by shellcoder 2513 days ago
Reputation plays a big part in it on both sides. Most buyers are not Zerodium and putting themselves out there as buyers. So, there is a certain degree of vouching that happens as someone introduces a buyer to a seller.

So, when either party violates the agreement, it reflects poorly on that person who made the introduction, making it harder for them to make those connections in the future. And, these introductions matter, most sellers don't want to just sell to anyone, there needs to be some trust that who you're selling to will be selling it to friendly governments or whatever. It's not like a craigslist ad where you sell to just anyone who answers.

So that acts as a deterrent on the buyer side. It'll be harder to get new sellers if you have a poor, or no reputation.

On the seller side, you're not going to get too many people willing to vouch for you as you start burning bridges by selling non-working exploits.

And on that, the payment scheme acts as a deterrent, like the great-grandparent said:

> grey-market sales are valued on continuous access; you get paid over a period of time, and if the bug you sold dies, you stop getting paid.

That is, you might get XX Thousand upfront, and then an agreed upon XXX thousand based on the exploit surviving XX days.

So trying to scam the buyer will net you a small amount of the total at best, but I mean, often times they'll hold payment until it's confirmed and contracts are written and signed over these sales too, it's not under-the-table payments or anything for the most part. Legitimate business transactions.

So, I guess to sum it up, reputation and a demonstrated, or at least vouched-for, past record. There is a lot of trust on both sides.

2 comments

What's interesting to me about this --- and I've got no firsthand knowledge of the markets --- is that Apple doesn't have to outbid brokers; a broker could offer 50% more than Apple, but that comes with an X% uncertainty penalty. You can sell to Apple and pocket $1MM, or try to structure a deal for $1.5MM and gamble that the bug will survive. I'm betting that's often not a good deal; the lump sum payment is the better option.
I completely agree, it is an enticing offer from Apple for the reason you lay out.

Not all brokers are alike though, exploit survival is a gamble, but sensible end-buyers usually don't want to burn the exploits either so will use them sensibly. There are some brokers that don't sell exclusively (despite their claims), they have a reputation for exploits getting burned early.

I have not been involved with any iOS exploits, not really my area of interest, but let's say I was. Would I consider selling it off to Apple, yeah, it would be something to consider. I'd consider the market rates too of course, 1MM vs 1.5MM, sure Apple is enticing, 1MM vs 2MM, maybe not. Not sure where I would actually draw a line, but you are right that Apple doesn't need to compete directly with the market rate, just close enough.

I'm sure there are those that would rather just go for the bigger profits regardless.

Plus nothing to stop Apple from offering $2Mil if the bug is really bad....er good.
Exactly