With much press release fanfare, WabiSabiLabi has announced that it is to be a marketplace for exploit development.
Some particularly funny mentions:
Q: I don’t want to give you my personal data. Is there any other way I can participate in the marketplace?
Q: What is your ethical disclosure policy?
A: The system introduced by “ethical disclosure” has been historically abused by both vendors and security providers in order to exploit the work of security researchers for free. This happens only in the IT security field, as, for example, nobody in the pharmaceutical industry is blackmailing researchers (or the companies that are financing the research), to force them to release the results for free under an ethical disclosure policy.
In this view, WabiSabiLabi has a not-for-free-disclosure policy, explicitly aiming to reward researchers. The only free information available to both vendors and public will be the general information on each piece of security research listed on the market place, which will be enough to understand the issues introduced by each security research, without disclosing any sensible technical detail.
However in a pure Swiss tradition of neutrality and given the fact that we don’t own the intellectual properties of the submitted security researches, we let its owner decide if the vendor should be notified or not. This information will be included in the marketplace vulnerability description.
Good luck, geniuses.