Constitutionally protected speech -- or criminally punishable blackmail?

Volokh, Eugene VOLOKH at law.ucla.edu
Fri Jul 13 10:03:43 PDT 2007


	Or, to be precise, which would it be if it were done in the
U.S.; presumably the answer in this case would come under Swiss law.

http://www.washingtonpost.com/wp-dyn/content/article/2007/07/12/AR2007071201278.html

Site Plans to Sell Hacks to Highest Bidder

By Brian Krebs
washingtonpost.com Staff Writer
Thursday, July 12, 2007; 2:51 PM

A Swiss Internet start-up is raising the ire and eyebrows of the
computer security community with the launch of an online auction house
where software vulnerabilities are sold to the highest bidder.

The founders of WabiSabiLabi.com (pronounced wobby-sobby-lobby) say they
hope the service presents a legitimate alternative for security
researchers who might otherwise be tempted to sell their discoveries to
criminals.

Several established vulnerability management companies already purchase
information about software flaws from researchers, yet the terms of
those deals are private and generally set by the companies. Letting all
interested parties bid on security vulnerabilities in an "eBay"-style
auction assures that researchers receive the fair market value for the
work they do in finding the flaws, said Herman Zampariolo,
WabiSabiLabi's chief executive.

"Without an open marketplace, it is impossible to know just how much
this intellectual property is worth, and while the free market is not
the most perfect way to discover that, it's a good proxy," Zampariolo
said. "Sure, lots of companies are setting figures for what they think
vulnerabilities are worth, but a majority of researchers are getting far
less than what their information is worth, and that's scandalous." ...

Zampariolo said the company thoroughly screens all potential sellers and
buyers, requiring proof of identification, articles of incorporation,
and even bank account information from all parties involved. For the
first six months of operation, the service will be free, after which the
auction house plans to take a 10 percent cut of the final selling price
of a vulnerability. Security flaws up for auction that are not
designated by the seller as "exclusive" for the buyer will be shared
among a vulnerability alert club to which the company will sell
access....

"I can see this service creating much more incentives for researchers to
find flaws," [researcher Dino] Dai Zovi said. "Not everyone is willing
to spend 20 to 40 hours looking for vulnerabilities in [Microsoft
Windows] software just to receive a little 'thank you' note in
Microsoft's security advisories." ...

It is unclear whether any major software vendors would bid on
vulnerabilities in their own software. Microsoft has emphatically and
publicly stated under no circumstances would it ever buy vulnerability
research. Mozilla, the maker of the Firefox Web browser, offers a $500
"bug bounty" for each vulnerability privately reported to the
company....
