The Redmond company will not get involved in a vulnerabilities marketplace, citing blackmail

Jul 10, 2007 13:21 GMT

Microsoft will have nothing to do with any form of online vulnerabilities bazaar. This applies not only to security flaws affecting the company's latest operating system but to all its products. The reason Microsoft will not get involved in the trade in security vulnerabilities is that it regards a zero-day marketplace as equivalent to up-front blackmail. In this context, Roger Halbheer, Chief Security Advisor for Microsoft EMEA, harshly criticized the WabiSabiLabi vulnerability auction website, calling the initiative nothing more than another example of irresponsible disclosure.

"Every vendor has to have transparent and clear processes to handle vulnerabilities. These processes ensure that there will be a timely reaction to responsibly disclosed as well as irresponsibly disclosed vulnerabilities, the latter causing so-called zero-days. These zero-days pose a major risk to all the computer users on the Internet. One could agree now that it is not the zero-day that is the problem but the vulnerability itself," Halbheer stated.

WabiSabiLabi's position is quite different. It states that the ethical disclosure system has been abused and is not a viable business model. WabiSabiLabi aims to see security researchers get paid for the zero-day vulnerabilities they find. "The system introduced by 'ethical disclosure' has been historically abused by both vendors and security providers in order to exploit the work of security researchers for free. This happens only in the IT security field; for example, nobody in the pharmaceutical industry is blackmailing researchers (or the companies that are financing the research) to force them to release the results for free under an ethical disclosure policy," reads an excerpt from the WabiSabiLabi website.

WabiSabiLabi has an entirely different perspective on the issue of selling zero-days. What Microsoft calls an attempt to blackmail software vendors, WabiSabiLabi calls bringing "the world closer to zero risk." Microsoft does not see eye to eye with WabiSabiLabi on this matter and is sticking to its established strategy. "Our policy here is crystal clear. We do not buy vulnerabilities. We acknowledge the finder in the bulletin. Additionally, we bring them together with our executives and developers at a conference called 'Bluehat'," Halbheer added.