Comment by thrdbndndn
1 year ago
From a practical perspective, they probably should "match" what the black market values these exploits at, and I surely wish they could give much higher bounties in general (and they can surely afford to!), but I don't think they ethically need to (so it's not an insult in my view).
Turning these exploits/vulnerabilities over to the black market is not only immoral but also highly illegal, so the "value" is inflated due to these "risk" factors. You can't really expect the same from the affected company itself.
It's like finding a lost item and asking the owner for a large sum when you return it, because "I could get much more if I chose to just sell it on the street".
> Turning these exploits/vulnerabilities to black market is not only immoral but also highly illegal
I assumed 'black market' here means irresponsible disclosure, for which there are many sites operating legally (Zerodium being a prime example).
Who are the customers? Theoretically nation-state actors, but do we really know? Either way, you're selling the vulnerability to a private party. To my knowledge, selling knowledge of an exploit to almost anyone is legal (unless it could be classified treason or a threat to national security or something).
As is publishing the security research after responsibly disclosing (as the blog author did here), though we've had to fight pretty hard to get to the point where warning people of threats to their digital safety (often because companies are too lazy to protect their users) is generally understood to be legal.
I'm not a legal expert, but is it necessary for an act to pose a threat to "national" security for it to be considered illegal in places like the United States?
In my country, we have a law known as "The Crime of Destroying Computer Information Systems." This law makes it a criminal offense to intentionally harm computer systems in a way that could compromise them (which is somewhat vague in its definition, I'd admit). This includes leaking private information from these systems, and it applies even if the affected systems belong to private entities. And if you sell exploits to a third party and are later caught, you will be considered an accomplice and there are precedents for this.
The United States has similar laws in place. There have even been cases where people were convicted for responsible disclosure, since they had to circumvent the system to determine that there was indeed an exploit. It's not as common as it used to be, but there are plenty of small financial firms that would still go after someone reporting an exploit.
Zerodium isn't going to pay you $133.70 for this.
If you pay too much in bounties, you risk having your own red-team employees leave so that they can report bugs externally and get paid much more via bounties.