Imagine the knowledge of a 0day (and how to fix it) as being the cure for a disease. Picture what withholding it would look like. In this year, if ever, people should realize how crazy dangerous and irresponsible this kind of behavior would seem if it happened to not be done with software.

So here's an idea: improve security by stopping the hoarding of 0days.

Built a company that buys 0days and doesn't immediately turn around to get them fixed? Too bad, this is a business model that leeches off everyone's insecurity and is now deemed unethical like so many other seemingly-genius business plans. If you're that good, go find a different thing to do with your time.

Note that this applies to states too: in my book they're welcome to buy/incentivize 0day info, but only to then get stuff fixed ASAP. Any state that keeps a 0day "just in case" is failing to protect (among others) its own citizens.

This won't really work. Many governments and intelligence agencies will pay an extreme premium for 0days and basically hoard them for future use. How do you stop the CIA or NSA from buying 0days? How do you prevent foreign governments or actors from buying them?

The ability to inflict massive damage to a nation's infrastructure is now part of modern weaponry. It's akin to asking militaries to stop buying weapons. We have basically split the atom here, we aren't going back.

If you don't want people hacking into your systems you need to go full Galactica, disabling networks and having stopgap measures on every critical device.

There's a great book that talks about this ecosystem (of buying bugs, vulnerabilities, and other 0days), among other cyber security related things:

This Is How They Tell Me the World Ends: The Cyberweapons Arms Race

Are there any companies hoarding 0days? I know the CIA does, but asking for ethical behavior from them seems like such a long shot that it would make sense to decouple it from more achievable goals.

Zerodium is probably the most well known, but many Israeli cyber security firms will also buy them, and Hacking Team out of Italy would. There are plenty of buyers, but their customers are governments, so you don't really hear of them.

Wow, I had never heard of them. What a sick business model. I guess in a world of 7 billion people, there's going to be someone willing to fill any niche.

I will only agree with you after exploits are declared to be munitions.