WabiSabiLabi, which bills itself as the eBay of software vulnerabilities, has borrowed a page from used car salesmen, except instead of talking up their affordable rates and low down payments, the outfit is championing the sale of a nasty sounding exploit that puts Unix boxes at risk.
The vulnerability resides in ClamAV, an open source anti-virus toolkit for Unix-based email gateways. Two weeks ago, WabiSabiLabi listed the auction of exploit code that targets the antivirus program, so far without a single person bidding on it. Enter the group's marketing monkeys, who in a blog post are trying to drum up interest.
"It has been recently submitted to our labs a vulnerability that allows a malicious user to execute arbitrary code on the machine running one of the utilities of the ClamAV suite by simply sending a specially crafted email to the vulnerable mail server," the spinmeisters write (their emphasis). "This vulnerability has a starting price of 500 euros: bid on that and, as a security company, you will gain a very high competitive advantage."
The selling of exploits for cash is becoming increasingly common as security researchers try to recoup compensation for what often amounts to hundreds of hours in the lab turning a vague theory about a weakness into a proof-of-concept code. While shopping around vulnerabilities can sometimes be a contentious issue, it has been embraced by at least two mainstream security companies that say the practice goes a long way to making their customers safer.
"It's one thing to market your program and market the existence of it," says Terri Forslof, manager of security response for TippingPoint, whose Zero Day Initiative pays bounties to researchers for responsibly disclosing vulnerabilities. "It's another to try and use something like that and specifically market that vuln. If anything, it just seems kind of cheesy to me."
WabiSabiLabi's carnival barking comes almost two weeks after Roberto Preatoni, the group's founder, was among those arrested by Italian police investigating a spying scandal involving Telecom Italia. WabiSabiLabi issued a press release saying "we are confident that his innocence will be established if a case ever comes to court."
The shameless plug also comes amid what might be considered less-than-spectacular enthusiasm for WabiSabiLabi's vulnerability marketplace. In all, it records 38 auctions listed since the site went live in August. Of the 19 listings currently pending at the time of writing, only two had bids, and in each case, there was only one bid. Furthermore, seven listings were scheduled to expire in less than nine hours, and none of them had attracted a single bid.
Representatives from Switzerland-based WabiSabiLabi weren't immediately available for comment.
In all, WabiSabiLabi claims to have received more than 150 vulnerability submissions, and that raises another question: What is it doing with all of those exploits? The company says it's rejected about 40 entries because researchers used illegal methodologies such as reverse engineering of protected software to discover them.
Even still, there's a wide gulf between the remaining 110 submissions and the 38 that have been publicly brokered, and that has Forslof scratching her head about things like whether the group sells some exploits privately before listing them on its marketplace.
"When I look at that I can't say what number of those were valid, [and] what the process is to vet those out," she says. "What I'd still like to see from them is quite a bit more transparency." ®