He had a pretty reliable exploit on the most used browser; pretty sure he could have gotten more, tax free, on the black market.

Now, with EDR widely deployed it's likely that the exploit usage ends up being caught sooner rather than later, but pretty sure some dictatorship's intelligence agency would have found the deep compromise of all those journalists worthwhile...

> pretty sure he could have gotten more, tax free, on the black market.

How?

I've been paid by bug bounties (although not that big) and I have no idea how I would find a trustworthy criminal to sell to.

I guess I'd need to find a forum? Unless my opsec is exemplary then I'm risking being exposed. I'd need to vet that the buyer would actually pay me and not just steal it from me. Even if they do pay me, I'd be worried that they'd blackmail me or try to extract something from me. But assuming they're good black-marketeers, I still have to explain to the authorities where this large amount of cash came from.

So how do I go about selling to the black market in a safe way?

Oh, and I don't get to write a blog post about the bug or get my name in front of other researchers and recruiters. That can be worth a huge amount - both in cash and reputation.

Mostly the best market is intelligence agency vendors. As a US citizen, I would only be comfortable selling to US contractors. There are a bunch; if you go to conferences you probably meet the people there (look at the sponsors...).

It won't be tax-free, though; you'd probably get a 1099, but if you're smart you could set it up corp-to-corp and deduct a bunch of other expenses from it. Part of the sale is signing a bunch of NDAs, etc., so you can't then release it to others.

How does https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act play into that?

The CFAA makes it illegal to exceed authorized access to any 'protected computer' (in practice, basically any computer).

The exploit developer avoids violating the CFAA by developing the exploit on their own computer... because you are authorized to access your own computer.

The government doesn't violate the CFAA when using exploits because government agencies are exempt under 18 USC § 1030(f).

Off the cuff, I'd guess that any official documentation would be around the sale of "research" and not "an exploit". Depending how classy the buyer was about it, there might or might not be an offline wink and nudge.

Selling exploits doesn't inherently violate the CFAA.

Not a lawyer, but I do pay a lot of attention to this area for professional reasons. Answer: it doesn't, unless you (1) found the vulnerability through methods that themselves violate the CFAA (for instance, by breaking into a remote computer), or (2) sold information about the vulnerability knowing that it would be used for a particular set of crimes, in which case you can get accomplice liability for those crimes.

The CFAA doesn't have anything to say about vulnerability research itself. You'd be just as liable as an accomplice if you knowingly and deliberately provided free wi-fi to a hacker.

>Mostly the best market is intelligence agency vendors.

That makes me wonder - maybe the original bug was really a backdoor created as a result of a deal with an intelligence agency/vendor. So, can it be that Google gets money (or more generally some kind of brownie points; also an interesting aspect - given that the agencies may exploit individual engineers, it would seem preferable for the company to play ball and have it organized under the company's control) for a backdoor, and once the backdoor is found, pays the bug bounty? The bug bounty is thus a kind of backdoor quality control program :)

> How?

There are companies that specialize in getting grey market bugs in important software, i.e. browsers and OSes. They are repeat players and have a reputation to actually pay out.

OK. But how do I find them? And, again, how do I assess their reputation and likelihood of paying me?

How much of a premium are they paying to make it worthwhile?

If you need all that spelled out it's probably not a market for you.

You can find some by researching. AIUI most intros are via personal connections. I'd be wary of the potential ethical implications. There is more than money to life.

Which, basically, is their whole point.

Have an established track record of finding high quality bugs and network with people in that space and you'll eventually get introduced to the right people.

Just search for vulnerability or 0day acquisition platforms and do some research into the companies. All of them are kinda shady, but there are some which only sell to Five Eyes if you want to be "moral".

You can also go through ZDI (owned by Trend Micro), but the payout will be lower. It’s in Trend Micro’s interest so they can get ahead in detections.

I can't answer your question, but one of the ways trust works is you share the vuln with an escrow person, which I think is someone on the forum with very high rep. They take the vuln from you, confirm it works, and ensure that you get paid from the end buyer.

And do those companies facilitate black market transactions that would be tax-free?

I would consider it a deferred tax. You pay iff you are caught by the tax man, with interest (and a potential bonus of a tax free holiday in a state sponsored facility). Better arrangements may be available if you are rich enough that you can get experts to arrange for your taxes to be legally deferred, effectively, until after you die.

