Robert Preatoni, WabiSabiLabi's strategic director, was surprised by the invitation to speak at Microsoft's exclusive Blue Hat hacker summit last week. And by most accounts, his reception was far from chilly, despite the controversy that has swirled around the online auction site for buyers and sellers of vulnerabilities ever since it launched. (See Microsofties Check Out Vulnerability Auction Site at Blue Hat.)
It helped that most of the crowd was young, open-minded Microsoft security folks. Preatoni did get a few tough questions from Microsoft executives, though, with one suggesting that WSLabi should be more transparent and publish its vulnerability acceptance policy, Preatoni wrote in the WSLabi blog. "Suggestion taken Sir, we'll do it," he says.
But whether approval from Microsoft's hacker-friendly-by-design Blue Hat crowd will help WSLabi gain acceptance by the security industry as a truly legitimate and safe way of selling bugs is unclear. Even proponents of full disclosure worry that WSLabi can't truly vet who's using its eBay-style auction.
The real question is whether WSLabi's business model can work. Last week, I was surprised to find that there was a grand total of zero bids on the 15 zero-day vulnerabilities that sat on the block. As of today, however, there's been an increase in activity -- four additional bugs are up for sale, and a handful of bids have been placed on four different bugs, including two of the newly posted ones.
Preatoni said in an interview last week that the site has transacted eight vulnerabilities so far. WSLabi takes a 10 percent cut from each sale, and so far, bugs have sold for anywhere from a few hundred euros to 5,000 euros.
The bottom line is that regardless of whether WSLabi gets the blessing of any security vendors -- including Microsoft -- its survival still comes down to actual transactions on the online auction site.
Kelly Jackson Higgins, Senior Editor, Dark Reading