Ben Laurie blathering

Hypocrisy in the Exploit Market

I am amused to read about an auction site for zero-days. Why am I amused? Not because I think that selling zero-days is cool, but because of the massive hypocrisy by other zero-day vendors.

“How do you know bidders aren’t people with nefarious purposes”

wails Terri Forslof of zero-day vendor TippingPoint. I don’t know, Terri, but I’ve been wondering for some time how you figure that out yourself.

Companies like TippingPoint and VeriSign’s iDefense both pass along details of vulnerabilities they buy to the affected software vendors, and both withhold public disclosure of the flaws until the vendor has shipped a “patch” to plug the security holes.

Aren’t they nice? They only tell paying customers about the flaws before they’re patched. That’s clearly different from WabiSabiLabi, who only tell paying customers about the flaws before they’re patched. Oh, wait…

This really does amuse me, though:

WabiSabiLabi’s founder said the company currently has no plans to notify affected vendors, saying that could ultimately decrease the price buyers are willing to pay for any one vulnerability.

Now, the dodgy geezers at WabiSabiLabi are trying to convince us that they would only sell to well-intentioned people. How can they possibly square that with the idea that buyers will pay more for unfixed vulnerabilities? What possible good motive could such a buyer have?

Of course, I’m having a hard time figuring out why anyone would be buying these vulnerabilities in the first place: perhaps the story is that they will get competitive advantage by being able to claim that they have fewer vulnerabilities? I’m looking forward to the adverts: “XYZ – now with fewer security holes than competitive products! Get it before they outbid us!”.

1 Comment

  1. Hi, we came across your post and we decided to include it in our latest blog post:

    We tried to answer some of your questions; I hope our answers will help you to understand better what we are doing at WSLabi.


    WSLabi staff

    Comment by zero — 18 Jul 2007 @ 2:49
