Tuesday, July 10, 2007

Paying for hacking tools

WabiSabiLabi Ltd, a Swiss company, has rolled out an interesting website that allows users to buy security vulnerabilities in unpatched software. Although it might sound like hot goods for hackers, the owners maintain that the flaws can also be bought by security companies, or even by the software's parent firms, in order to fix the programs. At this time, there are only 4 vulnerabilities for sale, with prices between 500 euros and 2,000 euros. There are only 2 bids for a Linux kernel memory leak and for an "unpatched SQL Injection vulnerability in MKPortal."

This site might be a dangerous source of vulnerabilities, especially in the hands of hackers, because they would be able to attack a given computer more easily than before. For example, the site sells a Yahoo Messenger 8.1 security flaw for 2,000 euros, enabling hackers to attack an affected system without spending time searching for vulnerabilities.

"Nobody in the pharmaceutical industry is blackmailing researchers (or the companies that are financing the research), to force them to release the results for free under an ethical disclosure policy," the WabiSabiLabi Web site states, according to PC World.

However, the website has raised concerns among security companies, which fear that the unpatched flaws will be exploited. "It's going to be eBay for vulnerabilities. We're looking at the potential of cyber warfare coming up. Now we're going to peddle vulnerabilities in a winner-takes-all auction. How do we know who's good and who's bad when we do this?" David Perry from Trend Micro Inc. told the same source.

In the past, iDefense Labs also paid for new vulnerabilities, but that was only a contest meant to bring unpatched security flaws into the spotlight. The prizes were quite attractive, and numerous security experts joined the competition for the big awards offered by iDefense Labs.
