Comment by Arainach
2 months ago
Except it's not "legitimate cash" and that's the point.
* Are you talking to someone legitimately interested in purchasing and paying you, or is this a sting?
* If you're meeting up with someone in person, what is the risk that the person will bring payment or try to attack you?
* If you're meeting with someone in person, how do you use $20k in cash without attracting suspicion? How much time will that take?
* If it's digital, is the person paying you or are the funds being used to pay you clean or the subject of an active investigation? What records are there? If this person is busted soon will you be charged with a crime?
There are a lot of unknowns and a lot of risks, and most people would gladly take a clean $10k they can immediately put in the bank and spend anywhere over the hassle.
It's not a crime to sell a bug. You can sell something like this to Crowdfense and receive money wired from the company (or cryptocurrency if you prefer anonymity).
It is not intrinsically a crime to sell a bug, but if you sell a bug and it can be demonstrated you reasonably knew the buyer was going to use it to commit a crime, you will end up with accessory liability to that crime. Selling vulnerabilities is not risk-free.
This is another reason why the distinction between well-worn markets (like Chrome RCEs) and ad-hoc markets is so important; there's a huge amount of plausible deniability built into the existing markets. Most sellers aren't selling to the ultimate users of the vulnerabilities, but to brokers. There aren't brokers for these Youtube vulnerabilities.
There's not a standard price in a list, but you can absolutely sell a platform exploit to a broker.
2 replies →
The "legitimate cash" option is the bug bounty without the risk. I think you are saying the same thing.
You have discovered the one real practical application of crypto.