Comment by neilv
2 months ago
> Threat actors buy vulnerabilities that fit into existing business processes
Isn't there a market for this? For example, "Reveal who is behind this account that's criticizing our sketchy company/government, so we can neutralize them".
I'll also argue there are separate incentives beyond the market value to threat actors... Although a violent stalker of an online personality might not be a lucrative market for a zero-day exploit in this "threat actor" market, the vulnerability is still a liability (and ethical) risk for the company that could negligently disclose the identity of a target to a violent stalker.
IMHO, if you're paying a gazillion Leetcode performance artists well to churn out massive amounts of code with imperfect attention to security, then you should also pay well the people who help you catch and fix their gazillion mistakes before bad things happen.
You are imagining a market that doesn’t exist.
First, there are only very few govs/companies that are sketchy enough to do this - and for those, a huge number of non-anonymous people exist with huge reach who have been very critical for years. If such a market existed they would assassinate all those first - you don't need the email if you have the face, voice, and name - since that is not happening they just don't care that much about it.
There’s 100% an active market for this, and I think tptacek is simply wrong on this point (the others are valid)
The likes of Cambridge Analytica didn’t go away, they exist and absolutely go hunting for data like this.
The ability to map between different identifiers and pieces of content on the internet is central to so many things - why do you think adtech tries to join so many datapoints? Let alone things like influence campaigns for political purposes.
I'm not talking about assassination plots, but more mundane data mining. This is why so much effort in the EU has gone into preventing companies from joining data sources across products - that's embedded in the DMA.
There's an easy way to put your money where your mouth is here. Just offer $11k for this or similar vulnerabilities out of your own pocket, and then resell them. If there really is a large and active market for this at higher dollar values, you'll make a killing!
Sure is funny there's nobody doing that despite so many people being so dead certain there's an active market.
Sure, but do adtech companies buy vulnerabilities in web services to advance their mission? Wouldn't that risk running afoul of e.g. the Computer Fraud and Abuse Act?
I think you've missed my point. I know data brokers exist. Does there exist today a data broker that functions in whole or in significant part by acquiring vulnerabilities and exploiting them to collect data? Here's a more concise way to frame my argument: if you're imagining yourself to be the first person to sell a particular kind of vulnerability, then your customer is imaginary.
I think what's being conflated here is that there are reasonable buyers for this kind of vulnerability but there's no market in the truest sense. I think a correctly connected individual could well sell this vuln to a state actor or a contractor to one; but the ecosystem of bug sales to these parties has no aggregate appetite for them, thus there is nothing driving the price up. People in the market for cyberweapons want point-and-shoot vulns that have broad usage beyond a specific server for a specific company, or parts for them, and ones that will last beyond a single corporation patching something. They are willing to pay such big $$$ for this that the whole market is optimized for it. The power players here would much rather buy a gun and shoot the lock off a door than a specialised set of picks that work for that lock in that building.
The only real market (that I can see) is shady data aggregators. Governments just file subpoenas, and abusive megacorps can file lawsuits (all the anti-SLAPP statutes in the world can't prevent your Google account from being unmasked and you having to pay for a lawyer). There is a limited market in the form of internet addicts who want to harass people for kicks (since finding an email gives them another route to do that), but it's a small one. These people also tend to be entitled pricks, so they're not a very good customer base to have.
> then you should also pay well the people who help you catch and fix their gazillion mistakes before bad things happen.
You missed their point about the business model of the security researchers here: their business model is finding a large number of small value vulnerabilities. Those who are good at this are very very good at this.
My company has a bug bounty program and some of the researchers participating in it make double or more my salary off of our program, but we never pay out more than this for a single report. And it's not like we're particularly vulnerable, we just get a steady stream of very small issues and we pay accordingly.
They're right: I was talking about the business models at the buyers that these vulnerabilities have to slot into. The point I'm making is: there already has to be an operating business that's doing this for a vulnerability to be salable at all. If there isn't one, you're not selling a vulnerability, you're helping plan a heist.
Right, I'm only responding to the last part where they imply that these researchers are not well paid. I'm saying that on an hourly or monthly basis, $10k a vulnerability is actually quite a good payout when you have a surface area as large as Google's to explore and know what you're doing.
Their last paragraph shows that they didn't understand your paragraph here:
> For people who make their nut finding these kinds of bugs, the business strategy is to get good at finding lots of them. It's not like iOS exploit development, where you might sink months into a single reliable exploit.
Yeah, _should_, but businesses make money, and not reporting and using the vulnerability in any other way is illegal, so they get to set the price as they're the only buyer. They know this.