By Andy Greenberg
In the summer of 2005, Charlie Miller was working in his living room
when he discovered a hackable vulnerability in a common species of
server software. Miller knew he had found something dangerous. But until
he offered his prize to a government agency five months later, he had no
idea just how much it was worth.
"I asked for $80,000," he says. "When the guy on the phone agreed
immediately without consulting his boss, I knew I should have asked for
In fact, the unnamed agency eventually bargained the price for the
information, an exploitable bug in the Linux server program Samba, down
to $50,000. And what did the agency do with its newly purchased security
hole? Miller received his check and didn't ask questions.
"They didn't buy it in order to patch it," Miller says. "I can speculate
that it wasn't exactly used for the common good."
Miller's experience, described in a paper he presented to the Workshop
on the Economics of Information Security at Carnegie Mellon last June,
highlights a growing problem in computer security. When the industry's
ever-larger ranks of independent researchers find exploitable
vulnerabilities in software, they're forced to price their discoveries
on an ad hoc basis with no sense of fair market value. And even worse,
independent researchers are often tempted to sell to the highest bidder,
not the buyer most likely to use the data responsibly, or even one whose
identity and motives are clear.
Today, several IT security companies are moving into that chaotic
marketplace to broker a more equitable exchange of software bugs for
dollars. These vulnerability traders argue that they're giving hackers a
less harmful avenue to profit from their skills. But they also raise
questions about where to draw the line in legitimizing an industry that
some security professionals say borders on extortion.
The newest market-maker in the IT security field has a strange name:
WabiSabiLabi. But the Chiasso, Switzerland-based company has a serious
purpose: It offers an eBay-style Web auction platform for security bugs.
Launched last Tuesday, the site is already auctioning off four
exploitable software flaws, including one in Yahoo!'s instant messenger
program, which has a minimum bid of 2,000 euros.
Even in a seemingly trivial program like Yahoo! Messenger, a
vulnerability can be used to steal data from corporate or government
servers, says WabiSabiLabi's Chief Executive Herman Zampariolo. He says
the company performs background checks on all buyers to ensure that they
have no record of criminal hacking. Bugs sold on the site are intended
only for legitimate purposes like penetration testing.
Zampariolo notes that a small fraction of the site's 34,000 unique
visitors have come from the U.S. military. Software companies themselves
can also buy information about flaws in their own programs, but rarely
do, for fear that offering a bounty would only draw more hackers to
WabiSabiLabi, whose name combines a Japanese word for "imperfection" and
a German abbreviation for "laboratory," tests each vulnerability to
ensure it fits the seller's description, and in six months plans to
begin charging a 10% commission for its services.
"The IT security market is totally based on finding vulnerabilities,"
says the company's strategic director, Roberto Preatoni. "But the
industry doesn't properly value independent researchers. They're told
that to be ethical, they must disclose their findings for free. It's
like blackmail. We believe they should be able to profit from their
So does Adriel Desautels, whose company, Netragard, also buys and sells
vulnerabilities, sometimes paying researchers as much as $200,000 for a
single flaw. Desautels performs background checks on all clients and
sees his company as a healthy alternative to the black market, which is
always hungry for new ways to steal corporate secrets and credit card
But Dave Aitel, chief technology officer of another vulnerability
broker called Immunity, says that security professionals will never be
able to offer hackers as much money for software bugs as the bad guys.
"It's hard to say no if the black market offers you $300,000," Aitel
says. "But with us, at least you get a fair valuation and you know that
we're bound by the law. The mafia tends to break your knees if they want
a cheaper price."
In the eyes of some security professionals, Immunity and Netragard
themselves are far from saintly: Neither company reports all of its
vulnerabilities to the software's manufacturer upon acquiring them,
since doing so would devalue the bugs they purchase. In other words, the
vulnerabilities they buy often stay unpatched, and so do the software's
3Com's Zero-Day Initiative, by contrast, always reports the bugs it buys
immediately. That means weaknesses are quickly patched, making users
more secure but reducing the price the company can pay hackers. The
Zero-Day Initiative won't say how much it offers for each vulnerability,
but Miller estimates that the company pays a maximum of around $10,000
per flaw. That's not enough to have kept him from looking to more
generous -- and less virtuous -- buyers, Miller says.
According to IBM's X-Force Research security team, that's one more
reason that buying bugs, even with the intention of reporting them, is
only encouraging an industry that thrives on extortion. "It's a false
economy," says X-Force's Team Manager David Dewey.
Dewey sorts hackers into three types: black hats, white hats and gray
hats. "The black hats will always sell to the highest bidder, which is
the underground," he says. "The white hats aren't motivated by money. So
the best you can do with a bug bounty program is sway some of the grays,
at the expense of security technology as a whole."
Dewey argues that the money spent buying bugs from hackers could be
better invested in full-time research teams: The only way to control a
freelance hacker, he says, is to give him a job. But as the IT security
field matures and becomes more mainstream, Dewey admits that more
independent researchers than ever are flooding the software
So how to keep them from selling their findings to the criminal
"It can't be prevented," says Dewey. "As long as there are talented
researchers and someone to pay them, it's going to keep happening. We
just have to find the bugs first."