For a long time the business of vulnerability research has been complicated with concerns around responsible disclosure. In the perfect world, when research identifies critical vulnerabilities, the appropriate vendor(s) are notified, and a patch is released swiftly to negate the threat. In this way the process works for the ‘common good’, improving everyone’s security.
Obviously, things do not always work that way – there are several points at which the process can fail, ranging from vendors not being notified before public (full) disclosure, to the patch not being produced quickly enough by the vendor. The most often criticized component in the process is the researcher – the person probing the software to find the bugs. Developments over the past 5 years (for example 1, 2) have put a financial value on vulnerabilities, providing a mechanism for these researchers to make a living from their work.
Many argue that researchers who invest a great deal of their own time finding vulnerabilities and disclosing the details responsibly to vendors should receive some form of payment. But the introduction of money brings its own complications – chief of which is in direct contrast to the fundamental principles of responsible disclosure. As soon as a vulnerability is disclosed to the vendor, its value drops – the vendor will publish a patch. We enter a market where the bad guys may pay more for a new vulnerability, in order to use it maliciously, without disclosing any information to the vendor.
Last week saw the release of a website providing an auction site for vulnerabilities. To quote from the site:
"This exchange will create a portal where researchers, security vendors and software companies can interact in an open market to enable researchers to obtain the correct value for their findings. The exchange will become a global database of every IT security research ever found."
A black market will always exist for the trade of this sort of information, and we should note that this is far from the first website to provide a mechanism for the buying and selling of vulnerabilities.
A handful of vulnerabilities can already be seen available for sale on the site.
An auction site such as this raises several concerns. Questions over the procedure for controlling who can actually purchase vulnerability details are not addressed by the single, rather woolly statement on the site:
"Buyers will also be carefully vetted before being granted access to the auction platform so that the risk of selling the right stuff to the wrong people is minimized."
There is little doubt that this site will gather some attention, but it will never become the ‘global database of every IT security research’. Despite its attempts at a polished, professional appearance, you have to question its existence. A recent posting on their blog does little to sway this opinion, with a call for iPhone ‘research’ which frankly touches on incitement.