
This also seems backwards to me? If you can get RCE or privilege escalation on a server, isn't that much worse? Or is it the difference in purpose between targets/adversaries? E.g., with a server-side vulnerability maybe you get to dump a company's records, but something like a no-click jailbreak + a high-value individual => all their personal information?

Or else, why do buyers want clients?

It should now be starting to click that the extant markets for vulnerabilities don't value "severity" (or any other abstract scale message board nerds want to apply to vulnerabilities), but merely utility.

The hypothesis I like to come back to --- I'm pretty sure it's true --- is that vulnerabilities have value on the black market only if they fit into an existing business model, such that they can be dropped in and immediately be used to make money. People have to already be using some other vulnerability to do the exact same thing, and reliably making money with it.

People on HN like to tell stories about how a master criminal could make money with everything from Facebook CSRFs to serverside RCEs. But none of those kinds of exploits support current ongoing business concerns; they're all one-of-a-kind. Nobody buys a vulnerability speculatively to see if they might make a go of it --- they especially don't do that for a vulnerability that could be extinguished universally in moments by Google or Facebook's security team.


Aren't we seeing lots of instances of the server-side model playing out? E.g., Company XYZ announces they've been breached and leaked XXX million users' data?

I could see an argument here towards the market price of the information -- breaching a company in the above scenario might get you zilch. Breaking an iOS device of an individual of interest gets you a lot of value.

Circling back though -- you're saying that this model isn't one in use. Do you agree with my real-life counterpoint? If so, why wouldn't there be a market? Or, is the market there and the low payouts from the likes of Zerodium reflect the actual low value of the product (and by extension, business model)?


There isn't a "low" payout on Zerodium for these bugs; there is no payout for them. Zerodium explicitly will not buy bugs in individual websites. Every vulnerability Zerodium will buy has a half-life.
