7/10/2007

Squeezing the lemon twice


WabiSabiLabi's philosophy is to provide a way to maximize Security Researchers' reward.

We consider the Security Researcher a valuable asset of the company. In this view, besides the revenues generated by the marketplace, we are willing to provide the Security Researcher with a system that guarantees a stream of extra revenues over time, based on our Vulnerability Sharing Club (VSC) program.
Each Security Research sold through the marketplace without the "Buy exclusively!" option will automatically qualify to enter WSLabi's VSC program.

Each of those Security Researches will be assigned a value in thousands (rounded up to the next thousand), corresponding to the maximum price at which it was purchased on the marketplace.

Example:

To keep it simple, let's assume that our VSC program lists only two hypothetical security researches, submitted to the marketplace by two different researchers. The first is sold at a maximum price of 4,000 euros, while the second is sold at a maximum price of 16,000 euros.


The assigned points will be:


- 4 points to researcher 1

- 16 points to researcher 2

Total assigned points = 20


At the end of each quarter, 10% of the revenues generated by our VSC program will be distributed to both researchers, in proportion to their assigned points.
If, for example, the VSC program generated revenues of 200,000 Euros in the fiscal quarter, 20,000 Euros will be assigned to the researchers:

Researcher 1: 20,000 / 20 (total assigned points) * 4 = 4,000 Euros

Researcher 2: 20,000 / 20 (total assigned points) * 16 = 16,000 Euros


Every three months (fiscal quarter) the points for each Security Research contained in WSLabi's VSC package will be assigned to the corresponding Security Contributor.
At that point, a share of the total revenues generated by the VSC sales will be distributed among the Security Contributors, in proportion to the total points assigned to them.

As long as the Security Research stays in the VSC package, the Security Contributor will keep collecting royalties from his intellectual property.
Each Security Research will be counted as long as it has not become public, patched or outdated, and in any case for a maximum period of 1 year.

If the Security Research relates to a vulnerability that has become public, been patched, or been made outdated by new software releases, it will be removed from our VSC program and the relevant points will be deducted from the corresponding Security Contributor as of the next quarter.

In a nutshell, WabiSabiLabi contributors will be rewarded:


- from the marketplace, with the possibility of selling the same security research multiple times and therefore being paid more than once

- from our VSC program, where submitted vulnerabilities earn a share of the revenues generated by marketing the VSC services. The share will be proportional to the price obtained through the marketplace and will last until the vulnerability is patched, disclosed or outdated, and for a maximum period of 1 year.