7/18/2007

Hypocrisy in the Exploit Market


In the recent frenzy of comments on WSLabi that appeared after our first round of press-releases, we came across one post that we consider particularly interesting.
It has been written by Ben Laurie and posted on his blog. This post deserves to be commented a little, as it partially hits some good points but it also shows evidences of lobby-driven press coverage influence (we are referring here to some articles recently appeared on the press).
In bold, our comments.

_________________________________________________________________

"I am amused to read about an auction site for zero-days. Why am I amused? Not because I think that selling zero-days is cool, but because of the massive hypocrisy by other zero-day vendors.

“How do you know bidders aren’t people with nefarious purposes”

wails Terri Forslof of zero-day vendor, TippingPoint. I don’t know, Terri, but I’ve been wondering how you figure that out for some time.

Companies like TippingPoint and VeriSign’s iDefense both pass along details of vulnerabilities they buy to the affected software vendors, and both withhold public disclosure of the flaws until the vendor has shipped a “patch” to plug the security holes.

Aren’t they nice? They only tell paying customers about the flaws before they’re patched. That’s clearly different from WabiSabiLabi, who only tell paying customers about the flaws before they’re patched. Oh, wait…

There is a good point here about the traditional vendor's business model and "responsible disclosure" policy but also a misunderstanding that we need to clarify.

WSlabi is indeed introducing a step-ahead in the way the disclosure is handled. In fact, everybody can get informed about the existence of a vulnerability just by browsing our marketplace. They don't need to buy the related security research in order to be alerted while, with traditional security vendor's business model, only the paying customers gets alerted.

Now, who is more ethical?

This really does amuse me, though

WabiSabiLabi’s founder said the company currently has no plans to notify affected vendors, saying that could ultimately decrease the price buyers are willing to pay for any one vulnerability.

Now, the dodgy geezers at WabiSabiLabi are trying to convince us that they would only sell to well-intentioned people. How can they possibly square that with the idea that buyers will pay more for unfixed vulnerabilities? What possible good motive could such a buyer have?

Of course, I’m having a hard time figuring out why anyone would be buying these vulnerabilities in the first place: perhaps the story is that they will get competitive advantage by being able to claim that they have fewer vulnerabilities? I’m looking forward to the adverts: “XYZ - now with fewer security holes than competitive products! Get it before they outbid us!”.

Any security company, which is doing legitimate penetration tests and rendering security services to customer might be interested in buying from the marketplace.

The reason it's obvious as it gives a huge competitive advantage against the competitors.

Having clarified these points, we really enjoyed Ben's post. We'd like to see more of such challenging and constructive comments...