WabiSabiLabi – Where You Can Buy and Sell Internet Security Vulnerabilities


A company called WabiSabiLabi (Wabi Sabi Labi – pronounced ‘wobby sobby lobby’) has announced that they have created an auction marketplace where security researchers and companies can buy and sell security vulnerabilities and hacks. Here’s what that means (we mean what “buying and selling security vulnerabilities” means, not what “Wabi Sabi Labi” means – although, roughly speaking, the Japanese ‘wabi sabi’ means respecting things which are authentic – from nature – by acknowledging their authentic beauty with the recognition that nothing lasts, nothing is finished, and nothing is perfect).

Here’s what buying and selling security vulnerabilities means: currently there are Internet security researchers around the world who are working on discovering security vulnerabilities (such as ways to hack into computer systems through holes in the software). Their work, much like any other work involving computer systems, is intellectual property. It may be hard to think of discovering a security flaw in Internet Explorer, for example, or Quicktime, as “intellectual property”, but that’s how the thinking goes. The researcher has put time and effort into banging on that particular software to find out if it has any weaknesses, and the discovery of that weakness is the researcher’s intellectual property, to do with what they will. At least, that’s the belief system on which WabiSabiLabi is banking.

Personally, we see the discovery of a security flaw to be analogous to the discovery of a new disease, to borrow from the medical world. But in the medical world, people generally pay for the discovery of a new medicine to fix the disease – not for the discovery of the disease. So why would there be a market for security flaws (the discovery of disease in a computer system)?

The primary reason, it seems, would be to compensate the security researcher for their time and effort and, if you buy it, “intellectual property”. Now, we could go off on a tangent here and argue that if they have discovered a hole in someone’s software – based on the code which that someone has created – then the researcher has actually done little more than discover something about somebody else’s intellectual property and therefore anything they find is at best a derivative work, not their own intellectual property. But we’ll leave that argument for someone like our buddies over at the Electronic Frontier Foundation.

The bottom line is that these researchers want to be compensated for their time and effort. And unlike medical researchers, whose job it is to find diseases (and cures), oftentimes these security researchers are doing this on their own time – and it isn’t their job to find the cure.


In fact that is where this whole thing also differs from the medical analogy – because with a disease for which there is not yet any medicine, the field to ‘fix’ the disease is wide open, and the first to market with a new drug can make a fortune. With security flaws, there is, generally, only one company who is going to be able to (easily and effectively) come up with a fix for that flaw – the company who produced the flaw in the first place. So the independent security researcher’s only hope of a payoff for all of their hard work is to either get the company in whose product they found the hole to pay them for their discovery, or to find another market.

Enter WabiSabiLabi.

But who would pay to know about newly discovered security vulnerabilities?

Well, maybe the companies in whose software the flaw has been found, although most companies who will pay for that already have a bounty program of their own, and others, such as Microsoft, have categorically stated that they will not participate in this effort to create a white market based on security blackmail (our words, but we know what they meant).

That leaves the one other market for this sort of information: the bad guys. People who want to know about these security holes so that they can exploit them before they get patched.

WabiSabiLabi claims that they are going to screen each buyer carefully. Ever so carefully. But WabiSabiLabi also has stated that they will not notify software vendors if a vulnerability relating to their own software goes up for sale – and of course they would be the natural legitimate market for such information. (In fact, well-known security researcher Greg Hoglund, of RootKit.com, considered just such a service years ago, and ultimately rejected the idea because it was impossible to be sure to whom you were selling the information – and in his service the companies whose flaws had been discovered would absolutely have been notified.)

And WabiSabiLabi also makes a big point on their site of letting folks know that they are headquartered in Switzerland – which makes them nearly impossible to touch if they are selling to the bad guys.

Certainly, at least, not before they have made a bundle selling security flaws to the highest bidder.

Wabi Sabi – nothing is perfect, nothing lasts, nothing is finished. We predict that for WabiSabiLabi, their name will become a self-fulfilling prophecy – well, two out of three ain’t bad.