It's another wrinkle GP didn't get to. If you are paid, how do you launder the money? Presumably you'd get a shiesty lawyer to buy you a nail salon à la Breaking Bad.


I mean, you just search on Google... Zerodium, Crowdfense, Exodus Intelligence, etc.

Sure, I'd say the "sell it elsewhere" stuff is always a bit overly optimistic but due to the nature of this specific exploit I am pretty sure you could find a buyer offering good compensation.

Does Zerodium even exist anymore? The impression I have is that people seriously selling clientsides weren't going through any firm a typical message board thread would be talking about.

From what I understand, they generally require complete reliable exploits. I don't think they generally buy proofs of concept, or exploits that only work some percent of the time. This specific exploit worked 80% of the time, which I'm not sure is good enough for them.

Yes, maybe the exploit could likely be modified to be more reliable. That's more work though.

The black market is "if you have to ask then you are already not qualified",

unless you are an agent posing questions to get people to sink themselves.

You'll probably end up with 40 subscriptions to Vibe magazine.

That's what trusted middlemen are for; instead of gaining rep among infosec posers on Twitter you build rep under your anonymous alias. This is nothing new.

Or just sell it to the Israelis.

Bahah, best description of the anime avatar people


> a trustworthy criminal

Not going to happen.

You know most criminal enterprises are based pretty much solely on trust, right? Like, that is how a lot of crime gets done.

'There is no honor amongst thieves' is a proverb for a reason. Case in point, my nephew, who got shot at point blank range (from behind, no less) by his 'best friend'. Criminals trust each other just long enough until there is a way to get ahead at the expense of the other.

Between 'calculative trust' and 'personality based trust' there are many poles (and other varieties of trust besides); on the whole you're much better off trusting a non-criminal than a criminal.

Selling something to the black market doesn't magically make it tax free. It's almost the opposite. The money is going to show up in your auditable accounts sooner or later, so it's best to pay tax on it, but you'll also have to come up with a fake but auditable story of where it came from, meaning you'll have to engage the services of professional money launderers. They will also take a cut. So, it's like paying tax twice.

Getting paid in cryptocurrency isn't necessarily a dodge either because even if you claim you mined it or something, the authorities have got wise to this a while ago IIUC and will expect to see evidence to back that claim up too.

Up to here you weren't committing any crimes.

> but you'll also have to come up with a fake but auditable story of where it came from

And now you did.

Sorry, do you mean the comment was describing hypothetical crimes, or literally the comment itself was criminal?

Lying to government officials is a crime. Including saying you mined the crypto instead of getting paid for selling a vuln.

Dubious; seems like if you know you're selling exploits to criminals you could be done on a conspiracy charge.

The money itself might not be dirty; couldn't you just claim something like "I sold a secret, highly valuable algorithm to this guy"? Tax would still need to be paid, of course.

Immediate follow-up questions from the tax man, and then shortly afterwards the police: "Who is this guy? Where is the invoice? What is his phone number?"

No, it doesn't typically work that way at all. The tax man just wants to get paid.

I grew up in an area known for people growing cannabis before it was legal. An enormous amount of taxes got dodged through cash land deals, but tons of people just claimed the income under various categories and no one ever came knocking because of that.

It's usually the other way around. If you caught the Feds' eye, then they might try to get you on tax evasion or something. Although, frankly, even that was very rare. There are just a lot of very obvious fish to fry.

“I didn’t see these specific people get caught much in this specific situation therefore in general it works this way” - do you see how silly this sounds?

Are you talking about the IRS at the Federal level or someone else in the US?

For the people downvoting, that's unironically a thing:

https://www.irs.gov/publications/p525#en_US_2024_publink1000...

> Illegal activities.

> Income from illegal activities, such as money from dealing illegal drugs, must be included in your income on Schedule 1 (Form 1040), line 8z, or on Schedule C (Form 1040) if from your self-employment activity.

You underestimate the tax auditors.

And when they ask you who "this guy" is?

If you get paid in crypto, leave it in crypto, and just trade crypto for goods or services, Uncle Sam is none the wiser.

Terrible advice.

Selling an exploit is not illegal so why bother with money laundering?

Because the people buying it don't get their money from legal sources, nor engage in legal business activities.

