
Comment by scarby2

2 months ago

It is a factor though. Most people will commit non-violent crime for a big enough pay off. Especially one where the individuals affected are hard to identify.

If my bug bounty is $10,000 and I can sell it for $20,000 then most people will take the legitimate cash. If it's $10,000 and some black market trader will pay $10,000,000 (obviously exaggerating) then there's a whole mess of people who are going to take the ten million.

Except it's not "legitimate cash" and that's the point.

* Are you talking to someone legitimately interested in purchasing and paying you, or is this a sting?

* If you're meeting up with someone in person, what is the risk that the person will bring payment or try to attack you?

* If you're meeting with someone in person, how do you use $20k in cash without attracting suspicion? How much time will that take?

* If it's digital, is the person paying you or are the funds being used to pay you clean or the subject of an active investigation? What records are there? If this person is busted soon will you be charged with a crime?

There are a lot of unknowns and a lot of risks, and most people would gladly take a clean $10k they can immediately put in the bank and spend anywhere over the hassle.

  • It's not a crime to sell a bug. You can sell something like this to Crowdfense and receive money wired from the company (or cryptocurrency if you prefer anonymity).

    • It is not intrinsically a crime to sell a bug, but if you sell a bug and it can be demonstrated you reasonably knew the buyer was going to use it to commit a crime, you will end up with accessory liability to that crime. Selling vulnerabilities is not risk-free.

      This is another reason why the distinction between well-worn markets (like Chrome RCEs) and ad-hoc markets is so important; there's a huge amount of plausible deniability built into the existing markets. Most sellers aren't selling to the ultimate users of the vulnerabilities, but to brokers. There aren't brokers for these YouTube vulnerabilities.