by dopamean
3627 days ago
I don't know much about it tbh. tptacek and a few others have spoken extensively about bug bounties on HN. I'll try and dig up a few of their past comments. Essentially what the argument comes down to is that a one-off bug to exploit a company like Facebook is actually not worth very much to anyone on the black market, because the bug is likely only valid for one company and that company will likely patch the bug very quickly. This leaves the attacker with a very narrow window to exploit the bug. Attackers on the black market paying for exploits are looking to make money from those exploits. If there is only one place they can use the exploit, and perhaps only a few days or even hours to use it, how much would it really be worth? The exploits that pay big on the black market are ones that are enormously widespread and less likely to be fixed quickly. If I can find better, more detailed explanations I'll post them here. Maybe tptacek can link to his past comments...
You'd need to be very well connected to be able to get good value out of an exploit. There could very well be people that are. Hackers in leather dusters travelling the world exchanging thumb drives in shady third world bars sounds cool as hell; in fact I hope there are people living that life just because it makes reality that little bit more interesting. But your average pen tester isn't that.
Whenever I see the "better value on the black market" crowd show up here I'm actually reminded of a bit (Jim Jefferies, I think) about the black market not meaning you can just head down to the docks at night going "GUNS. I WANT TO BUY A GUN".