Hacker News

UncleMeat, today at 1:15 PM (3 replies)

In a past life I was deeply involved in the operation of a bug bounty program. Discouraging people from selling on the black market was nowhere on the list of motivations.

We wanted to encourage white hat security researchers to look at our domain rather than other domains so we could collect more data on the kinds of vulns that appeared in our domain to help prioritize efforts that would fix the root causes of recurring bug patterns.

I've also submitted bug bounties and received rewards and I've worked with a bunch of other people who have done this. At no point did I even consider selling on the black market and I suspect that my friends from grad school were the same way.

Maybe the $1,000,000 bounties for zero-click RCE on iPhones or whatever exist to discourage selling on the black market, but I'm not even sure that is true. "Well, I'll just find a way to sell this to the Russian mob" is not exactly something that is on the radar of the vast majority of security researchers.


Replies

easterncalculus, today at 2:19 PM

The reality is that most people's thoughts on bug bounties are from salacious headlines talking about those $1M vulnerabilities. In reality the average bug bounty submission is a machine translated report for a low severity issue in a web app that may or may not even exist (or be a vulnerability), sprayed at hundreds of companies (or the same company a hundred times) in the hopes of earning $500 to basically do currency manipulation.

entuno, today at 1:49 PM

There are plenty of places you can sell exploits other than OCGs. At the more legitimate end of that market are people like ZDI, who will then collaborate with the vendors (after a time), or companies making exploit kits/tooling for pentesters/red teaming. More questionable ones are companies that make things like forensics tools or spyware, which are legal but perhaps ethically dubious. All completely legal, but not great for the wider community if they're getting the vulns rather than the developers.

If you're trying to protect your own website and servers, those markets won't be a concern for you. If you ship a widely used product that's an attractive target (like a web browser, mobile device, network kit, etc.) then they definitely are.

r_lee, today at 3:43 PM

You don't sell it to the "Russian mob", you sell it to a highly reputable security company that will buy it for like $10 million or more and sell it to governments and stuff, not the mob.

I mean, seriously.

Why would I ever go find a 0-click RCE bug and then just donate it to a trillion dollar company just to get a "thx" when I can just retire right then and there?