Comment by dan-robertson
2 months ago
My guess was that people selling vulnerabilities generally know who they’re selling to. Is there a big market for people selling exploits to unknown/anonymous customers?
People talk about "people selling vulnerabilities" as if there's an established pattern for selling arbitrary vulnerabilities. There is not. There's an established pattern for selling exploits for RCE vulnerabilities on a subset of popular client-side platforms. It's not an especially easy market to break into (as with consulting, people starting out here tend to end up subcontracting, and taking a huge income hit).
For any other kind of vulnerability, you're not so much "selling a product" as you are "helping plan a heist".
It's a pretty big part of most black markets that vendors don't ask too many questions about the buyer.
Do you really want to know what the FSB plans to do with your exploit?