Found A Security Bug? Get Paid!

A new online auction house has been launched, but it won’t find itself competing with eBay.

Wabi SabiLabi has a very specialized function. It brings together researchers and hackers who find security flaws in software with the companies who can fix them, allowing the researchers to be paid for their work – as well as making the Internet a safer place.

There’s been a strong criminal market for such vulnerabilities, which can be used to access information on PCs. Just last year it was revealed that Russian hackers were selling the Windows WMF vulnerability for $4,000, several weeks before researchers discovered it and before Microsoft issued a patch to close it.

It’s hoped that the new venture means that researchers will be more inclined to report the vulnerabilities they discover – and also that many more will be reported than is currently the case.

“Our intention is that the marketplace facility on WSLabi will enable security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cyber-criminals,” said Herman Zampariolo, head of Wabi SabiLabi.

The company will check every reported vulnerability to ensure it exists. It will then be placed on the auction site and sold to the highest bidder – but Wabi SabiLabi will carefully vet each buyer. The first vulnerabilities on the site were selling for anywhere between $700 and $2,700.

Other companies do give cash rewards to researchers who find vulnerabilities, but this is the first time such information has gone to auction.