No, they can't. Read the inverse of my bulleted list to see what makes money:
* Bugs that fit readily into operational frameworks (ie: it would be reasonable to have a UI with a button invoking that bug and/or any of the 15 other bugs like it)
* Bugs that can't be killed with a single patch cycle by a single entity
* Bugs that provide long-term access, or access that is unlikely to get your entire syndicate caught
Example of a potentially lucrative web bug: bug in Wordpress.
Example of a bug unlikely to be lucrative: "read any Facebook server file".
I know that sounds crazy and backwards, but I don't think it is.
* Bugs that fit readily into operational frameworks (ie: it would be reasonable to have a UI with a button invoking that bug and/or any of the 15 other bugs like it)
* Bugs that can't be killed with a single patch cycle by a single entity
* Bugs that provide long-term access, or access that is unlikely to get your entire syndicate caught
Example of a potentially lucrative web bug: bug in Wordpress.
Example of a bug unlikely to be lucrative: "read any Facebook server file".
I know that sounds crazy and backwards, but I don't think it is.