There’s a new Switzerland-based startup launching called WSLabi that is setting up shop to let “security researchers” sell vulnerabilities they find in software through an auction format. Its stated goal is to become a legitimate clearinghouse for vulnerabilities, although some may say it’s just organized blackmail.
Only four vulnerabilities are currently listed, including a Yahoo Messenger client-side bug described as (see image above) “Remotely exploitable by any user in the victim’s address book (some interaction from the victim is required). Arbitrary code execution possible but non-trivial. Detailed analysis and DoS PoC available.” The opening bid is 2,000 Euros.
The product FAQs state that all purchasers will be “carefully evaluated” to “minimize the risk of selling the right stuff to the wrong people.” But for most vulnerabilities there is only one appropriate buyer, the vendor whose software is affected (Yahoo, in the case above); it’s unclear who else should be authorized to purchase such information.
The company says that they are simply trying to take activity that’s happening underground into a legitimate marketplace. Perhaps, but this thing doesn’t seem to be fully baked.