Woof. I didn't even notice the "for sale" part at first. That's probably the biggest red flag. You should never sell a backdoor into thousands of codebases to the highest bidder.
Of course, the real problem is thousands of codebases shouldn't be banking on the honor system for stuff like this.
I think the author is referring to third parties which buy and disclose vulnerabilities. Very hard to monetize. There is already a flourishing market for undisclosed vulnerabilities, for obvious reasons.
For a vulnerability of that scope, I assume selling it to a short-seller to publish in bad faith would be more valuable than selling on the actual black market anyway. Hell, the impression I get is that unless you're fairly well connected already, selling large $ value hacks on the black market isn't exactly easy (see Twitter hack).
I don't know if this is strictly legal either, but definitely more plausible deniability.
> Turning these exploits/vulnerabilities to black market is not only immoral but also highly illegal
I assumed 'black market' here means irresponsible disclosure, for which there are many sites operating legally (Zerodium being a prime example).
Who are the customers? Theoretically nation-state actors, but do we really know? Either way, you're selling the vulnerability to a private party. To my knowledge, selling knowledge of an exploit to almost anyone is legal (unless it could be classified treason or a threat to national security or something).
As is publishing the security research after responsibly disclosing (as the blog author did here), though we've had to fight pretty hard to get to the point where warning people of threats to their digital safety (often because companies are too lazy to protect their users) is generally understood to be legal.
If I had to guess: not everyone can buy this software and A/G are not wanted by the sellers. Even the usual customers (law enforcement) are not very likely to pass exploits to them, because their work would become more difficult.
I've always wondered this about vulnerabilities: how can one guarantee an exclusive sale? And why doesn't someone who bought it just go ahead and re-sell it to (multiple) others to make a profit?
> Good way to ensure others who find similar exploits sell them to the highest bidder on darkmarkets instead, as they'll be able to get way more than that.
Couldn't that be compared to, say, selling protective sportswear? That is also selling protection from harm. Now if the researcher threatens to auction off the exploit...
> avoids the urge to go to the black market (or NSA, etc).
You can still sell your exploit to the black(site) market and later collect a bounty on it. You take some risk that someone else finds it or the party you sold it to leaks it.
You're quite misinformed on the value of such a vuln on the black market. Access to companies is indeed something that blackhats monetize. It's different from selling 0day in some software, but there is a market for it.