Monday, July 9, 2007

Buy your exploits here?

Are you in the market for a previously undisclosed exploit and/or vulnerability? If so, maybe you should check out the WabiSabiLabi MarketPlace, an online exploit auction site (or not).

So far, I have only seen four exploits listed for sale with only two receiving bids. Supposedly, I can become the high-bidder on a Yahoo! Messenger 8.1 remote buffer overflow exploit for only 2000 Euro (~$2720 US).

Let’s take a look at this.

The Site

If you have used eBay or U-Bid before, you already understand how online auctions work, so I won’t explain any of that.

What sets this online auction site apart from others is the merchandise: previously undisclosed exploits. Upon first examination the site appears to be legitimate, but due to my nature I want to dig a little more.

Call me naïve, but I gotta tell ya I am a bit suspicious.

First off, I had not heard of “WabiSabiLabi Ltd.” before this encounter. Before I do business with anyone, I certainly want to know who they are and rarely will I take their word for it.

There is little or no history of the company presumably because they are a startup. DNS provides little information as it is a GoDaddy private registration. The site itself (http://www.wslabi.com/) is hosted through California Regional Intranet, Inc. (cari.net).

Let’s say for a second that I have a “zero-day” exploit that I would like to profit from, and let’s say that I am a good guy (I am!). Should I sell my work through WabiSabiLabi and trust that they will make sure it is sold to another good guy?

WabiSabiLabi FAQ:
Q: Can everybody purchase vulnerabilities from the market place?

A: No, all purchasers will be carefully evaluated before granting them access to the market platform to minimize the risk of selling the right stuff to the wrong people.

Personally, I would like a little more disclosure on “how” WabiSabiLabi will evaluate a purchaser.

Now let’s say that I am a bad guy with a zero-day exploit to sell. Should I sell my work through WabiSabiLabi and risk disclosure of my identity or should I sell it to the highest bidder within “my network”? This is a simple question to answer!

Hey, maybe I am a bad guy with money to buy a zero-day exploit. Will the exploit be worth squat after the extensive “hinting” that takes place by disclosing even trivial details on http://www.wslabi.com/?

And lastly, let’s say I am a good guy again (following me?) and I work for one of the vendors mentioned with an exploit on http://www.wslabi.com/. Would I buy? What happens if I don't buy the exploit when I could have and it turns out to be a good one that causes harm to my customers? This scenario could hurt. Tough decision, but almost sounds like blackmail by WSLabi.

There is just not enough information on http://www.wslabi.com/ for me to make the decision to disclose anything, i.e. submit any zero-day information I had on hand. I agree that security researchers need to get paid for their work as I know the work can be extremely detailed, time-consuming, and stressful. I am just not convinced that this is the place to do it. I will take a wait and see approach to this one.

You will have to make your own decision.

WabiSabiLabi Information, According to the site:
“WSLabi laboratory in Switzerland covers a large quantity of high-severity ITSEC issues through its global research network of independent security researchers and third part organizations”

Their motto: “The art of continuous improvement of imperfect security”

Their Blog: http://wabisabilabi.blogspot.com/