
I suspect most whitehat researchers would be happier to report this vulnerability and make a nice legal reward than delve into a black hat market for selling a vulnerability. Seems pretty win-win in this case.



Unless your name is Kevin Mitnick. Then you set up a business and play middleman in selling them to anybody who wants to pony up for it.

"When we have a client that wants a zero-day vulnerability for whatever reason, we don't ask, and in fact they wouldn't tell us," Mitnick tells WIRED in an interview. "Researchers find them, they sell them to us for X, we sell them to clients for Y and make the margin in between."

http://www.wired.com/2014/09/kevin-mitnick-selling-zero-day-...


How is this legal?


Because he's selling to governments, who operate under the "it's not illegal when we do it" principle.


What if it's the Chinese government that's buying, would it suddenly turn illegal?


Why wouldn't it be? Someone looks at a program that they bought and paid for, and sees that it has a mistake. They didn't write the software or put the mistake there. How can it be a crime for them to become aware of behavior in someone else's program?

Attacking others who use the software is an entirely different story of course.


By reporting the problem to the owner you should assume that it might get fixed before you manage to sell it to other interested parties.