They also have every incentive to make sure you're guilty enough to not go blab to the authorities later, or sell it to someone else.

And since you're trying to be anonymous in this, you aren't going to be getting a regular tax receipt either.

If you did not commit a crime to receive the money, there is no reason for money laundering (at least in the US). The IRS does not care as long as you claim it. You don't need a fancy story or anything, just claim the income.

Everybody here is coldly evaluating the financial profit comparison. How about being a decent human being, and not enabling hundreds of criminals to hurt millions of people because your net income is potentially better?

People are fixated, across this thread, on a black market of organized criminals buying vulnerabilities, but for the most part criminals aren't the real alternative market buyers for high-end vulnerabilities, and while people on message boards may incline towards viewing IC and LEO agencies as themselves criminal, I think you'll find a pretty substantial fraction of normal people find supplying IC/LEO agencies as more than just decent; praiseworthy, even.

That thorny ethical issue aside, I'm fond of pointing out that the IC's main alternative to CNE intelligence collection is human intelligence, and the cost of HUMINT simply in employee benefits dwarfs any near-term possible cost of exploit enablement packages; 7 figures is a pittance (remember: most major western governments are essentially benefits management organizations with standing armies).

Even given the seemingly vast sums earned by organized crime, government buyers are positioned to decisively outbid crime over the medium term. It's really early days for these markets.

Not commenting about the ic/leo part specifically, but there is a pretty abundant body of work on what "normal" people are willing to do, as long as they find a way to rationalize it away. The banality of evil is well documented.

In that light, what others would do is rarely a reliable indicator that you shouldn’t think twice about your actions, lest you regret later, once the thinking has happened.

I have no idea what any of this has to do with anything I just wrote, I'm sorry.

I was commenting on your point that a pretty substantial fraction of normal people find some actions decent, and even praiseworthy.

My point is that this fact shouldn’t belong in a discussion about ethics, given how often widely held moral positions have come to be a source of regret.

People are evaluating this from a cold perspective to see if the system is working as designed or not.

Hopefully decency reduces the necessary price a little.

> pretty sure it he could have gotten more tax free on the black market.

Not necessarily. On slide 72 of this presentation, it says sandbox escape or bypass for Chrome is worth up to $200000:

https://nocomplexity.com/wp-content/uploads/2024/06/bluehat2...

(I originally found this presentation on github[1], but github seems down right now[2].)

[1] https://github.com/mdowd79/presentations/blob/main/bluehat20...

[2] https://www.reddit.com/r/github/comments/1mnlgc5/is_github_d...

Mossad and its subsidiaries like NSO pay $1M

https://citizenlab.ca/2016/08/million-dollar-dissident-iphon...

NSO is one of dozens of firms that do this work; people are just fixated on NSO because it's the one broker/enablement firm they've actually heard of. The fact that you know who they are should make you less confident in their ability, not more.

Yes; this is the one case where there's a liquid market for these kinds of vulnerabilities. The important detail: for these (and only these) bugs, you can sell them multiple times; for instance, firms exist that specialize in selling these bugs and their enablement packages to, say, every law enforcement and intelligence agency in a single country.

Why not collect from both of the sources? First collect with your black hat and then with your white.

First, it's not "black market" vs. "non-black market"; most remunerative sales outside of bounty programs are grey-market --- mostly lawful, but all under the table, largely because they're to agencies that are protective of their sources and methods.

The mechanism grey-market buyers have to protect their interests against over-selling bugs is tranched payments. Sellers make much of their returns from bugs on the back end through "maintenance agreements", which both require the seller to keep e.g. the offsets in their exploits current and reliable against new patch levels of the target, and also serve to cut off payment once the vendor kills the bug.

If you sell to both sides, you quickly kill the back end business from the grey market buyers. If you sell to too many or too sketchy grey market buyers, the bug leaks --- vendors see it exploited "in the wild", capture samples, kill the bug; same outcome: tranched payments stop.

This is one reason it can make sense to take a bounty payment that is substantially smaller than what a bug might be worth on the market: you get certainty of payment. Another reason is that the bounty program will only want POC code (perhaps proof of reliability in addition to just exploitability), while the market will want a complete enablement package, which is a lot of work.

Black hats will not pay you for an exploit that dies quickly once the white hats get your report. White hats will not pay you for an exploit that you fenced to a black hat agency and showed up in the wild.

