Security Firm WSLabi develops Auction Site for Zero-Day Bugs

WSLabi site screenshot

Wabisabilabi (AKA WSLabi), a vendor-independent Swiss laboratory, is in the process of enabling hackers, security experts and software companies to sell vulnerability data to security dealers and software firms.

The company claims to offer the very first zero-day vulnerability security research exchange.

Herman Zampariolo, chief executive at WSLabi, stated, “We set up this portal for selling security research because, although there are many researchers out there who discover vulnerabilities, very few are able or willing to report it to the ‘right’ people due to the fear of it being exploited.”

Zampariolo added that even though researchers had studied approximately 7,000 publicly revealed vulnerabilities in 2006, the number of new vulnerabilities detected in code could be as high as 139,362 a year.

“Our intention is that the marketplace facility on WSLabi will enable security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cyber-criminals,” he said.

Interested researchers first need to register, after which they can submit their findings to the exchange. WSLabi will then confirm the research by analyzing and duplicating it at its independent testing lab.

After that, WSLabi will package the findings with a proof of concept, which can then be sold through the marketplace platform using one of three methods:

  • Starting an auction with a predefined starting price
  • Selling to as many buyers as possible at a fixed price
  • Selling it exclusively to one buyer

Roberto Preatoni, strategic director at WSLabi, said: “Before we have even launched the marketplace there are already three new vulnerabilities available from security researchers.

“The vulnerability research is associated with Linux, Yahoo Messenger and SquirrelMail.

“This shows that this venture is filling a gap within the security research market, a place where security researchers are confident that they will get the right value for their findings.”

Experts and buyers must, however, identify themselves to WSLabi so that it can make certain they are genuine.

Researchers may not, under any circumstances, submit security research material obtained through an illegal source or activity.

Buyers, too, will be carefully examined before they are given access rights to the auction platform, in order to reduce the risk of selling the right things to the wrong people.

Researchers and buyers can use the marketplace absolutely free of charge for the first six months.

Although all parties must identify themselves to WSLabi, no personal information will be revealed or placed in the public domain. Each buyer and seller will trade under a nickname.

The exchange also aims to build a global database of “every piece of IT security research ever found”.

So now, if you detect a security vulnerability in Windows, Linux, etc., you know exactly what to do.