Computer security

The bounty hunters
Jul 19th 2007
From The Economist print edition

An attempt to offer a legitimate outlet for hackers who want to earn an honest crust
Satoshi Kambayashi
HERE is a dilemma. Suppose you are a computer hacker and you discover a bug in a piece of software that, if it were known to the bad guys, would enable them to steal money or even a person's identity. It would be a feather in your cap. But feathers do not pay the rent. So how might you sell your discovery for the highest price? Asking for cash from the company that sold the buggy software in the first place sounds a bit like blackmail. The implicit threat is that if the firm does not stump up, the knowledge might end up in disreputable hands. But, in truth, it is mainly that possibility which gives the bug value in the first place. What, then, is a fair price, and who is to negotiate it?

Since economics, like nature, abhors a vacuum, a small industry of “security companies” has emerged to exploit the hackers' dilemma. These outfits buy bugs from hackers (euphemistically known as “security researchers”). They then either sell them to software companies affected by the flaws, sometimes with a corrective “patch” as a sweetener, or use them for further “research”, such as looking for more significant—and therefore more lucrative—bugs on their own account. Such firms seek to act as third parties that are trusted by hacker and target alike; the idea is that they know the market and thus know the price it will bear. Often, though, neither side trusts them. Hackers complain that, if they go to such companies to try to ascertain what represents a fair price, the value of their information plummets because too many people now know about it. Software companies, meanwhile, reckon such middlemen are offered only uninteresting information. They suspect, perhaps cynically, that the good stuff is going straight to the black market.

Last week, therefore, saw the launch of a service intended to make the whole process of selling bugs more transparent while giving greater rewards to hackers who do the right thing. The company behind it, a Swiss firm called WabiSabiLabi, differs from traditional security companies in that it does not buy or sell information in its own right. Instead, it provides a marketplace for such transactions.

Converting kudos to cash
A bug-hunter can use this marketplace in one of three ways. He can offer his discovery in a straightforward auction, with the highest bidder getting exclusive rights. He can sell the bug at a fixed price to as many buyers as want it. Or he can try to sell the bug at a fixed price exclusively to one company, without going through an auction.

WabiSabiLabi brings two things to the process besides providing the marketplace. The first is an attempt to ensure that only legitimate traders can buy and sell information. (It does this by a vetting process similar to the one employed by banks to clamp down on money launderers.) The second is that it inspects the goods beforehand to make certain that they live up to the claims being made about them.

Herman Zampariolo, the head of WabiSabiLabi, says that hundreds of hackers have registered with the company since the marketplace was set up. So far only four bugs have been offered for sale, and the prices offered for them have been modest, perhaps because buyers are waiting to see how the system will work. A further 200 bugs, however, have been submitted and are currently being scrutinised.

If such bug auctions are to succeed, they will have to overcome a number of obstacles. One is that if the seller is too clear about what he is offering, the buyer might be able to figure out what is being offered without actually paying for it. Another is that the chance of someone else discovering a bug increases with time. A hacker thus needs to sell his find quickly, which requires the verification process to be streamlined. But perhaps the most significant snag to running a bug auction is a legal one.

Jennifer Granick, a lawyer at Stanford University who has studied the area for several years, reckons that if someone using a marketplace like WabiSabiLabi's went on to commit a crime with a bug they had bought there, then the owners of that marketplace could be in trouble. Under American criminal law, those owners would have to be shown to have been acting knowingly in order for a prosecution to succeed. A civil action, however, would have to demonstrate only recklessness.

In cowboy films, the goodies wear white hats while the baddies wear black ones. Computer hackers have adopted these symbols to describe, respectively, legitimate practitioners of their art and their nefarious counterparts. In becoming the first company to establish bug auctions, WabiSabiLabi may have breathed life into a third type of cowboy, the sort that sports a grey hat. And the field of hacking, through losing its moral certitude, may have grown up a little.