Sep 10, 2010 08:58 GMT  ·  By

NSS Labs, a company specializing in anti-malware testing, plans to expand its business by launching an online marketplace for exploits next month.

The platform will be called Exploit Hub and will allow security researchers to sell exploit code for known vulnerabilities to penetration testers and other security companies.

It's no secret that black hat hackers are already doing this, selling exploits to cybercriminals on the underground market.

"The bad guys already have this stuff. We're trying to level the playing field," NSS Labs President Rick Moy, commented for Dark Reading.

The company plans to keep the operation as ethical as possible by vetting all buyers and testing that every submitted exploit works as advertised.

In addition, no zero-days will be allowed. These are exploits for vulnerabilities that have not yet been patched by the vendor, and they are usually far more valuable to cybercriminals than to penetration testers.

The purpose of penetration testing is to identify weaknesses in corporate systems and networks that can actually be remediated, not flaws for which no vendor fix exists.

There are already companies, such as Immunity, Core Security and Rapid7, that sell exploits as part of specialized commercial tools.

Similar attack code is constantly added to the open source Metasploit framework. However, exploit availability is still very limited compared to the number of publicly known flaws.

"Over the past five years, there have been over 14,000 high-risk or critical vulnerabilities and if you look at the tools and count how many exploits in them, there are maybe 1,000," Moy pointed out.

This forces many penetration testers to write their own exploits, consuming time that could be better spent on the actual testing.

NSS Labs plans to launch Exploit Hub at the end of October and will retain a 30% commission from every transaction for its brokering role.

Some security researchers are open to the idea, especially since at the moment they are releasing most of their work for free.

"If they do it right this gives guys in my position a venue to put our stuff out there and make some money," Mario Ceballos, an exploit writer and penetration tester at Northrop Grumman, told Forbes.