There has been some press this month about a new market for software vulnerabilities called WabiSabiLabi. The name is fascinating in its own right (wabi-sabi is a Japanese aesthetic that prizes impermanence and imperfection), but it’s the market that’s really intriguing.
Taking a black market white
It’s a pretty sure bet that hackers have been selling vulnerabilities for as long as software has existed. Some hackers are clearly bad (black hats) and either use these vulnerabilities themselves or sell them to other criminals. Other hackers are clearly good (white hats) and report these vulnerabilities (because they are ethical, or because they are afraid of jail time) to the people who can fix them.
But what about all those hackers (or “security researchers”) who are neither black nor white … who are not particularly ethical or unethical, but just want a fair price for the knowledge they have?
As an example, Mozilla’s current scheme for encouraging people to report Firefox vulnerabilities hardly seems compelling: five hundred dollars and a t-shirt. A great price if my vulnerability is minor. A terrible price if I could use it to steal thousands of credit card numbers. (Of course, this leaves out the cost of getting caught, which matters a lot to some people and not so much to others.)
So fair valuation of vulnerabilities seems like a good place to start getting hackers to be less bad. And WabiSabiLabi is hoping their market will become the place where fair valuation occurs. If they succeed they will have created a white market for what often happens on the black market. And that, in and of itself, would be a great service to all computer users.
Trust me, but don’t know me
To succeed WabiSabiLabi will have to solve many problems, but perhaps the paramount one is that of trust. All sides in this market have reasons to be mistrustful. Here’s just a short list:
* Hackers have to trust that they won’t be prosecuted for any vulnerabilities they report (or be identified in any way that might link them to their previous illegal activity).
* Buyers have to trust that the hackers haven’t previously sold the vulnerability to someone else.
* Buyers have to trust that the market maker (WabiSabiLabi) has verified the vulnerability (since they won’t be able to verify it themselves before they buy it).
* Hackers have to trust WabiSabiLabi to give buyers enough information to communicate the importance of the vulnerability, but to withhold enough that the buyers can’t work it out for themselves. (Honestly, this puts WabiSabiLabi in a tricky ethical position: what if a vulnerability could, for example, bring down the internet? Wouldn’t ethics require them to report it to the appropriate authorities? And in that case, would the hacker still get paid, and if so, by whom?)
* Governments and software producers have to trust that the other buyers on the market are legitimate. (But would the market really work if all of them were “legitimate”?)
To be half-baked, or liquid
These are all fairly high hurdles for WabiSabiLabi to clear. It’s not for nothing that TechCrunch called this idea half-baked. And half-baked it may be, but it is a worthy idea to pursue … if it can actually be done.
WabiSabiLabi has their work cut out for them.
If a vulnerability were auctioned on the internet, and no one bid on it, would it be worth anything …?
As always, thanks for listening.
~alex
If you’re interested in reading more about software vulnerabilities markets, check out:
http://ddanchev.blogspot.com/2006/05/shaping-market-for-security.html
http://ddanchev.blogspot.com/2005/12/0bay-how-realistic-is-market-for.html (which includes links to appropriate academic research)
http://labs.idefense.com/
and http://www.zerodayinitiative.com/
Also, it’s nice to know that I beat The Economist to a story.
This week they led the Science and Technology section of the magazine with this one: http://www.economist.com/science/displaystory.cfm?story_id=9507422