WabiSabi Labi now hopes to combine its efforts to see researchers compensated for the work they do with aspirations of being a security vendor in its own right.
Its planned intrusion detection system, a tool that monitors a network or server for suspicious activity, will be based on a database of zero-days sold through the company's auction site, and researchers will receive continuing payments when vulnerabilities they discover are included, Preatoni said. The only vulnerabilities that won't be included are those that are purchased using the exclusivity option.
Getting to the point where WabiSabi Labi's zero-day database contains enough signatures for an intrusion detection system will take a couple of years and will require the company to convince security researchers to sell vulnerabilities they discover through its auction site.
That won't be easy. WabiSabi Labi executives face an uphill struggle to win over skeptics who believe ethical disclosure is still the best way to report software vulnerabilities and protect users.
"By releasing this zero-day information you put customers at risk," said Alexander Kornbrust, the managing director of Red Database Security GmbH and a researcher credited with uncovering dozens of security holes in Oracle Corp. databases.
Others are worried about how zero-day sales will affect public perceptions of security researchers and hackers.
"Having a zero-day eBay is dangerous for the community because it will enforce the idea that hackers are criminals," said Alessio Pennasilico, a security evangelist at Alba S.T. S.r.l. who has uncovered vulnerabilities in the software used to control industrial equipment found in factories and power plants.
"I will never buy or sell a zero-day on a site like that," Pennasilico said.
But some people are willing to give WabiSabi Labi a try, at least under certain circumstances.
"If the vulnerability affects an open-source project, I wouldn't sell it. But if a vulnerability affects a big commercial vendor, and I know that vendor is usually not responsive on security bugs, then I would probably sell it," said Andrea Barisani, chief security engineer at Inverse Path Ltd.
The IDG News Service is a Network World affiliate.