Since economics, like nature, abhors a vacuum, a small industry of 'security companies' has emerged to exploit the hackers' dilemma. These outfits buy bugs from hackers {euphemistically known as 'security researchers'). They then either sell them to software companies affected by the flaws, sometimes with a corrective 'patch' as a sweetener, or use them for further 'research', such as looking for more significant—and therefore more lucrative—bugs on their own account. Such films seek to act as third parties that are trusted by hacker and target alike; the idea its that they know the market and thus know the price it will bear.

Often, though neither side trusts them. Hackers complain that, if they go to such companies to try to ascertain what represents a flair price, the value of their Information plummets because too many people now know about IL Software companies, meanwhile, reckon such middlemen are offered only uninteresting information. They suspect, perhaps cynically, that the good stuff is going straight to the black market. Last week, therefore, saw the launch of a service intended to make the whole process of selling bugs more transparent while giving greater rewards to hackers who do the right thing. The company behind it, a Swiss firm called WabiSabiLabi, differs from traditional security companies in that it does not buy or sell information in its own right. Instead, it provides a marketplace for such transactions.

A bug-hunter can use this marketplace in one of three ways. He can offer his discovery in a straightforward auction, with the highest bidder getting exclusive rights. He can sell the bug at a fixed price to as many buyers as want it. Or he can try to sell the bug at a fixed price exclusively to one company, without going through an auction. WabiSabiLabi brings two things to the process besides providing the marketplace. The first is an attempt to ensure that only legitimate traders can buy and sell information. (It does this by a vetting process similar to the one employed by banks to clamp down on money launderers.) The second is that it inspects the goods beforehand to make certain that they live up to the claims being made about them.

Herman Zampariolo, the head of WabiSabiLabi, says that hundreds of hackers have registered with the company since the marketplace was set up. So far only four bugs have been offered for sale, and the prices offered for them have been modest, perhaps because buyers are waiting to see how the system will work. A further 200 bugs, however, have been submitted and are currently being scrutinised. If such bug auctions are to succeed, they will have to overcome a number of obstacles. One is that if the seller is too clear about what he is offering, the buyer might be able to figure out what is being offered without actually paying for it. Another is that the chance of someone else discovering a bug increases with time. A hacker thus needs to sell his find quickly, which requires the verification process to be streamlined. But perhaps the most significant snag to running a bug auction is a legal one.

Jennifer Granlck, a lawyer at Stanford University who has studied the area for several years, reckons