 Many hi-tech criminals covet loopholes in Windows software |
An online auction house has been created to bring together those who find the loopholes with the companies that can do something about them.
It aims to close the gap between the small number of bugs investigated and the huge number thought to exist.
By rewarding researchers, the auction house aims to prevent flaws getting in to the hands of hi-tech criminals.
Hard cash
Many malicious and criminal hackers rely on loopholes in widely used software, usually Windows, to get access to the valuable information on users PCs.
There is known to be a ready market for these vulnerabilities on the digital underground and significant sums of money can be made by selling them.
In early 2006 anti-virus firm Kaspersky Labs revealed that Russian hackers had been selling the Windows WMF vulnerability for $4000 (£2,000).
The loophole was offered for sale weeks before it was widely known about and long before Microsoft moved to close it.
Many criminal groups prefer to use vulnerabilities for their own ends to steal information or hijack computers rather than have any and every malicious hacker using them.
The independent auction house, called WabiSabiLabi, aims to staunch the flow of vulnerabilities to the underground by giving security researchers a legitimate marketplace for what they find.
"Our intention is that the marketplace facility on WSLabi will enable security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cyber-criminals," said Herman Zampariolo, head of the auction site.
He added that it could tempt many researchers to report findings they would otherwise keep quiet about. In this way it hopes to ensure many more vulnerabilities get reported.
"Very few of them are able or willing to report it to the 'right' people due to the fear of being exploited," said Mr Zampariolo.
Once a vulnerability is reported, WSLabi will confirm it is real and that it can be exploited. After this it will be placed on the auction site where it can be sold to the highest bidder or sold to just one firm.
WSLabi said it would ensure that all those who buy the vulnerabilities were legitimate.
The first vulnerabilities posted to WSLabi are selling for between 500 (£340) and 2000 (£1,350) euros.
Many other companies, such as iDefense and Tipping Point, run schemes that give cash rewards to security researchers who find serious loopholes in widely used software.
The Mozilla Foundation, which oversees development of the Firefox browser amongst other things, gives a t-shirt and a $500 (£250) bug bounty to anyone finding a critical vulnerability in its software.