[an error occurred while processing this directive]
BBC News
watch One-Minute World News
Last Updated: Friday, 6 July 2007, 10:13 GMT 11:13 UK
Online auction for security bugs
Windows Vista, PA
Many hi-tech criminals covet loopholes in Windows software
Security researchers who find holes in software can now sell their findings to the highest bidder.

An online auction house has been created to bring together those who find the loopholes with the companies that can do something about them.

It aims to close the gap between the small number of bugs investigated and the huge number thought to exist.

By rewarding researchers, the auction house aims to prevent flaws getting in to the hands of hi-tech criminals.

Hard cash

Many malicious and criminal hackers rely on loopholes in widely used software, usually Windows, to get access to the valuable information on users PCs.

There is known to be a ready market for these vulnerabilities on the digital underground and significant sums of money can be made by selling them.

In early 2006 anti-virus firm Kaspersky Labs revealed that Russian hackers had been selling the Windows WMF vulnerability for $4000 (2,000).

The loophole was offered for sale weeks before it was widely known about and long before Microsoft moved to close it.

Many criminal groups prefer to use vulnerabilities for their own ends to steal information or hijack computers rather than have any and every malicious hacker using them.

The independent auction house, called WabiSabiLabi, aims to staunch the flow of vulnerabilities to the underground by giving security researchers a legitimate marketplace for what they find.

"Our intention is that the marketplace facility on WSLabi will enable security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cyber-criminals," said Herman Zampariolo, head of the auction site.

He added that it could tempt many researchers to report findings they would otherwise keep quiet about. In this way it hopes to ensure many more vulnerabilities get reported.

"Very few of them are able or willing to report it to the 'right' people due to the fear of being exploited," said Mr Zampariolo.

Once a vulnerability is reported, WSLabi will confirm it is real and that it can be exploited. After this it will be placed on the auction site where it can be sold to the highest bidder or sold to just one firm.

WSLabi said it would ensure that all those who buy the vulnerabilities were legitimate.

The first vulnerabilities posted to WSLabi are selling for between 500 (340) and 2000 (1,350) euros.

Many other companies, such as iDefense and Tipping Point, run schemes that give cash rewards to security researchers who find serious loopholes in widely used software.

The Mozilla Foundation, which oversees development of the Firefox browser amongst other things, gives a t-shirt and a $500 (250) bug bounty to anyone finding a critical vulnerability in its software.

Bug hunters get big cash rewards
25 Jul 05 |  Technology
Sites exploit Windows image flaw
29 Dec 05 |  Technology
Hackers target 'legitimate' sites
20 Jun 07 |  Technology
Microsoft unveils patch package
13 Jun 07 |  Technology
FBI tries to fight zombie hordes
14 Jun 07 |  Technology
Google searches web's dark side
11 May 07 |  Technology
Malicious code rise driven by web
25 Apr 07 |  Technology

The BBC is not responsible for the content of external internet sites

Has China's housing bubble burst?
How the world's oldest clove tree defied an empire
Why Royal Ballet principal Sergei Polunin quit


Americas Africa Europe Middle East South Asia Asia Pacific