
I'm genuinely curious about this. If you ask for black-market rate compensations for disclosing a vulnerability, how is that not extortion? "Pay me this sum or I / someone will use this against you." seems to be what you are suggesting.



I think you're looking at this from not quite the perspective I'm taking. I'm not saying that any individual is going to go "Pay me this or I will attack you. No that's not enough. I want $X". That is extortion of course.

I'm looking at it from the perspective of the market economics. Reward programs are about incentivizing people to do responsible disclosure. If the market (i.e. the black market here) pays significantly higher for an exploit, then a reasonable company will try to adjust their payout to match what the "market" has valued that exploit to be worth. This way someone who would otherwise have sold on the black market may be incentivized to do responsible disclosure instead (significant payout, maybe not as high, but 100% legal & no legal risk). It's all about shifting the incentives and structure before people even make any decision. I think it's silly that companies get dinged that responsible disclosure programs don't pay out at the same rate as the black market. There's a legal risk element they're not factoring into the math. But it should be roughly comparable (my uneducated gut check is within ~20%).

Think of it like drugs. Marijuana on the black market is cheaper. People still opt to buy legal marijuana even though it's slightly more expensive because it's safer, legal, & vendors are accountable to their customers & community. If the cost grows too large then the black market starts to grow again (e.g. cigarettes are a notorious example of this due to taxation as an attempted lever to kill it).


It's very different than selling drugs. This bug's only value is for someone to use it in order to defraud someone else, and that's clear to understand. They are both illegal, but the two actions are not morally equivalent to most people.


The black market does not outbid bounties for this kind of bug.


Good to know. Is there some resource you use to track this kind of stuff?


Nothing super authoritative; mostly from talking to people who've done it. But: there's Maor Shwartz's excellent Black Hat talk from last year:

https://i.blackhat.com/USA-19/Wednesday/us-19-Shwartz-Sellin...

And you can always look at things like the Zerodium Price List. I don't know that it's taken very seriously in its particulars, but the general structure of it mirrors what I've heard from other sources.

You'll notice on the Zerodium list that they will pay for server-side RCE in web apps --- but only a particular kind of web app: the kind that is deployed in lots of places. National IC agencies will, for instance, pay for phpBB RCE, because they have targets that use phpBB, and there are lots of phpBBs (when you hear people talking about how valuable a web bug is, ask yourself whether that person has mentioned the weird market for phpBB bugs --- something I've had firsthand [refused!] experience with). What you won't see are bugs in SaaS applications. Again, the reason is that a phpBB vulnerability has a half-life: everyone has to install the patch once it's burned.

I have no evidence for what I'm about to say here, so take it with a grain of salt:

I assume you can get paid for a vulnerability even as esoteric as this Slack ATO bug. But you'll get paid for people who are buying Slack accounts, not Slack bugs. That is: you'll have to be the one exploiting it, and you'll be making one-off deals to use it to get targeted accounts. People sell all kinds of accounts; it would not surprise me even a little to hear that there was a market for company Slack accounts.

But to participate in that market, you'd almost certainly have to directly enter a criminal conspiracy. You wouldn't be selling a bug to a market; you'd be participating.


There's definitely a bunch of cottage industry opportunities for crooks in this space, yes, if you are morally flexible and either can't be extradited to the victim's country or are confident of your OpSec.

For me the plausible deniability stops at something like the firm we hired (years ago, they were subsequently bought by CSID which was in turn purchased by another of my employers because it's a small world and apparently some people have unbounded appetite for risk) which steals credentials from people who steal credentials.

I can just about imagine sleeping after doing that all day. Because at least some of the time, indirectly, and after somebody gets paid, you're helping. It'd be like working in insurance sales. Your employer creams a profit off misery, but arguably the misery would be worse without them, maybe.

But any of these "Well I could get more money from bad guys" arguments miss in my opinion the most important constraint which is that most people don't want to work for the bad guys. Peanut farmer or crook is an easy question for most of us.



