Finally a Marketplace Site for Security Research

04/07/2007 Written by Zone-H

wslzonehA rev­o­lu­tion in the way secu­rity research is han­dled and reported has occurred! WSLabi (http://​www​.wslabi​.com), a neu­tral ven­dor inde­pen­dent Swiss lab­o­ra­tory, has launched a new inter­na­tional secu­rity research exchange.

This exchange will cre­ate a por­tal where researchers, secu­rity ven­dors and soft­ware com­pa­nies can inter­act in an open mar­ket to enable researcher’s to obtain the cor­rect value for their find­ings. The exchange will become a global data­base of every IT secu­rity research ever found.

Accord­ing to Her­man Zam­par­i­olo, CEO of WSLabi, “We decided to set up this por­tal for sell­ing secu­rity research because although there are many researchers out there who dis­cover vul­ner­a­bil­i­ties very few of them are able or will­ing to report it to the ‘right’ peo­ple due to the fear of being exploited. Recently it was reported that although researchers had ana­lyzed a lit­tle more than 7,000 pub­licly dis­closed vul­ner­a­bil­i­ties last year, the num­ber of new vul­ner­a­bil­i­ties found in code could be as high as 139,362 per year.

Our inten­tion is that the mar­ket­place facil­ity on WSLabi will enable secu­rity researchers to get a fair price for their find­ings and ensure that they will no longer be forced to give them away for free or sell them to cyber-​criminals.” Researchers can sub­mit their find­ings to the exchange once they have reg­is­tered. WSLabi will then ver­ify the research by ana­lyz­ing and repli­cat­ing it at their inde­pen­dent test­ing laboratories.

They will even­tu­ally then pack­age the find­ings with a Proof of Con­cept; this can then be sold to the mar­ket­place via three meth­ods from the mar­ket­place platform:

• Start­ing an auc­tion, pre­de­fined start­ing price

• Sell­ing to as many buy­ers as pos­si­ble at a fixed price

• Sell­ing it exclu­sively to one buyer

WSLabi will also help researchers to design the best busi­ness model (e.g. sell­ing schemes, start­ing sell­ing price etc.) which will enable them to max­i­mize the value of their find­ings. For exam­ple, a piece of research that would cur­rently sell to one com­pany on an exclu­sive basis for $300 — $1000 could sell for ten to twenty times more than this amount using the por­tal.

Roberto Preatoni, WSLabi’s Strate­gic Direc­tor, com­ments “Before we have even launched the mar­ket­place there are already three new vul­ner­a­bil­i­ties avail­able from secu­rity researchers. The vul­ner­a­bil­ity research is asso­ci­ated with Linux, Yahoo! Mes­sen­ger client and Squir­rel­Mail. This shows that this ven­ture is fill­ing a gap within the secu­rity research mar­ket, a place where secu­rity researchers are con­fi­dent that they will get the right value for their find­ings”.

Both researchers and buy­ers will have to iden­tify them­selves to WSLabi to ensure they are legit­i­mate. Researchers can­not sub­mit secu­rity research mate­r­ial which comes from an ille­gal source or activ­ity. Buy­ers will also be care­fully vet­ted before being granted access to the auc­tion plat­form so that the risk of sell­ing the ‘right stuff’ to the wrong peo­ple is min­i­mized. The mar­ket­place will be free to use for the first six months for both researchers and buyers.

Even though all par­ties will have to iden­tify them­selves to WSLabi, no per­sonal infor­ma­tion will ever be dis­closed or held in the pub­lic domain. Each buyer and seller will have a nick­name that they will trade under. The per­sonal data along with the full details of the vul­ner­a­bil­i­ties will not be kept on the web­site data­base but will be held on a sep­a­rate and secure sys­tem. The auc­tion site will only show the nick­names of the seller along with an overview of the vul­ner­a­bil­ity. To obtain full details the pur­chaser will have to pur­chase the research.


About WSLabi (www​.wslabi​.com)

WSLabi, a Swiss mar­ket­place and Lab for Secu­rity Research Exchange (WSLabi), has been founded by a group of secu­rity pro­fes­sion­als who were unsat­is­fied by the way zero-​days research is han­dled and secu­rity researchers are rewarded. The com­pany will facil­i­tate sale/​purchase of Secu­rity Research by pro­vid­ing a secure mar­ket envi­ron­ment to max­i­mize the secu­rity researcher’s reward.

For more infor­ma­tion or inter­views con­tact:

Darshna Kamani
Eskenzi PR Ltd.
++44(0)20 7183 2834

Share this content: