Q&A
What is WabiSabiLabi?

Q: Do you trade zero day vulnerabilities?
A: First, let's use the proper terminology: there is no such thing as a zero day vulnerability; instead there is Security Research, which is the job of a skilled security researcher. Our scope is to provide an institutional marketplace in which security researchers can offer their work to the market through a platform designed to maximize their reward.

Q: Who can participate in the marketplace?
A: Anybody who can legitimately buy or provide security research.

Q: Can everybody contribute security research on vulnerabilities?
A: Yes, under the condition of non-anonymity (did you ever succeed in buying or selling anonymously on the stock exchange?) and under the condition that the provided security research material must not come from an illegal source or activity.

Q: Can everybody purchase vulnerabilities from the marketplace?
A: No. All purchasers will be carefully evaluated before being granted access to the market platform, to minimize the risk of selling the right stuff to the wrong people.

Q: Why do you need my personal data?
A: Swiss anti-money-laundering regulations clearly state that we need to identify any person we have money transactions with.

Q: I don't want to give you my personal data. Is there any other way I can participate in the marketplace?
A: No.

Q: I'd like to contribute a zero day vulnerability. How can I do it?
A: By simply registering as a seller from this page. Please note that prospective researchers will be thoroughly scrutinized before eventually being accepted.

Q: I'd like to buy a piece of security research. How can I do it?
A: By simply registering as a buyer from this page. Please note that prospective buyers will be thoroughly scrutinized before eventually being accepted.

Q: What kind of selling schemes are available from the marketplace?
A: Your security research can be sold under the following schemes:

Traditional auction
Pretty much the same as on eBay! The best bidder wins the auction. Each auction has a starting price, a threshold for minimum bids and a Time To Live. In traditional auctions, the same item might be listed multiple times over time, but you are never sure whether the current auction will be the last one.

Dutch auction
The same as the traditional auction, but with more than one winner. The number of winners is set separately for each auctioned item.

Buy now!
The auction might have the "Buy now!" option, allowing the bidders to purchase the item immediately, without participating in the auction but at a higher price.

Buy exclusively
The "Buy exclusively" option, when enabled, allows one buyer to purchase the item and close the auction, becoming the only winner and the exclusive owner of the item. Items sold under the "Buy exclusively" option cannot be auctioned multiple times.

Q: What is your ethical disclosure policy?
A: The system introduced by "ethical disclosure" has historically been abused by both vendors and security providers in order to exploit the work of security researchers for free. This happens only in the IT security field: nobody in the pharmaceutical industry, for example, is blackmailing researchers (or the companies that are financing the research) to force them to release their results for free under an ethical disclosure policy.
In this view, WabiSabiLabi has a not-for-free-disclosure policy, explicitly aiming to reward researchers. The only free information available to both vendors and the public will be the general information on each piece of security research listed on the marketplace, which will be enough to understand the issues raised by each piece of research, without disclosing any sensitive technical detail.
However, in the pure Swiss tradition of neutrality, and given that we don't own the intellectual property of the submitted security research, we let its owner decide whether or not the vendor should be notified. This information will be included in the marketplace vulnerability description.

Q: What guarantees will you give me about the reliability of the security research listed on the marketplace?
A: Full guarantee. Every piece of security research is carefully analyzed and replicated in our own laboratories, and eventually implemented with our own complementary research material, before being placed on the marketplace.

Q: How much do you pay for a zero day security research?
A: You don't sell to WabiSabiLabi. Rather, you sell through it, as on any other institutional market exchange. WabiSabiLabi doesn't directly pay anything; rather, we mediate your sale or purchase on behalf of researchers by providing a secure market environment aimed at maximizing the security researcher's reward. To that end we maintain:

- a Research Department
- a test-drive laboratory
- a transparent exchange platform
- a secure payment system

Security research will be placed on the marketplace only after being validated by our labs and being "dressed" with our complementary material and services. We will also help researchers design the best business model (such as selling scheme, starting price, etc.) in order to maximize value creation.

In a nutshell, the work of security researchers will be valued by the market itself. As it should be.

Q: What is your privacy policy?
A: You can find it here

Q: What is the Security Research submission procedure?
A: The procedure is:

- You let us know that you have a Security Research you want to submit, using the form on the website.

- We send you an NDA in which we state that the intellectual property of the Security Research belongs to you.

- You send us a detailed analysis about the Security Research and, if available, a PoC.

- If the Security Research result can be reproduced in our laboratory and we find it interesting, we certify it and send you back a contract in which we agree the starting price and the selling procedure with you.

- You send the signed contract back to us.

- We put the Security Research on our site for sale.

- Once it has been sold, we take care of collecting payment from the buyer and transferring the money to you, ONLY to a verified personal bank account or a verified PayPal account.

Q: What kind of vulnerabilities can I submit to your marketplace?
A: As a general principle, you can submit any software vulnerability except those in proprietary web applications (no, we are not going to accept that XSS on Google Mail). In the end, the decision whether or not to publish anything will be at our own discretion.

The art of continuous improvement of imperfect security