Over the last couple of years, we've seen the full spectrum of disclosure and "research" portals arrive on the scene; examples range from the Malware Distribution Project to 3Com/TippingPoint's Zero Day Initiative. Both of these examples illustrate ways of monetizing the output of vulnerability research.
Good, bad or indifferent, one would be blind not to recognize that these services are changing the landscape of vulnerability research and pushing the limits which define "responsible disclosure."
It was only a matter of time until we saw the mainstream commercial emergence of the open vulnerability auction, which is just another play on the already contentious marketing efforts blurring the line between responsible disclosure for purely "altruistic" reasons and disclosure for commercial gain.
Enter Wabisabilabi, the eBay of Zero Day vulnerabilities.
This auction marketplace for vulnerabilities is marketed as a Swiss "...Laboratory & Marketplace Platform for Information Technology Security" which "...helps customers defend their databases, IT infrastructure, network, computers, applications, Internet offerings and access."
Despite a name which sounds like Mushmouth from Fat Albert created it (it's Japanese in origin, according to the website), I am intrigued by this concept and whether or not it will take off.
I am, however, a little unclear on how customers are able to purchase a vulnerability and then become more secure in defending their assets.
A vulnerability without an exploit, some might suggest, is not a vulnerability at all -- or at least it poses little temporal risk. This is a fundamental debate of the definition of a Zero-Day vulnerability.
Further, a vulnerability that has a corresponding exploit but no countermeasure (patch, signature, etc.) is potentially just as useless to a customer, since there is no way to protect yourself with it.
If you can't manufacture a countermeasure, even if you hoard the vulnerability and/or exploit, how is that protection? I suggest it's just delaying the inevitable.
I am wondering how long until we see the corresponding auctioning off of the exploit and/or countermeasure? Perhaps by the same party that purchased the vulnerability in the first place?
Today, in the closed-loop subscription services offered by vendors who buy vulnerabilities, the subscribing customer gets the benefit of protection against a threat that they may not even know they have. But for those who can't or won't pony up the money for this sort of subscription (which is usually tied to owning a corresponding piece of hardware to enforce it), there exists a window between when the vulnerability is published to subscribers and when this knowledge is made available universally.
Depending upon the size of this delta, these services may be doing more harm than good to the greater populace.
In fact, Dave G. over at Matasano argues quite rightly that by publishing even the basic details of a vulnerability, "researchers" will be able to more efficiently locate the chunks of code in which the vulnerability exists and release this information publicly -- code that was previously not even known to have a vulnerability.
Each of these example vulnerability service offerings describes how the vulnerabilities are kept away from the "bad guys" by qualifying their intentions based upon the ability to pay for access to the malicious code (we all know that criminals are poor, right?). Here's what the Malware Distribution Project describes as the gatekeeper function:
Easy; it keeps most, if not all, of the malicious intent outside the gates. While we understand that it may be frustrating to some people with the right intentions not to be allowed access to MD:Pro, you have to remember that there are a lot of people out there who want to get access to malware for malicious purposes. You can't be responsible on one hand, and give open access to everybody on the other, knowing that there will be people with expressly malicious intentions in that group.
ZDI suggests that by not reselling the vulnerabilities, but rather protecting its customers and ultimately releasing the details to other vendors, it is giving back:
The Zero Day Initiative (ZDI) is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com later provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.
As if you haven't caught on yet, it's all about the Benjamins.
We've seen the arguments ensue regarding third-party patching. I think that this segment will heat up because in many cases it's going to be the fastest route to protecting oneself from these rapidly emerging vulnerabilities you didn't know you had.