> White hats will not pay you for an exploit that you fenced to a black hat agency and showed up in the wild.

...come to think of it, how does that work? Aren't the most important exploits to patch the ones being actively used in the wild?

In other words, how do they avoid someone playing both sides? "I found an exploit being used by the LEETH4X0R malware [which was in fact created by the guy I sold this exploit to] to steal people's gmail cookies."

You'd have to find out about LEETH4X0R before other researchers, but of course, you'd have a head start.

You won't get paid for an in-the-wild exploit.

"If I report the body, no-one will suspect I'm the murderer"

Yes they will.

Which is why people are hesitant to report a body they have not killed, just found!

Can usually report anonymously so this shouldn't be an issue. If there's no mechanism for that then yeah I'd consider keeping my mouth shut if it doesn't involve me directly (like the body is in my home somehow).

Except if you're not the murderer, then there'll be little evidence pointing to you.

If you are the murderer, there will be.

It is not so black and white.

Because you'll get found out and never be employed as a security researcher again.

Perhaps, but won't some of those blackhats pay $1 million or more? Depending where you live, that's retirement money.

Honestly I’d be more worried about crossing the blackhats.

Typically can't do that.

Security services tend to anonymously report security flaws they use after use against any high value target, since they don't want the opponent using those same flaws back at them.

The private sector has the incentive of keeping an exploit open for as long as possible. There have been several cases with iPhone exploits that were apparently open (and sold) for years.

An exploit that is used is an exploit that will eventually leave traces that an analyst will look at (if used on a corporate PC)... Either you use it very sparingly on HVTs or you end up on the EDR radars and some IOC will be made public eventually.

What if people start asking questions about where you got the million dollars from? I've never understood how those presumably illegal markets can function with such large sums involved.

They're not illegal.

You are a security researcher. Your mind is trained to find and mitigate vulnerabilities. Including the vulnerabilities in finance / tax reporting.

You'll think of something. If you can hack one system, you can hack another.

$250k fully legally and with recognition is probably a good incentive not to bother. White hats have their privileges.

Money laundering: give the money to a shell company and have them report it as income. Obviously not that simple, but that's the basic explanation.

That is why money laundering exists.

Not if the millions of dollars are in bitcoin.

You still have to pay taxes on income from non-bug bounty vulnerability markets, be it to law enforcement, brokers, or criminals.

Not really tax free lol! In both cases you aren't getting withholding, so you need to declare it.

Some exploits are sold for a bag of cash under the table. See e.g. https://news.ycombinator.com/item?id=20651607

Your hookers and blow dealers won't report you to the taxman.

Sure, but your car dealer will.

Lol. HN, the famously "confidently incorrect" forum, especially on non-coding topics, is not my lawyer.

And yeah, if you want normal stuff like a house or car you'd need to wash the money. How do I know? Breaking Bad. Which, let's be honest, is probably our only reference point here for most of us.

The reason you do money laundering is because the source of the funds is illegal. If the source of the funds is legal, just claim it. There are plenty of occupations that get paid in cash and are expected to report it.

The IRS isn't referring suspicious (whatever that means) tax returns to the authorities. What happens if you are a criminal is that the authorities have their attention on you because you are doing illegal things. One angle of attack for them is your finances. That is why money laundering exists.

Maybe the reason is the other way around. To convincingly wash money you need a legitimate-looking shell business. And it needs to pay tax for the same reason any other business does.

Just use your ill-gotten gains slowly for your regular living expenses, or a portion of them. Let your legit money stack up. Don't cross-contaminate the two. EZPZ, very unlikely to get caught.

Hey now, for me it was late primary or early secondary school and the book "45+47 Stella St and everything that happened"[1].

[1] https://www.elizabethhoney.com/45--47-stella-street.html

If you got it tax free you would run the risk of being prosecuted for tax evasion, would that really be worth it?

> Now, with EDR widely deployed it's likely that the exploit usage ends up being caught sooner rather than later

lol

Why? If you actually exit the sandbox you'll start leaving traces, and eventually you'll slip and be looked at. That's part of the story EDR vendors sell, at least.

You can't deny that you are way more likely to burn the exploit using it on a machine under watch than on a machine that is not...

Because most EDR is not designed to catch exploits.

This is true for all crime.