A group of security professionals launched this week what they hope will become the eBay of security research. The Swiss-registered company, WSLabi, boasts that its online portal will allow researchers to sell vulnerabilities they have discovered to software companies and other interested parties through an open market.
What exactly describes a business? Well, you probably need a market, which means the existence of buyers and sellers. It's not very difficult to find reasons that there are sellers, but what is the motivation for buyers? If you read the justifications of these vulnerability (re-)sellers, it's about selling this information to governments, security researchers, etc. But as we know that the real big money currently is made by botnets, who could be most interested in buying relatively cheap entries into millions of PCs? If you can rent your bots for a couple of thousand dollars a week, would that price for the vulnerability not immediately vanish?
Or is this a completely wrong approach to the topic? Do those activities improve security? Do they help someone, if not the bad guys?
See also Roger's blog entry on this topic: http://blogs.technet.com/rhalbheer/archive/2007/07/06/vulnerability-auction.aspx
What do you think of this kind of "business"? Perhaps we as Microsoft have a distorted view of this? Or is it as it is? Do we have to live with these kinds of businesses, as they are not illegal (are they)?