
> Can you concoct a scenario in which a hypothetical saboteur manages to weaponize and capitalize on an exploit in Facebook Ads Manager, or some random Uber server with sensitive data, within a week? Sure, but it’s contrived. The risk/reward ratio just isn’t really there.

Sure, kill the credit cards, who gives a fuck.

Knowing where Uber users live, their usual time home on a Friday or Saturday night, whether or not they're throwing up with a chance of not remembering anything (I stole) would be fantastic. Oh, I could also sell this to anyone doing ANY data mining to easily enrich their data set.

This is 10 seconds' worth of thought; do you really think the Uber data set has so little value?

> This is 10 seconds' worth of thought; do you really think the Uber data set has so little value?

No. I’m saying that a vulnerability in Uber’s software has very little value.

More precisely, I’ve sold data (and analysis thereof) to the financial sector. I’ve even sold unique data on Uber and UberEats specifically (not gained through a security vulnerability). Data and vulnerabilities are distinct products with separate buyers. Companies interested in data like this are mostly interested in it being sourced, at worst, through scraping or mining. They’re usually skittish about outright vulnerabilities, and have a sense of how likely it is data was obtained in a legally defensible manner.

On the other hand, buyers of vulnerabilities are mostly not using them for interesting dataset acquisition. They weaponize the vulnerabilities themselves instead of buying any single output from a vulnerability, and they mostly use them for developing botnets or constructing online “holes” for identity and credit card harvesting on an ongoing basis.

The point of purchasing vulnerabilities is gaining a privileged position for ongoing compromise that replenishes for a reasonably long time. No one is saying these vulnerabilities are bad; I’m specifically telling you the vulnerabilities are not generally salable, because the parties interested in them have little to no overlap with the parties interested in data. Furthermore, those two markets have separate intentions, processes and risk/reward ratios.

A dataset and a vulnerability that can lead to a dataset are simply not comparable. I believe someone would probably be willing to purchase this particular data, but I do not believe you could weaponize this data on an open market with any regularity, and bug bounty programs would not take this into account when calibrating their payouts. Finding an organization willing to buy a legally sourced, unique dataset is comparatively easy. So is finding an organization willing to buy a vulnerability that can be weaponized towards a significant number of servers on the internet. But finding an organization willing to buy a vulnerability just for its data value, or an organization willing to use illegally sourced data, is hard. Not impossible, but rarer than either of the other two examples. There is not a regular market for it.
