Why bug hunt should be for sale

The co-founder of controversial security auction site WSLabi says hackers must be allowed to sell their work, and discusses the site's plans for Asia.

KUALA LUMPUR--Roberto Preatoni may not be a man without controversy, but he is a man on a critical mission: To change public perception of computer hackers.

As the director of strategy for online auction Web site WabiSabiLabi (WSLabi), Preatoni hopes to redefine the role of hackers from one that is out to destroy the intellectual property others create, to one that can contribute positively to the field of Internet security.

Also the CEO of Domina Security and founder of the cyber crime archive Zone-h, he believes that hacking is a profession no different from research in other fields, such as medicine and engineering. Hackers should therefore not be "forced" to give away their discoveries for free but should instead be rewarded for their work, he said.

To champion this cause, Preatoni and two other security professionals in July launched WSLabi, offering a platform to facilitate the sale and purchase of security vulnerabilities and research.

While some have welcomed this Swiss-based auction Web site, others--security vendors in particular--have dubbed it a marketplace for bugs. They also criticized the site for legitimizing the work of malicious hackers by helping them sell their security exploits to the highest bidder.

In an interview with ZDNet Asia, 40-year-old Preatoni defends the need for portals such as WSLabi and discusses the company's plans for Asia. He adds that the business model not only works, it also benefits the security industry.

Q: What is the rationale behind WabiSabiLabi?
Preatoni: There are currently only two platforms on which security researchers can sell their work: Verisign's iDefence and 3Com's TippingPoint. This, to me, is a near-monopoly and not an open market situation. If indeed an open market exists, then the information discovered by researchers should be exchanged at a price that is valued and set by a large group of buyers, and not just between two players.

As long as you have only two players dictating terms, unfair conditions will always exist. This is what WSLabi aims to correct.

But WSLabi has drawn heavy criticism from some security vendors, blogs and members of the media. How do you respond to this?
We are not worried about what our critics say about us. They have questioned many things through the press, including whether WSLabi is a front-end for criminal organizations.

We are a real business incorporated in Switzerland, where we employ some 20 professionals to do security research. Additionally, while many may not know the company, the industry knows me and, as one of its architects, I stand behind WSLabi.

Also, our competitors ask us: How can we be sure that WSLabi is not selling vulnerabilities to criminals? Well, I could throw the same question back at them. I can also ask them if they have any processes in place to vet buyers. Because negotiations are done in private, there's no way to know. Here at WSLabi, we have stringent processes to check buyers before they trade.

How then do you justify the sale of vulnerabilities on WSLabi?
Our goal is to establish a security research marketplace so that legitimate security researchers can be rewarded for their work. WSLabi will allow them to sell their work at a fair price, and buyers will be able to buy these researchers' work to protect themselves. This way, legitimate hackers can contribute to the security knowledge industry, too.

But what if criminals end up auctioning on WSLabi?
No criminal hacker would want to sell their findings on WSLabi because criminals are already trading on the black market today. Also, criminals are motivated by profit, and WSLabi will not appeal to them as they can certainly make more money selling their vulnerabilities illegally on the black market than on WSLabi.

What kind of vetting process have you implemented for buyers who want to trade on WSLabi? How does that work?
There is no perfect vetting process but our goal is to minimize the risks.

If a buyer wants to trade on WSLabi, we would require him to fully disclose his identity according to details on his passport. In addition, we require him to provide a fixed landline telephone number, and not a cellphone number, for us to verify his existence and business location.

What if buyers give false identities?
Even if they provide bogus details, we are protected as we don't accept or transfer money to bank accounts other than to persons whose identities have been verified. Also, for the buyer to open a bank account, the bank would have vetted him to ensure that he is a legitimate individual.

We believe that with all these processes in place, criminals would in all likelihood not want to trade on WSLabi as it's just too complicated and restrictive for them to do so. It would be much easier for them to trade over the black market where no questions are asked.

In the unlikely event that there is a problem, we can reveal this information to the relevant authorities for them to take action.

Do you have an internal process in place to ensure your staff will not manipulate the auction system for their own gain?
We have a security procedure that separates staff functions within the company. This means that people working on the vulnerabilities in the labs cannot access the database of the buyers and sellers, while those who administer sales do not have access to the vulnerabilities database.

Even I don't have access to the vulnerabilities, as I'm the strategist in the company and have no business engaging in the buying or selling process.

What are your plans for WSLabi here in Asia?
Selling value-added services to our clients, rather than depending on auctions for revenue, as it is not economically viable to just do that. By having a repository of vulnerabilities, we plan to sell early-warning advisory services based on subscription.

This model is specially meant for Asia as there is a dearth of security advisories written in native languages here. We plan to not only analyze the vulnerabilities but to translate the technical details into non-English advisories, so native-speaking countries can have easy access to security information.

Has work on this started yet? And where will this center be based?
No. It hasn't even started in Europe. But I expect it to begin before the end of 2007. We are in the process of finding a regional business manager who will take care of sales and build the team here in Asia.

There'll be one in China and one in the Far East. We are looking at Indonesia, the Philippines or Malaysia as the Far-East hub.

So Malaysia could be one of the frontrunners?
Yes, because I know the people in the security business here and I also believe Malaysians have the necessary skill sets to do the job.

How will you take on new competitors?
New players might emerge, but they will face an uphill task as we already have first-mover advantage. Also, our competitors must study the legal minefield, be financially strong and absolutely crazy before trying something like this.

How are you funded?
We have private investors who have put in US$2 million to support our operations over the first two years. We will receive another US$3 million after that, assuming the business is successful.

Why is WSLabi headquartered in Switzerland?
Two reasons: The laws in the country are clear, and the country does not have lobby groups to sway opinion against us. Also, our investors are based there.

Edwin Yapp is a freelance IT writer based in Malaysia.