
Ask HN: What is the best way to get paid for discovering zero day exploits? - seibelj
Let's say I discover a security exploit and want to profit from it. What do you consider the best way to make monetary gain from this discovery? I have found the Zero Day Initiative (http://www.zerodayinitiative.com/) but I was wondering if any other mechanisms were considered legitimate by HN.
======
milspec
It's tough selling these on your own:
[http://weis2007.econinfosec.org/papers/29.pdf](http://weis2007.econinfosec.org/papers/29.pdf)

The easy way, if you want to this sort of thing regularly, is to work for a
place that discovers zero day exploits. You'll get a salary/wage and benefits.
Here is a fun place to do that:
[http://advancedsecuritylabs.com/](http://advancedsecuritylabs.com/)

------
dsacco
This answer depends on your ethics and the nature of the security
vulnerability you've discovered. I'm going to leave out web application
vulnerabilities, because the vulnerability half-life, method of discovery and
supply/demand on those is entirely different. For those, check out bug
bounties. Let's go over your options:

_1. Responsible Disclosure:_

Do you have a privilege escalation, sandbox escape, remote code execution,
etc. vulnerability in a major browser (Internet Explorer, Chrome or Firefox),
a major operating system (Windows, OS X, Linux or Unix), a major mobile
operating system (iOS or Android), a major programming language (including but
not limited to Python, Ruby, PHP, etc.) or a major software
framework/library/platform (including but not limited to Django, OpenSSL,
Bash, Flash, etc.)? If not, is it somehow not on that list but impacts the
internet in a horrific way?

Good news, you can responsibly disclose directly to the Internet Bug Bounty
([https://internetbugbounty.org/](https://internetbugbounty.org/)) and claim a
five figure reward (or greater, theoretically). You can report to Google or
Microsoft if it's specific to one of them and they'll pay you directly. You
can also grab a neat CVE and enjoy extremely high employability and prestige
in the lucrative security industry.

If you have a vulnerability in the above list, this is basically the best game
theoretic way to go, in my opinion.

_2. Third-Party Disclosure:_

You can sell to a third party which promises to both reward you _and_ notify
the vendor, but you really don't know exactly what happens to the
vulnerability. This is kind of like the Zero Day Initiative, and others like
it. You'll probably fetch a price about comparable to legitimate disclosure,
but you'll probably be unable to publicly disclose that you found it as a
condition of payment, and you're not entirely in control of what happens.

This is more controversial. You won't be known for the finding, and even if
you somehow are, you won't be universally praised for it in the industry. A
lot of security researchers (myself included) fundamentally disagree with this
approach, but it probably won't be an obstacle to being hired. This is a good
route to go if you want to be paid for something that is legitimately serious
but which will not be honored through purely responsible disclosure (as a
term, not a moral judgment) because the vendor is hostile towards security
research.

_3. Outright Sale on the Black Market:_

This is pretty straightforward - find a broker such as Hacking Team and offer
to sell them a vulnerability you found. The upside here is that you will
receive a significantly higher payment than you would through legitimate
disclosure. For a vulnerability that allows code execution in iOS, for
example, you can expect about $500,000 from a broker. If you're looking for a
career as a blackhat, this is basically going to be the route you choose, and
it will be quite a lucrative one depending on your risk tolerance.

The downsides are powerful, however - if it becomes public that you sell
vulnerabilities on the blackmarket, that effectively labels you as a blackhat.
You will be a pariah in the security industry and your employability will drop
severely. The only way to stay employable at that point is to both publicly
decide to "turn sides" and to be so astonishingly skilled that people
basically have to tolerate your past activities. On the other hand, if it
never becomes public that you sell vulnerabilities on the black market, you
suffer from not being able to publicize quality security research that could
benefit your career.

I consider the best method of monetary gain to be finding several high value
vulnerabilities, responsibly disclosing them and becoming a solo security
consultant. This has more to do with ethics and risk tolerance than it does
with potential earnings - a legitimate security researcher will probably top
out at a half million or so per year (there are outliers). Conversely, someone
who is very good at breaking software and doesn't care about the morality of
the endeavor can top out at millions per year.

~~~
ryanlol
I'm quite curious as to where this $500k figure for an iOS hole is from.

Also, as someone who makes their living selling exploits I rather disagree on
your claim that selling vulnerabilities is something that would have you
labeled as a "pariah". I don't think I've ever seen that happen.

~~~
lawnchair_larry
Yeah, all of those numbers are out to lunch, and the "good vs evil" is
completely made up.

~~~
dsacco
The numbers are accurate. Browse through past payments to researchers
participating in the Internet Bug Bounty, Pwn2Own or Microsoft's mitigation
bypass bounty.

I don't have any good citation for the going rate for a high value
vulnerability on the black market, but if you look I'm sure you'll see it can
easily enter the mid six figure range.

As for "good vs evil" - I never used those words. Morality is a word I used
because it provides a useful context against which to judge legitimacy. You
can fairly say it is unethical to sell vulnerabilities for the explicit
purpose of exploitation. I don't particularly care to color it this way; I
disagree with such actions but I still respect my fellow colleagues who do it.

~~~
lawnchair_larry
I'm familiar with those bounties, and they're galaxies out of the ranges
you're quoting.

------
turtles
If you have something now and you want to immediately get rid of it, the best
place to go is somewhere like ZDI. Eventually you'll make contacts with
legitimate companies though. I've met contacts through conferences or people I
know. Most people I know won't buy from just anyone - since it's risky for them
also.

Source: I did this for many years. Works out to be an awesome bonus on your
current day job!

------
mzjs
[https://hackerone.com](https://hackerone.com)?

