Comment by brohee
6 months ago
He had a pretty reliable exploit on the most used browser, pretty sure it he could have gotten more tax free on the black market.
Now, with EDR widely deployed it's likely that the exploit usage ends up being caught sooner than later, but pretty sure some dictatorship intelligence agency would have found all those journalists deep compromise worthwhile...
> pretty sure it he could have gotten more tax free on the black market.
How?
I've been paid by bug bounties (although not that big) and I have no idea how I would find a trustworthy criminal to sell to.
I guess I'd need to find a forum? Unless my opsec is exemplary then I'm risking being exposed. I'd need to vet that the buyer would actually pay me and not just steal it from me. Even if they do pay me, I'd be worried that they'd blackmail me or try to extract something from me. But assuming they're good black-marketeers, I still have to explain to the authorities where this large amount of cash came from.
So how do I go about selling to the black market in a safe way?
Oh, and I don't get to write a blog post about the bug or get my name in front of other researchers and recruiters. That can be worth a huge amount - both in cash and reputation.
Mostly the best market is intelligence agency vendors. As a US citizen, I would only be comfortable selling to US contractors. There are a bunch; if you go to conferences you probably meet the people there (look at the sponsors...).
It won't be tax-free, though; you'd probably get a 1099, but if you're smart could set it up as corp to corp and deduct a bunch of other expenses from it. Part of the sale is signing a bunch of NDAs, etc so you can't then release it to others.
How does https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act play into that?
4 replies →
>Mostly the best market is intelligence agency vendors.
That makes me wonder - may be the original bug was really a backdoor created as a result of a deal with an intelligence agency/vendor. So, can it be that Google gets money (or more generally some kind of browny points; also interesting aspect - giving that the agencies may exploit individual engineers, it would seem to be more preferable for the company to play ball and have it organized under the company's control) for a backdoor, and once backdoor is found - pays the bug bounty. The bug bounty is thus a kind of backdoor quality control program :)
> How
There are companies that specialize in getting grey market bugs in important software, ie browsers and OSes. They are repwat players and have a reputation to actually pay out.
OK. But how do I find them? And, again, how do I assess their reputation and likelihood of paying me.
How much of a premium are they paying to make it worthwhile?
11 replies →
From what I understand, they generally require complete reliable exploits. I don't think they generally buy proofs of concept, or exploits that only work some percent of the time. This specific exploit worked 80% of the time, which I'm not sure is good enough for them.
Yes, maybe the exploit could likely be modified to be more reliable. That's more work though.
You'll probably end up with 40 subscriptions to Vibe magazine.
The black market is "if you have to ask then you are already not qualified"
unless you are an agent posing questions to get people to sink themselves.
Thats what trusted middle men are for, instead of gaining rep among infosec posers on twitter you build rep under your anonymous alias. This is nothing new.
Or just sell it to the israelis.
Bahah, best description of the anime avatar people
[dead]
[dead]
[dead]
> a trustworthy criminal
Not going to happen.
You know most criminal enterprises are based pretty much solely on trust right? Like that is how a lot of crime gets done
1 reply →
Selling something to the black market doesn't magically make it tax free. It's almost the opposite. The money is going to show up in your auditable accounts sooner or later, so it's best to pay tax on it, but you'll also have to come up with a fake but auditable story of where it came from, meaning you'll have to engage the services of professional money launderers. They will also take a cut. So, it's like paying tax twice.
Getting paid in cryptocurrency isn't necessarily a dodge either because even if you claim you mined it or something, the authorities have got wise to this a while ago IIUC and will expect to see evidence to back that claim up too.
Up to here you weren't committing any crimes.
> but you'll also have to come up with a fake but auditable story of where it came from
And now you did.
Sorry, do you mean the comment was describing hypothetical crimes, or literally the comment itself was criminal?
1 reply →
Dubious; seems like if you know you're selling exploits to criminals you could be done on a conspiracy charge.
