Page 2 of 2
"By releasing this zero-day information you put customers at risk," said Alexander Kornbrust, the managing director of Red Database Security GmbH and a researcher credited with uncovering dozens of security holes in Oracle Corp. databases.
Others are worried about how zero-day sales will affect public perceptions of security researchers and hackers.
"Having a zero-day eBay is dangerous for the community because it will enforce the idea that hackers are criminals," said Alessio Pennasilico, a security evangelist at Alba S.T. S.r.l. who has uncovered vulnerabilities in the software used to control industrial equipment found in factories and power plants.
"I will never buy or sell a zero-day on a site like that," Pennasilico said.
But some people are willing to give WabiSabi Labi a try, at least under certain circumstances.
"If the vulnerability affects an open-source project, I wouldn't sell it. But if a vulnerability affects a big commercial vendor, and I know that vendor is usually not responsive on security bugs, then I would probably sell it," said Andrea Barisani, chief security engineer at Inverse Path Ltd.
But Barisani, who discovered a vulnerability that allows false messages to be injected into satellite navigation systems, knows the people behind WabiSabi Labi personally and trusts them. He's quick to acknowledge others may not share that trust.
"If I'm a random researcher, and I know I have a very important vulnerability -- and ideally you would sell only vulnerabilities that are very important -- my primary concern would be not to leak that vulnerability. Since most people in the security industry are very paranoid, I wouldn't trust a middleman," Barisani said.
Preatoni rejects the notion that selling vulnerabilities through WabiSabi Labi puts users at risk, saying buyers are carefully vetted to prevent zero-days from falling into the hands of criminals. But he acknowledges the company must work hard to win over security researchers by ensuring they get paid for their work and that agreements over how vulnerabilities should be handled are respected.
"It's all a matter of trust and we have a long road ahead. We have to build that trust," Preatoni said.