Comment by benmmurphy
2 months ago
There is kind of a market for server-side vulnerabilities, but I'm not sure if you would call it grey. I suspect ZDI will purchase commodity server-side vulnerabilities (https://www.zerodayinitiative.com/). So stuff like Apache, nginx, and maybe open source webapps that have a narrower usage.
ZDI claims they'll pay for bugs in server-side software, which is a different meaning of the term "server-side" than I'm using (admittedly, that definition is more precise). An nginx bug has a half-life once discovered. A YouTube bug does not.
I'm a little skeptical of published prices for server-side software, though. Do you know anyone who specializes in selling those bugs? I don't.