On Vulnerability Auctions

Recently, WabiSabiLabi, a new vulnerability auction site launched and hit the trade press and blogosphere hard. It is interesting these days to see how "in vogue" economics impacts the security world, and certainly auctions are interesting "experiments."

Today, there are six vulnerabilities active on the site, with the highest bid for a single vulnerability at 200 euros, or about $280.

There are two types of people who may use this auction site – people who want to exploit the vulns (Exploiters) and people who want to fix the vulns (Fixers).

Exploiters

Exploiters want to exploit software in ways that provide maximum benefit with minimum cost. The essential equation for exploiters is: Exploit Costs {skill, $$$} + Exploit Risk {probability of getting caught x penalty} < Exploit Benefits {number of victims, value of compromise}

The first consideration, then, is the question of whether Exploiters can get a vulnerability (and, presumably, PoC exploit) cheaper from the auction site than finding a comparable one themselves (or otherwise get one on the black market). This consideration means that Exploiters on the auction site are likely to be lesser-skilled (perhaps new) individuals with money to spend. If there are a number of these types of people, then the costs of individual vulnerabilities will increase.

A secondary cost consideration for Exploiters is the likelihood of getting caught. At least on its face, a public auction would appear to increase the possibility of getting caught. There needs to be some sort of track record for the transactions taking place (buyer-seller plus whoever is paying WabiSabiLabi) and in any case, simple awareness of the vulnerability increases the level of scrutiny around the target, either generally or specifically, to create more "evidence" should a compromise be detected.

The Exploiter benefits appear even more significantly impacted on the negative side by this auction. If value is a function of the number of sites compromised and whatever they can do at those sites, then an Exploiter would want to compromise more people over more time with more exclusivity. In all cases, it appears that the auction site would likely reduce the number of vulnerable sites over time and increase the likelihood that someone else will find (or be sold) the vulnerability.

Fixers

Fixers want vulnerabilities so they can fix them, either in commercial software for everyone, or privately because they are extremely risk averse. It may be worthwhile for software manufacturers to purchase vulnerabilities because it is an extremely inexpensive (perhaps) way to find them and keep them private (perhaps) until such time as they can be worked into a fix. At least with financial transactions, the bugfinders should not then have hissy-fits like the one last week. This could ultimately work out to be extremely cheap labor for software companies, and so worth it in that regard. To the extent that the vulnerabilities become highly-priced, then at least the vendor has some sense of where to focus its resources to find the vuln concurrently.

Private fixers are much better off simply hardening their environments using techniques that don’t require knowledge of specific vulnerabilities.

Net Impact on Risk

It is too early to tell what the net impact is on overall risk. If prices are high enough that it encourages bugfinders to build businesses around public, after-market discovery and auctioning of vulns, then it will likely increase overall risk. (Some younger researchers may see this as a way to make their name while still making a little money – essentially a loss leader for their services).

On the other hand, the public availability of information on prices (which at least today seem like an extremely low hourly rate) may prompt wannabe bugfinders to look for other better-paying jobs with vendors.

I am pretty much ambivalent about auction sites at this stage, but I will make a few predictions just for fun:

  1. No more than 100 vulnerabilities will have successfully been auctioned off at the website by the end of the year;
  2. Maybe 30-40 people will have participated in the auctions;
  3. The site will essentially go dormant or cease to exist by the end of 2008;
  4. If it doesn't go dormant, it will face at least one legal challenge by the end of 2009.

I trust someone will let me know if/when I make a fool of myself with these predictions.

2 comments for "On Vulnerability Auctions"

  1. August 2, 2007 at 2:15 pm

    Pete,

    Very nice take on the situation. I do think your predictions are pretty spot on.

  2. November 4, 2008 at 9:14 pm

    WabiSabiLabi Update

    This just in – WabiSabiLabi may close its doors. Here are some tidbits: "…In the end, security researchers recognised the value of having an auction site like WabiSabiLabi, but very few buyers proved willing to use the site, said Roberto Preatoni, an …
