> How
There are companies that specialize in getting grey market bugs in important software, i.e. browsers and OSes. They are repeat players and have a reputation to actually pay out.
OK. But how do I find them? And, again, how do I assess their reputation and likelihood of paying me?
How much of a premium are they paying to make it worthwhile?
If you need all that spelled out it's probably not a market for you.
You can find some by researching. AIUI most intros are via personal connections. I'd be wary of the potential ethical implications. There is more than money to life.
Which, basically, is their whole point.
Have an established track record of finding high quality bugs and network with people in that space and you'll eventually get introduced to the right people.
Just search for vulnerability or 0day acquisition platforms and do some research into the companies. All of them are kinda shady but there are some which only sell to Five Eyes if you want to be “moral”
You can also go through ZDI (owned by Trend Micro), but the payout will be lower. It’s in Trend Micro’s interest so they can get ahead in detections.
I can't answer your question, but one of the ways trust works is you share the vuln with an escrow person, which I think is someone on the forum with very high rep. They take the vuln from you, confirm it works, and ensure that you get paid from the end buyer.
And do those companies facilitate black market transactions that would be tax-free?
I would consider it a deferred tax. You pay iff you are caught by the tax man, with interest (and a potential bonus of a tax-free holiday in a state-sponsored facility). Better arrangements may be available if you are rich enough that you can get experts to arrange for your taxes to be legally deferred until after you die.
It’s another wrinkle GP didn’t get to. If you are paid, how do you launder the money? Presumably you’d get a shiesty lawyer to buy you a nail salon à la Breaking Bad.
I mean you just search on google... Zerodium, Crowdfense, Exodus Intelligence, etc.
Sure, I'd say the "sell it elsewhere" stuff is always a bit overly optimistic but due to the nature of this specific exploit I am pretty sure you could find a buyer offering good compensation.
Does Zerodium even exist anymore? The impression I have is that people seriously selling clientsides weren't going through any firm a typical message board thread would be talking about.
From what I understand, they generally require complete reliable exploits. I don't think they generally buy proofs of concept, or exploits that only work some percent of the time. This specific exploit worked 80% of the time, which I'm not sure is good enough for them.
Yes, maybe the exploit could likely be modified to be more reliable. That's more work though.