That is why a black market exists for this stuff.

c0balt · 2024-10-12T14:12:29 1728742349

The black market also exists because the potential payout for serious 0days by official programs is almost always less than what a third-party adversary will pay (if the target(s) for them are worth it).

omoikane · 2024-10-12T16:28:08 1728750488

The price for 0days is highly variable according to this presentation (starting slide 65):

https://github.com/mdowd79/presentations/blob/main/bluehat20...

The same presentation also mentions (starting slide 17) how the requirements of 0days differs from public research, which is why some vulnerabilities would be difficult to sell.

eastbound · 2024-10-12T17:10:35 1728753035

This. Fortunately the law makes it that it’s inconvenient (possible prison time) to use the black market, which is a big thumb on the balance, but bug bounties are also often only $3000…

Aachen · 2024-10-12T18:42:47 1728758567

> Fortunately the law makes it that it’s inconvenient (possible prison time) to use the black market

Don't forget that most people also simply don't sell bugs. They're not for sale in the first place; the bounty would be a thank-you or nice bonus, not a replacement for selling it

I'm certainly not in a criminal bubble so I can't say how big the other side is, but (as a security consultant who knows a reasonable number of hackers) I doubt that I know anyone who'd choose, after getting no response from the company, to sell a bug for profit to a louche party rather than going full disclosure and warning everyone -- or just doing nothing because it's not like it's their problem

Edit: nvm someone did come to mind. We tried to steer them onto the right path at our weekly CTF team meetings but I'm not sure we succeeded. Anywho, still one to a few dozen

yieldcrv · 2024-10-12T17:16:11 1728753371

Which law makes it a criminal sanction to use a black market like darknet marketplaces

Software Exploits arent considered arms it is information that can be sold, the liability is on the person that does the unauthorized access, the person that steals data, the person that uses the data

Hacking syndicates distribute liability akin to any corporation

saagarjha · 2024-10-12T18:01:42 1728756102

CFAA?

yieldcrv · 2024-10-12T18:35:39 1728758139

which puts the liability on the person that does the unauthorized access

not about else and especially not for merely browsing or using or buying a legal good from a dark net market

as I wrote

SkyBelow · 2024-10-14T13:30:11 1728912611

>which puts the liability on the person that does the unauthorized access

Which is almost always the person finding the bug. Most services include language that limit your ability to find vulnerabilities in their systems as part of being allowed to access their service. If you find the vulnerability without ever accessing the service you might have an out, but that also means you have to sell the exploit with less ability to convince the buyer that it is something significant.

r-w · 2024-10-12T20:30:35 1728765035

Accessory?

yieldcrv · 2024-10-12T22:37:37 1728772657

Relies on intent of the seller, who would need to be found via a valid subpoena that needs to pass a threshold of cause

who would then argue they also sold it to security researchers, journalists and assumed everyone was or didnt discriminate or have any intent at all

saagarjha · 2024-10-12T22:50:54 1728773454

That’s not how this works.

yieldcrv · 2024-10-12T23:11:17 1728774677

How does it work, I didnt get another answer from an LLM which pretty much never respond without elaborating

saagarjha · 2024-10-13T02:04:47 1728785087

You will typically be held liable for who you are selling your bugs to. If your bug ends up in the wrong hands you can’t just say “but I deal with everyone”.

pests · 2024-10-13T04:07:56 1728792476

Just like the gun manufacturers, right?