NSS Plans Superstore Exchange For Exploits

NSS Labs has targeting security experts as customers for its planned online store for security exploits.

Through the Exploit Hub, NSS Labs will allow researchers to buy and sell exploits. According to NSS Labs president Rick Moy, the initial set of buyers will be “known quantities” such as penetration-testing companies and security vendors. The company will carefully vet the customers as it is aware of the dangers of opening the service to all-comers.

Market Penetration

“The goal is to close the capabilities gap between the cybercriminals and white hats by enabling defenders to perform more comprehensive testing of their defences,” Moy told eWEEK.

The marketplace will be a library of exploits supplied for sale by anti-malware companies and security professionals. NSS will take a 30 percent cut of the sales in exchange for testing and validating the exploits, as well as promoting and managing the marketplace. The price of exploits will be driven by demand with the researchers who submit the exploits deciding on the initial price tag for their work, Moy added.

“Identities and reputations of companies and individuals will be a key factor,” Moy said. “We plan to leverage our long-standing independent position in the information security community and network of peers to vet the participants.”

No zero-day vulnerabilities will be sold through the store, something that distinguishes it from marketplaces like the one previously run by WabiSabiLabi which has now closed down.

“In the end, the efforts required to keep a zero-day secret also work against the concept of an open marketplace,” said H D Moore, chief security officer at Rapid7 and creator of Metasploit. “The NSS approach sounds like a great way for exploit developers to profit from their work and an excellent source of useful tools for penetration testers everywhere.

“Since they are only dealing with exploits for which vulnerability details are already available, it’s less about safeguarding sensitive information and more about creating a market for exploit tools,” he said.

NSS Labs is planning a phased-release approach to vetted buyers and is aiming to open the store in October, Moy said. Interested parties can sign up by contacting exploithub@nsslabs.com.