
ClamAV exploit for sale
By Jerome Saiz, Sun, November 18th, 2007
The WabiSabiLabi exploits marketplace claims to have a zero-day exploit for Unix antivirus ClamAV. It would allow for compromising Unix hosts by sending a malicious email to the gateway. Starting price is $500.
The Register reports on what the WabiSabiLabi marketplace claims is a zero-day exploit for the popular open-source antivirus ClamAV.
The ClamAV exploit is the latest, and most publicized, of the few items for sale on WabiSabiLabi. The marketplace, established last August, features only a handful of exploits and very few bids so far. There are vulnerabilities (not all with exploit code) for IBM DB2, SAP MaxDB, QuickTime and a few others. Minimum prices range from nothing to a few thousand US dollars, and bids are in the one-to-two-thousand-dollar range, with very few bids.
This ClamAV vulnerability has no bids yet and, as with all the others, nothing proves it actually works. The listing, though, indicates that a proof of concept is sold with the vulnerability details.
Much debate took place when the marketplace launched. The legality and morality of such a practice were questioned, and while this seems to have settled down now, questions still remain about the qualification process for the exploits being sold (what percentage are genuine?) and whether or not WabiSabiLabi first offers exploits to private bidders before going public.
The question is asked by The Reg, which notes that out of 110 valid exploits, only 38 appeared online.
