WSLabi, a Swiss security research lab, has announced its effort to create an online marketplace for security research: an auction site dedicated to selling security exploits, where researchers, security vendors and software companies can bid to buy code vulnerabilities.
The company claims the existing business model for rewarding researchers is a failure. In 2006, more than 7,000 flaws were publicly disclosed, but WSLabi says that number could easily reach 139,362 if there were safe methods for disclosing flaws, along with a way for researchers to be compensated for their work.
"Our intention is that the marketplace facility on WSLabi will enable security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cyber-criminals," said Herman Zampariolo, head of the auction site.
Of course, this practice is bound to raise some concerns. However, the company says that buyers will be carefully vetted to minimize the risk of selling information to the wrong people. Any exploit submitted to the site must be disclosed to WSLabi, which will verify that it is genuine and provide a "proof of concept" to the eventual buyer.
Sellers can list an exploit in an auction with a predefined starting price, sell it to as many buyers as possible at a fixed price, or sell it to a single buyer. Some code vulnerabilities have already been listed on the site, including a remote buffer overflow in Yahoo Messenger, a Linux kernel memory leak, an SQL injection flaw in MKPortal and a SquirrelMail problem.