Security

An eBay For Hackers

cyberdelicat writes to let us know about a Swiss security firm called WabiSabiLabi that is causing waves with its open auction for zero-day security vulnerabilities. While WSLabi claims they will thoroughly vet both buyers and sellers of vulnerabilities, many researchers are skeptical about how effectively they can do this. The Washington Post article mentions the guy who almost opened a similar auction site several years back, to be called Zero-Bay, but pulled the plug at the last minute. SearchSecurity notes that some security researchers are now referring to WSLabi as "zerobay" as they undermine the auction site by reproducing and publishing vulnerabilities as soon as they appear for sale.
  • Hmm (Score:2, Insightful)

    by UncleWilly ( 1128141 ) * <[moc.liamg] [ta] [70ylliWelcnU]> on Saturday July 14, 2007 @10:11PM (#19863799)
    Only 4 Items for sale...and 550 euro for the Linux Kernel memory leak sounds fishy with only 1 bid
  • Re:Sounds dumb (Score:4, Insightful)

    by Nazlfrag ( 1035012 ) on Sunday July 15, 2007 @02:11AM (#19864937) Journal
    There is nothing I can think of that is illegal about not immediately disclosing any security vulnerability a professional researcher or basement-dwelling hacker stumbles across. There is also nothing illegal about providing exploit-riddled software according to licenses I've read. What is illegal is robbing people's bank accounts. I'm fairly sure that these guys aren't planning to keep the best hacks undisclosed while they rob banks (though it would be an interesting twist). I'm fairly sure they will be able to track the dissemination of these exploits far better than the existing markets.

    Researching security holes should be a legitimate and profitable R&D investment, and should be done in an up front manner such as this rather than via the black market where your dire vision already thrives.

  • Well it depends (Score:4, Insightful)

    by Sycraft-fu ( 314770 ) on Sunday July 15, 2007 @04:22AM (#19865371)
    Quite often, it is illegal to sell someone something if you should reasonably know they are planning on using it for an illegal purpose. As a simple example, a gun dealer is in a world of shit if someone comes in and says "I need a gun so I can go kill my wife, what do you have for me?" Basically, you are an accessory to a crime if you have or should reasonably have knowledge that a crime is going to be committed and you provide support, material or otherwise, for the commission of the crime. So while not disclosing a vulnerability is legal, selling it to someone that you have a good idea is going to use it for criminal means is illegal. The ignorance defense only goes so far; while being an accessory requires knowledge of the crime (you can't be charged for letting someone in a house if you legitimately believed they should be there, for example), it doesn't require that it was spelled out for you. If there was enough evidence that you should have known what was happening and were just being willfully ignorant, that doesn't cut it, especially if there was profit involved.

    There are additional problems when you start dealing with certain classes of items. If something has substantial legal uses you are on much more solid ground. To use the gun example again, guns are widely used for hunting, target shooting, personal and home defense, all perfectly legal uses. Thus it isn't a stretch to assume someone has a legal use for it, unless there's specific reason to believe otherwise. However, if the item in question has little to no legal use, then there can be problems. I see exploits as being mostly in this category. Other than the companies, who really has a legit use for the details behind an exploit? Now this isn't a challenge to try and come up with obscure reasons someone might want it, it is something to think about in general. What would people by and large want to buy these for? If the majority of realistic answers are illegal ones, then you can have a real problem when you sell it if you aren't real careful.
