> I imagine that anyone who knows where to look can easily find dozens of interested buyers willing to pay a lot more than that, from intelligence agencies and their contractors to crime syndicates.
This is unfortunately false. The running price for a Linux kernel exploit isn't that high.
"estimates that a hacker who gets 1 to 2 percent of users of infected machines to purchase the software can pull in over $5 million a year in commissions."
Why am I not using my computer security knowledge to do this? haha
> Good way to ensure others who find similar exploits sell them to the highest bidder on dark markets instead, as they'll be able to get way more than that.
Now, sadly, I must ask, is someone going to try to make this proprietary and embedded, contained within hermetically sealed hardware enclosures, complete with convoluted bootloader and behavioural studies rootkit, to try to make billions from it?
If the problem is submitted to the market, then yes. That's what the market and capital do. So sad.
It'd be great if the world's geeks would stop laboring for the fucking market, increasing the surplus value exacted from their labor, and winding up fucked by their own creations.
> avoids the urge to go to the black market (or NSA, etc).
You can still sell your exploit to the black(site) market and later collect a bounty on it. You take some risk that someone else finds it or the party you sold it to leaks it.
> I'm surprised by how cheap the vulnerabilities market is
I think this has a lot to do with government agencies buying any exploit they can get their hands on, and there is basically no market besides that. I don't know if that is illegal in the US, but it seems that the government is the only buyer.
> what stops a security researcher from selling the same 0-day to several different buyers, and then selling it to the company to fix?
People willing to pay 5- or 6-digit sums for a zero-day are likely... not nice. One wouldn't double-cross them willy-nilly. Multiple-sale-to-multiple-third-parties scenarios are likely happening every day, but selling to developers could be considered an act of sabotage against all buyers, so there is no incentive really.
Without revealing the actual site/method/whatever, can you please explain how the 0day exploit market works?
I can make basic assumptions that it is deep-web forums/TOR/whatever... but can you enlighten me as to how one might go about selling/buying such an exploit?
> Hats off to you, no idea why you wouldn't just sell this off considering how poorly your honesty is rewarded.
Aside from the ethical considerations you'd have to navigate, there isn't a market for vulns like this outside of bug bounties.
People on HN always cite Zerodium or whatever but don't realize those markets exist for vulns with a long half life. The expected return on a vuln which exists in one website is quite bad.
For a vulnerability of that scope, I assume selling it to a short-seller to publish in bad faith would be more valuable than selling on the actual black market anyway. Hell, the impression I get is that unless you're fairly well connected already, selling large $ value hacks on the black market isn't exactly easy (see Twitter hack).
I don't know if this is strictly legal either, but definitely more plausible deniability.
Might be hard to sell for a sensible price in that case.