Topic: Auctions for Hackers - WabiSabiLabi site sells vulnerabilities

[Amker]

This is a site where security researchers auction their most recent disclosures. Is this right? Sure, it's great that these guys are finally getting some dough for all their work, but what if these flaws are bought out by hackers that will never disclose them to the original program/site creators? I don't think that's too good, well... let's just think about it, if you were to buy such a vulnerability for, let's say $75-100.000 would you 
give it to the vendor? Or would you make a profit out of it?  Of course you wouldn't give it to the vendor, that's
stupid! That would mean throwing your money out the window!

The system is similar to eBay's. You have to create an account, that will be checked in order for them to discover whether you're a malicious user or not. (I really wonder how they do that since most hackers know how to stay stealthy) After that, you can participate in any auction, and, of course, the discovery goes to the highest bidder.

As I've seen on NetworkWorld, there are several good things about this, though, for example, not everyone will know about the vulnerabilities but only one person. So, if he or she has no evil intentions, flaws can be fixed before hackers can get hold of them. Also, this will increase the value of vulnerabilities earning researchers more money.

A similar service was conducted by eBay some time ago, but they decided to withdraw it, because it was considered to be dangerous for Internet security. There has been a poll about this and 88 percent of the people that were questioned have responded that they consider such sites a threat, as NetworkWorld informs. In my opinion, this type of site can be great, if used adequately.
cw