
Ask HN: Malwaremonger’s moral bind - throwaway2600Hz
I have found a zero-day cross-platform exploit that is nasty (as in make-the-nightly-news nasty).  Mitnick doesn’t want it.  Zerodium doesn’t want it.  Apple and Microsoft don’t even want to hear about it without my agreeing to give them exclusive rights to it (even to the exclusion of each other), before they even look at it.

What’s the right and moral thing to do next?  Apple and Microsoft are making friendly (if half-hearted and half-assed) overtures to researchers with one hand while behind them are corporate lawyers preemptively giving all researchers the finger.  These lawyers strike me as the very same bullies who took your lunch money in school, and ready to do it again.

Is there any path forward that involves the right people taking the exploit seriously and perhaps a reasonable bounty for my trouble?  Or am I doomed to bury it, sell it on some darknet market to “tha NSA” or dump a guide on github?
======
ggggtez
Bug bounties work by: You tell them what the bug is, they pay you money if
it's real and dangerous. It's not a way for you to blackmail companies by
threatening to give it to the dark web. That's a surefire way to get lawyers
involved.

The way you are asking mommy/daddy/uncle/aunty for who will pay more for your
bug indicates you are not a trustworthy person and are not interested in doing
the right thing. These companies will naturally not want to do business with
you because you are not acting professionally.

~~~
throwaway2600Hz
Apple does not have a bug bounty program when it comes to macOS.

Bug bounty programs run by Apple (for their other platforms) and Microsoft
require you to agree to their draconian terms and conditions before you can
even submit the bug.

As to the rest of those pithy comments, I'll try not to take them too much to
heart.

------
mtmail
I read "right and moral" but I have the feeling you're more disappointed that
you can't profit from the exploit as you've hoped.

~~~
ggggtez
That isn't quite fair to the OP. Wanting to make money for your efforts is not
mutually exclusive to doing the right thing.

That said, if you really want to do the right thing, you'd submit it to the
companies running the bug bounties. They aren't going to pay you first just to
hear what it is. That'd be blackmail. Either you trust the big companies to be
fair and pay you, or you don't, but you should choose which.

------
ericb
It sounds like the payout is higher if you auction it on the darknet, so
you're doing mental gymnastics to invent justifications to satisfy the voice
in your head that knows that isn't the right thing to do.

------
kleer001
No corporation is a monolithic entity. You may just not be talking to the real
right people.

~~~
throwaway2600Hz
This was my thought as well. My hope is one will see and respond to this post.

------
rwallace
I'm not clear about what the problem is. I was under the impression several
large IT companies have bug bounty programs; is this not the case?

~~~
throwaway2600Hz
Apple does not have a bug bounty program when it comes to macOS.

Bug bounty programs run by Apple (for their other platforms) and Microsoft
require you to agree to their draconian terms and conditions before you can
even submit the bug.

~~~
rwallace
So if this is a macOS bug, you forget about it and get on with your life. If
it's something else for which a bounty would be payable - what are the terms
and conditions, exclusivity? - then you go ahead and agree to that and
hopefully get paid. Is there something else?

------
auganov
You're not telling us why you got turned down. Do they not share your
assessment of how severe the vulnerability is?

~~~
throwaway2600Hz
You're assuming they told me. I would gather not, or perhaps, they did not
consider it to be a salable asset, or not one they couldn't develop
themselves.