Security Goes on Auction: “Do I hear $450?”

About a month ago, a Swiss firm launched an online auction site (aka Wabisabilabi) that claimed to help bring the world "one step closer to zero risk." Now, the interesting thing about this online auction site and it's auspicious claims to be doing things for the good of all is that what it doesn't auction off is security tools or tips, but what Wabisabilabi actually does is auction off security exploits.

Claiming to be a security research marketplace, this site is primarily for software developers interested in spotting security vulnerabilities before hackers get to them. I've mentioned this to a number of IT professionals and without fail, their jaws have dropped and they've said something like, "well, that's kind of scary."

Indeed it is "kind of scary," and in fact, you don't need much of an imagination to picture hackers signing on "hackbuyer_3" and bidding on the latest security weakness in Microsoft Vista or the seemingly ubiquitous iPhone. In fact, for those involved in physical security, we're just lucky this hasn't given common crooks and would be attackers an idea to start some sort of physical security auction site where thugs and repeat criminals could shop for things like "high-rise facility access cards" or "alarm codes to 3 local businesses". Do I hear $450? I have $450. $500? $500? I have $500. Do I hear $550? $550? No $550? Then $500, going once, going twice, the crime boss with gold rings.

Admittedly, WSLabi says that they will be only allowing the site to be used by people who could actually buy the software cracks for positive purposes (perhaps this would be people who wrote the software, or perhaps anti-malware vendors, or security gateway developers), and they add that there team will verify the weakness before it's put up for auction. The goal, they say, is so that security researchers will actually be paid appropriately for their work, rather than selling it to person with ill intentions for additional money. If, of course, they can do this effectively and get the right buyers linked with the right sellers, then I think they're onto something, but if just one mischievous buyer takes advantage of Wabisabilabi, then the deck of cards will tumble.

Now, most of you reading this blog are physical security professionals, but clearly there's been a move in our industry such that software is integral into all systems, whether it's recording video surveillance or even managing an alarm system. And with software comes vulnerabilities, and at that level, Microsoft Vista isn't that much different from your integrated access control system. Be vigilant.