There are many ways vulnerability information can get out to the industry but a controversial new site, auctioning such information to the highest bidder, may be the wave of the future.

The auction service, called WabiSabiLabi, lets potential sellers and buyers connect eBay-style, with timed bidding periods and minimum starting prices. Founders of the wslabi.com site say their auction house serves the researchers who discover vulnerabilities and often don’t reap monetary rewards for their time and talent.

The business model is based on a practice that eBay shut down 16 months ago saying it promoted illegal activity. At the recent Black Hat show, published reports stated that 88% of respondents to an online poll said using such sites is dangerous. While it is accepted that researchers deserve to be paid for their work, selling to the highest bidder is frowned upon.

Click to see: What's a vulnerability worth?

WabiSabiLabi disagrees, saying its e-marketplace, where any qualified buyer can bid, will actually discourage those who discover vulnerabilities from selling them on black markets to criminals who try to turn them into money.

The company says it checks out buyers and sellers before they can trade. “We are very aware about the risks of selling vulnerabilities, and this is why we subject buyers to deeper scrutiny, to minimize the risk of selling the wrong information to the wrong people,” WabiSabiLabi says in its ethics statement. “We require non-anonymity from buyers and sellers alike. The stakes are just too high at this point in history.”

Even so, the marketplace, which started business six weeks ago, is being eyed cautiously by entities dedicated to eliminating vulnerabilities quickly to avoid criminal exploitation.

“I don’t think it’s necessarily good for the community,” says Jason Greenwood, the general manager of VeriSign’s iDefense team, which pays bounties — sometimes tens of thousands of dollars — to researchers who discover vulnerabilities. “It will increase the perceived value of vulnerabilities, and the good guys already have trouble competing with the money you can get on the black market.”

"There's a real danger that a number of these vulnerabilities will be purchased by buyers who do not turn them over to the vendors," says Terri Forslof, manager of security response for Tipping Point. "Once a vulnerability is turned over to a vendor its value starts to depreciate immediately. If someone paid lots of money for a vulnerability — say $75,000 to $100,000 — I guarantee they're not giving it to the vendor. Otherwise they've wasted their money."