A Swiss software security research company, WabiSabiLabi, is establishing an online auction site to allow security researchers to auction off discoveries of software vulnerabilities. In their press release, they said:
Recently it was reported that although researchers had analyzed a little more than 7,000 publicly disclosed vulnerabilities last year, the number of new vulnerabilities found in code could be as high as 139,362 per year. Our intention is that the marketplace facility on WSLabi will enable security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cyber-criminals.
Yes, they will screen the bidders in the effort to determine that they aren’t “cyber-criminals,” and they will test reported vulnerabilities before allowing an item to be put up for auction. The Washington Post described vulnerability researcher Dino Dai Zovi as excited about the vulnerability auction service:
“I can see this service creating much more incentives for researchers to find flaws,” Dai Zovi said. “Not everyone is willing to spend 20 to 40 hours looking for vulnerabilities in software just to receive a little thank-you note in Microsoft’s security advisories.”
The discovery of software vulnerabilities provides something of the nature of a network or club good. Presumably the software vendor – the provider of the initial good or service around which the network grows – would have an incentive to pay for acquisition of this information so as to put out a better product. But if the standard offer of payment is “a little thank-you note,” perhaps the existing market for such intellectual property is not yielding competitive prices.