Hacker News

> Who is paying drastically more for website flaws?

Black hat markets, presumably. At least that is the point being made by commenters here. Granted, selling the vulnerability is illegal and immoral, but that doesn't stop it from happening. The 'market rate' for vulnerabilities seems to be higher than what Facebook and Google are paying out.

Why do you "presume" that? Not all vulnerabilities are equally valuable, and the value for a vulnerability is not as straightforward as people here seem to think it is. Or at least, I don't think it is.

I use the word "presume" because I don't frequent black hat markets and I have no personal experience with current pricing. The general agreement I'm seeing in the comments (and anecdotes gathered elsewhere) is that exploits and vulnerabilities command a higher price when sold to black hats rather than responsibly disclosed through a bounty system. (Isn't this what the grandparent and article are implying?)

This makes sense economically to me. In order for it to be worthwhile for a vulnerability discoverer to sell the exploit, the reward should overcome the cost. In this case, the cost is the probability of getting caught multiplied by the severity of the punishment.

> Granted, selling the vulnerability is illegal

Really? That's exactly what you're doing with Facebook - selling a vulnerability to them, which they then pay you for. So, disclosing to some third party ought also to be fine. The morality or otherwise is up to you though, I guess...

EDIT - I just read @tptacek's reply below. I guess that selling to known criminals, with the knowledge they would use the exploit to commit a crime, _is_ going to be illegal most places.
