I have not and I haven't been looking for one either.
I'm not quite sure what you're getting at here. If you're trying to point out that I haven't done my homework on this and that I don't have a sufficiently specific/workable plan how to approach it - that is accurate. I don't have exploits to sell.
In my previous comment I already stated the assumption that I made, if you feel it's incorrect, which clearly you do, feel free to correct/fill in whatever you think is missing. I'm not getting into a debate about something with which I don't have in-depth experience with someone who does.
Sorry, I'm interested in anyone's response to this, since the HN community reaction to any price paid in a bug bounty by a big company always seems to be "people can make more money on the black market". Rather than recapitulating all the previous debates about why that's not true, I'm interested in seeing someone --- doesn't have to be you --- work their way to an educated guess at a black market price for a bug like this one.
I think a lot of HN'ers believe that there's a market for high-severity bugs of any ilk, when, in reality, there's really only a liquid market for a pretty specific subset of those bugs.
I understand. I did in fact believe that this applies to any highest reward RCE vulnerability, thanks for pointing out that this may not be the case.
As for the black market price - I don't consider my security background sufficient for my guess to be anywhere near educated enough, so I'm bowing out.
Hah. As soon as I saw your initial setup I knew it was Wargames. The only winning move is not to play. I think you are right. When you add in all of the conditions required to sell a bug like this it becomes obvious (to me) that Google is offering more than you can get anywhere else without a lot of effort and or risk on the sellers part.
And not to spoil the game, but the subset of vulns that fetch good money has only narrowed in the last years as exploit mitigation has improved. The true unicorn 0days of yesteryear are almost always multiple hard earned bugs these days. Bugs in one vendor's project, even Google, it is cool they have such a high end reward, let alone 36k. Unless you crossed a line and exfiltrated data (high risk), I can't imagine getting this much money anywhere else.
Amusingly, 36k does look very similar to ~3wks of boutique infosec consulting, though, so for Google the price while generous probably makes sense.
Why to vendors pay bug bounties, if not to defend against financially motivated attackers? To defend against "digital vandals" who would damage systems but not profit from them? To defend against widespread grassroots attacks if an attack is published publicly?
I think there's a trust problem with that. How do you arrange the transaction? If I offer to sell you a zero-day for X BTC or something, how do you know that my zero-day is real and exploitable, and that I will actually give it to you and nobody else? How do I know you will actually send me the BTC? How do I demo it in a way that at least proves that it works without giving away enough info to recreate it?
I guess Zerodium has enough reputation that you can be reasonably sure they'll fork over the cash after you show them your bug. Building that kind of reputation on the darknet with cryptocurrency isn't going to be easy. If there was anyone like that out there, we'd already know about them.
