WabiSabi Labi aims to be more than an eBay for zero-days

Others are worried about how zero-day sales will affect public perceptions of security researchers and hackers.

"Having a zero-day eBay is dangerous for the community because it will enforce the idea that hackers are criminals," said Alessio Pennasilico, a security evangelist at Alba S.T. who has uncovered vulnerabilities in the software used to control industrial equipment found in factories and power plants.

"I will never buy or sell a zero-day on a site like that," Pennasilico said.

But some people are willing to give WabiSabi Labi a try, at least under certain circumstances.

"If the vulnerability affects an open-source project, I wouldn't sell it. But if a vulnerability affects a big commercial vendor, and I know that vendor is usually not responsive on security bugs, then I would probably sell it," said Andrea Barisani, chief security engineer at Inverse Path.

But Barisani, who discovered a vulnerability that allows false messages to be injected into satellite navigation systems, knows the people behind WabiSabi Labi personally and trusts them. He's quick to acknowledge others may not share that trust.

"If I'm a random researcher, and I know I have a very important vulnerability -- and ideally you would sell only vulnerabilities that are very important -- my primary concern would be not to leak that vulnerability. Since most people in the security industry are very paranoid, I wouldn't trust a middleman," Barisani said.

Preatoni rejects the notion that selling vulnerabilities through WabiSabi Labi puts users at risk, saying buyers are carefully vetted to prevent zero-days from falling into the hands of criminals. But he acknowledges the company must work hard to win over security researchers by ensuring they get paid for their work and that agreements over how vulnerabilities should be handled are respected.

"It's all a matter of trust and we have a long road ahead. We have to build that trust," Preatoni said.