HOLLYWOOD isn't a patch on the underground hacker community, where even here in Ireland an enterprising hacker can sell a vulnerability he's discovered for as much as 30,000.
In Die Hard 4.0, somewhere between John McClane blowing up a helicopter with a car and dodging missiles from a fighter jet, a hacker tries to reduce the United States to bedlam by assembling the work of other computer experts into one massive internet attack.
He pays each of the hackers for their individual security breaches under the guise of product testing, not revealing his plans to join all of the work together to any of them.
Less than two weeks after the film premiered on 4 July, a Swiss website, wabisabilabi.com, launched as what is meant to be an eBay for these same system vulnerabilities: openings in software that a hacker (or, in the website's euphemism, a "security researcher") could use to take control of a computer.
According to Roberto Preatoni, the company's strategic director, all of the power is placed in the hands of the seller. He or she can choose to sell only to security firms and others who would want to buy the information with the hope of fixing the problem, or simply to the highest bidder.
"We are neutral, in the pure Swiss tradition," Preatoni said.
In Ireland, there has been an underground vulnerabilities market for years. A member of the Dublin branch of the hacker group 2600, based around the American magazine of the same name, said there were computer experts in Ireland as early as 2001 looking for buyers for the vulnerabilities they found. He said many of them used their discoveries to land themselves jobs in security firms.
Pavel Gladyshev, a professor at UCD who has done work on cybercrime and information systems security, said "the trade does take place in Ireland, but it is not nationally specific".
Since the same software is being used all over the world, the flaws found are an internationally traded commodity and not restricted by geography.
Vulnerabilities in widely-used software go for around 5,000 on average but Gladyshev said he had heard figures as high as 30,000. Should the market one day become fully developed, researchers are likely to be earning much more.
However, there are ethical issues with an open market for software exploits. The 2600 member said neither he, nor any of his friends, would sell vulnerabilities to hackers.
"Years ago people would be auditing code, they'd find a bug and they might publicise it to get their name in the security field, but they'd notify a vendor before they released it," he said.
If the software vendor learns about the problem, it can issue a patch that corrects the flaw, delivered to your computer as a software update. Mozilla, for instance, maker of the Firefox web browser and the Thunderbird email client, offers $500 as a "bug bounty" for any serious flaw discovered.
Alternatively, if the bug is turned over to the market, it is likely to end up in the hands of the highest bidders, who are often commercially driven criminal cybergangs.
Conor Flynn, technical services director of information security specialists Rits, agreed that with "the discovery of a vulnerability or an exploit, the ethical and proper thing is to report and manage the delivery of a patch to mediate the issue".
Flynn said the goal should be to establish a market between independent researchers and manufacturers, so they could find the problems before the malicious community does. But if the market in its current form takes off, security firms may one day have to bid directly against their hacker rivals so as not to fall behind.