The money itself might not be dirty, couldn’t you just claim something like “I sold a secret, highly valuable algorithm to this guy”? Tax would still need to be paid of course
Immediate follow up questions from the tax man, and then shortly afterwards the police "who is this guy? where is the invoice? what is his phone number?"
3 replies →
For the people downvoting, that's unironically a thing:
https://www.irs.gov/publications/p525#en_US_2024_publink1000...
>Illegal activities.
>Income from illegal activities, such as money from dealing illegal drugs, must be included in your income on Schedule 1 (Form 1040), line 8z, or on Schedule C (Form 1040) if from your self-employment activity.
You underestimate the tax auditors.
And when they ask you who “this guy” is?
If you get paid in crypto, leave it in crypto, and just trade crypto for goods or services uncle sam is none the wiser.
Terrible advice
Selling an exploit is not illegal so why bother with money laundering?
Because the people buying it don't get their money from legal sources, nor engage in legal business activities.
They also have every incentive to make sure you're guilty enough to not go blab to the authorities later, or sell it to someone else.
And since you're trying to be anonymous in this, you aren't going to be getting a regular tax receipt either.
1 reply →
Everybody here is coldly evaluating the financial profit comparison. How about being a decent human being, and not enabling hundreds of criminals to hurt millions of people because your net income is potentially better?
People are fixated, across this thread, on a black market of organized criminals buying vulnerabilities, but for the most part criminals aren't the real alternative market buyers for high-end vulnerabilities, and while people on message boards may incline towards viewing IC and LEO agencies as themselves criminal, I think you'll find a pretty substantial fraction of normal people find supplying IC/LEO agencies as more than just decent; praiseworthy, even.
That thorny ethical issue aside, I'm fond of pointing out that the IC's main alternative to CNE intelligence collection is human intelligence, and the cost of HUMINT simply in employee benefits dwarfs any near-term possible cost of exploit enablement packages; 7 figures is a pittance (remember: most major western governments are essentially benefits management organizations with standing armies).
Even given the seemingly vast sums earned by organized crime, government buyers are positioned to decisively outbid crime over the medium term. It's really early days for these markets.
Not commenting about the ic/leo part specifically, but there is a pretty abundant body of work on what "normal" people are willing to do, as long as they find a way to rationalize it away. The banality of evil is well documented.
In that light, what others would do is rarely a reliable indicator that you shouldn’t think twice about your actions, lest you regret later, once the thinking has happened.
2 replies →
People are evaluating this from a cold perspective to see if the system is working as designed or not.
Hopefully decency reduces the necessary price a little.
Why not collect from both of the sources? First collect with your black hat and then with your white.
First, it's not "black market" vs. "non-black market"; most remunerative sales outside of bounty programs are grey-market --- mostly lawful, but all under the table, largely because they're to agencies that are protective of their sources and methods.
The mechanism grey-market buyers have to protect their interests against over-selling bugs is tranched payments. Sellers make much of their returns from bugs on the back end through "maintenance agreements", which both require the seller to keep e.g. the offsets in their exploits current and reliable against new patch levels of the target, and also serve to cut off payment once the vendor kills the bug.
If you sell to both sides, you quickly kill the back end business from the grey market buyers. If you sell to too many or too sketchy grey market buyers, the bug leaks --- vendors see it exploited "in the wild", capture samples, kill the bug; same outcome: tranched payments stop.
This is one reason it can make sense to take a bounty payment that is substantially smaller than what a bug might be worth on the market: you get certainty of payment. Another reason is that the bounty program will only want POC code (perhaps proof of reliability in addition to just exploitability), while the market will want a complete enablement package, which is a lot of work.
Black hats will not pay you for an exploit that dies quickly once the white hats get your report. White hats will not pay you for an exploit that you fenced to a black hat agency and showed up in the wild.
> White hats will not pay you for an exploit that you fenced to a black hat agency and showed up in the wild.
...come to think of it, how does that work? Aren't the most important exploits to patch the ones being actively used in the wild?
