and we keep rejecting them.

Anonymous said...

Hi guys,
I am a bit confused by the "condition that the provided security research material must not come from an illegal source/activity".
Whose jurisdiction is taken into consideration?
Is it possible for one to find a vulnerability on a remote computer whose owners never permitted such a quest, in such a way that the source/activity of the research findings would be considered legal by you?
Another question, and I do not insist on an answer on the same occasion: you will release the info only by order of a Swiss court, but what are (are there?) the cases when you are obligated to inform the authorities of information you've been provided with?

WabiSabi Labi said...

"I am a bit confused by the "condition that the provided security research material must not come from an illegal source/activity".
Whose jurisdiction is taken into consideration?"

Generally we'll refer to Swiss jurisdiction, which pretty much lays out the same rules as the EU and US.

"Is it possible for one to find a vulnerability on a remote computer whose owners never permitted such a quest, in such a way that the source/activity of the research findings would be considered legal by you?"

In that case, we would consider the submission not appropriate for our marketplace.

"Another question, and I do not insist on an answer on the same occasion: you will release the info only by order of a Swiss court, but what are (are there?) the cases when you are obligated to inform the authorities of information you've been provided with?"

Any case involving criminal activity; this is why we tend to be picky in evaluating submissions and possible buyers.

Anonymous said...

How will you evaluate a submittal in software that costs several thousand per license?

Will you request to use the researcher's systems? Request a video of the attack? Or just simply reject it?

WabiSabi Labi said...

We have our own laboratories as well as a large network of corporate clients that have agreed to let their systems be used for testing. In exchange, they will benefit from advance knowledge of the existence of the vulnerability.

Anonymous said...

In addition to the post from anon and wabisabi on July 18, 2007 1:16 AM

Turning away another seller would falsely inflate the value in the marketplace. Take for example the early auctions that were pulled because the vulnerabilities were very simple and easy to find. If the other researchers had all posted their findings here, the value would have fallen to 0 in the marketplace, reflecting the actual value of these easy-to-find vulns.