Last year, Roger Halbheer blogged a couple of times about WabiSabiLabi. In his post, Roger asked the world whether it is ethical to sell exploits openly to the highest bidder.
In my opinion, it is completely unethical to sell exploits openly. WabiSabiLabi might be supporting security researchers by rewarding them for their creative work, but are they selling the exploits to the right people? The people buying the exploits might not have the right motives. They might target the companies that are vulnerable to that exploit (most likely they will be vulnerable) and cause huge financial losses. These were the questions Roger was looking for answers to last year.
On the WabiSabiLabi website they have mentioned:
Wabi-sabi is the perfect term to represent the implicit imperfection of IT security, as well as the scope of our project, which is to contribute to its improvement. This goal is achieved by completely re-designing the traditional security research cycle, introducing for the first time ever a market-driven approach to correctly value security researchers' contributions.
I really don't understand whether they are really achieving their goal of completely re-designing the traditional security research cycle, ethically or unethically.
Recently, I came across a similar website called Astalavista. According to the website:
The ASTALAVISTA hacking & security community is the largest IT security community in the world. It’s a platform for both IT specialists and novices, and anyone interested in expanding and updating their knowledge regarding IT security and hacking.
They are offering paid subscriptions at the following prices:
- 6 months - $39.95
- 24 months - $99.95
- Lifetime membership - $199.95
Okay, according to them, here are the benefits of becoming a member:
- The latest tools
- Unpublished documentation
- The largest security archive on the Internet
- Zero-Days Exploits
- Live Hacker Reports
- Source Codes
- Tips and Tricks
- Hosted Forums
- War Games Servers
...and many more.
They claim that their members include IT security specialists and IT representatives at multinational companies like IBM, Microsoft and PWC.
Now I have the same question that Roger Halbheer asked last year. Are these types of security forums ethical and beneficial for the security community? Is it ethical to pay some hackers and get hold of zero-day exploits?
If representatives from companies like Microsoft, IBM and PWC really are supporting such forums, then I personally think that we are not fighting the bad guys; in fact, we are working together with them.