In other words, how do they avoid someone playing both sides? "I found an exploit being used by the LEETH4X0R malware [which was in fact created by the guy I sold this exploit to] to steal people's gmail cookies."
You'd have to find out about LEETH4X0R before other researchers, but of course, you'd have a head start.
1 reply →
"If I report the body, no-one will suspect I'm the murderer"
Yes they will.
Which is why people are hesitant to report a body they have not killed, just found!
5 replies →
Because you'll get found out and never employed as a security researcher again
Perhaps but won’t some of those blackhats pay $1 million or more? Depending where you live that’s retirement money.
Honestly I’d be more worried about crossing the blackhats.
Typically can't do that.
Security services tend to anonymously report security flaws they use after use against any high value target, since they don't want the opponent using those same flaws back at them.
Private sector has the incentive of keeping an exploit open for as long as possible. Several cases with iPhone exploits that were apparently open (and sold) for years.
An exploit that is used is an exploit that will eventually leave traces that an analyst will look at (if used on a corporate PC)... Either you use it very sparingly on HVT or you end up on the EDR radars and some IOC will be made public eventually.
Yes; this is the one case where there's a liquid market for these kinds of vulnerabilities. The important detail: for these (and only these) bugs, you can sell them multiple times; for instance, firms exist that specialize in selling these bugs and their enablement packages to, say, every law enforcement and intelligence agency in a single country.
> pretty sure it he could have gotten more tax free on the black market.
Not necessarily. On slide 72 of this presentation, it says sandbox escape or bypass for Chrome is worth up to $200000:
https://nocomplexity.com/wp-content/uploads/2024/06/bluehat2...
(I originally found this presentation on github[1], but github seems down right now[2].)
[1] https://github.com/mdowd79/presentations/blob/main/bluehat20...
[2] https://www.reddit.com/r/github/comments/1mnlgc5/is_github_d...
Mossad and its subsidiaries like NSO pay $1M
https://citizenlab.ca/2016/08/million-dollar-dissident-iphon...
NSO is one of dozens of firms that do this work; people are just fixated on NSO because it's the one broker/enablement firm they've actually heard of. The fact that you know who you are should make you less confident in their ability, not more.
What if people start asking questions where you got the million dollars from? I've never understood how those presumably illegal markets can function with such large sums involved.
They're not illegal.
You are a security researcher. Your mind is trained to find and mitigate vulnerabilities. Including the vulnerabilities in finance / tax reporting.
You'll think of something. If you can hack one system, you can hack another.
$250k fully legally and with recognition is probably a good incentive not to bother. White hats have their privileges.
Money laundering, give the money to a shell company and have them report it as income. Obviously not that simple but that's the basic explanation.
That is why money laundering exists.
not if millions of dollars is bitcoin
You still have to pay taxes on income from non-bug bounty vulnerability markets, be it to law enforcement, brokers, or criminals.
Not really tax free lol! In both cases you arent getting withholding so you need to declare it.
Some exploits are sold bag of cash under a table. See e.g. https://news.ycombinator.com/item?id=20651607
Your hookers and blow dealers won't report you to the taxman.
Sure, but your car dealer will.
Lol. HN the famously "confidently incorrect" forum especially on-coding topics is not my lawyer.
And yeah if you want normal stuff like a house or car you'd need to wash the money. How do I know? Breaking Bad. Which lets be honest is probably for most of us, our only reference point here.
4 replies →
If you got it tax free you would run the risk of being prosecuted for tax evasion, would that really be worth it?
> Now, with EDR widely deployed it's likely that the exploit usage ends up being caught sooner than later
lol
Why? If you actually exit the sandbox you'll start leaving traces, and eventually you'll slip and be looked at. That's part of the story EDR vendors sell at least.
You can't deny that you are way more likely to burn the exploit using it on a machine under watch than on a machine that is not...
Because most EDR is not designed to catch exploits.
This is true for all crime.