I've seen some interesting articles on the site, most notably this great review of it at Darknet.org.uk; but I thought I'd think this through myself a little and see if I can glean something meaningful from the roaring sound of crickets chirping as the site bustles through. (Obviously you've picked up on my sarcasm by now?)
First, let me do a quick break-down of the stuff that's available for purchase at the site right now.
- 20 total vulnerabilities available
- 45% Windows-based
- 30% Linux-based
- 25% web application-based
- 2 vulnerabilities have been bid on
Let's face it, if eBay ran like this they would have been out of business in week 2. I'm absolutely amused with these guys who run this site. I think that the Darknet writer breaks it down with smashing pin-point accuracy when referring to the vulnerability market...
Perhaps they didn't think the whole concept out. Most of the people that need these kinds of exploits - have access to them. Those that code trade, those that don't code steal and trade - those that have no skills... pick up the leftovers.
Nail hit on head. One has to ask oneself - what's the business model here? Are the folks at WabiSabiLabi marketing (or pandering) to the security companies? Perhaps to the BlackHats (as unlikely as that seems)? Maybe to some other crowd? What's your target market, WabiSabiLabi?
It's no great revelation that a site which puts "0Day vulnerabilities" up for auction is a bit of a strange animal. If you have a 0day vulnerability, why would you risk exposing it to the world, when you can clearly make much more money selling it underground? Perhaps I've stumbled upon something here... is this a marketplace for second-rate hacks who've found some mediocre defect in some code somewhere, have no contacts to sell it to the underground, and are looking to connect with people who want to buy? Perhaps this is the target market... so let me build a quick profile of the typical seller:
- mediocre code-monkey
- no contacts to really "sell" a 0day vulnerability to the underground
- no ethics to use responsible disclosure to get it fixed through the vendor or OpenSource owner