
Why do you "presume" that? Not all vulnerabilities are equally valuable, and the value for a vulnerability is not as straightforward as people here seem to think it is. Or at least, I don't think it is.



I use the word "presume" because I don't frequent black hat markets and I have no personal experience with current pricing. The general agreement I'm seeing in the comments (and anecdotes gathered elsewhere) is that exploits and vulnerabilities command a higher price when sold to black hats rather than responsibly disclosed through a bounty system. (Isn't this what the grandparent and article are implying?)

This makes sense economically to me. In order for it to be worthwhile for a vulnerability discoverer to sell the exploit, the reward should overcome the cost. In this case, the cost is the probability of getting caught multiplied by the severity of the punishment.



