WabiSabiLabi Walkthrough

Hello folks, since we received a lot of questions about the whole marketplace procedure we'd like to point out some of our policies.

First thing, the researcher needs to sign up to our website: from this point on he can start submitting his work to the lab.

Please note that before selling anything, he'll be asked to fax or email his ID card details and a landline phone number, which we'll use to verify his identity.

We usually need full details about a vulnerability, so we might start a direct correspondence with the researcher, if necessary. Every communication is encrypted with PGP/GPG (here's our public key).

Once we get all the required details we can start testing the vulnerability.
Although we are doing our best to speed up this part of the process, it still requires some days: you can help us by sending as much information as you have about the vulnerability, e.g. debugger output, commented proofs of concept and, in case it's a complicated vulnerability to exploit, step-by-step methods to trigger it.

Despite the dedicated entry on our F.A.Q. page, we are often asked which vulnerabilities we will accept or reject:

- all vulnerabilities related to network services, network clients, standalone clients, web applications and network devices are accepted and tested.

- we DO NOT accept vulnerabilities in specific websites, like for example eBay, Gmail, Hotmail, online casinos etc.

Once the vulnerability has been tested and accepted, we decide a starting price and a selling strategy together with the researcher, who will then receive our NDA. This must be returned signed, via fax or mail.

At this point we are ready to publish the vulnerability.

When the vulnerability is sold we will pay the researcher via PayPal to his verified account or via wire transfer to his bank account.

If you want to be a bidder all you have to do is subscribe to our portal and provide the papers required to check and verify your identity. Please note that we only accept payments coming from a verified bank account in your name.

That's all.

Our purpose is to raise awareness, reduce risk and contribute to the research of new vulnerabilities, by both helping and protecting researchers and giving them appropriate compensation for their amazing work.

1 comment:

Anonymous said...

When an item is auctioned multiple times does it receive a new ID number each time?

I'm interested to see you sell something Dutch, haven't seen you actually use this sales method yet.