Comment by mlyle
2 months ago
It's not a crime to sell a bug. You can sell something like this to Crowdfense and receive money wired from the company (or cryptocurrency if you prefer anonymity).
2 months ago
It's not a crime to sell a bug. You can sell something like this to Crowdfense and receive money wired from the company (or cryptocurrency if you prefer anonymity).
It is not intrinsically a crime to sell a bug, but if you sell a bug and it can be demonstrated you reasonably knew the buyer was going to use it to commit a crime, you will end up with accessory liability to that crime. Selling vulnerabilities is not risk-free.
This is another reason why the distinction between well-worn markets (like Chrome RCEs) and ad-hoc markets is so important; there's a huge amount of plausible deniability built into the existing markets. Most sellers aren't selling to the ultimate users of the vulnerabilities, but to brokers. There aren't brokers for these Youtube vulnerabilities.
There's not a standard price in a list, but you can absolutely sell a platform exploit to a broker.
Say more. What do you mean by "platform exploit", and which brokers are you talking about? I am immediately skeptical, but it should be easy to knock me down on this.
1 reply →