by outime 2115 days ago
I haven't said anything about black markets but:

>You would sell something like this, so someone can be spied upon or maybe literally chopped to pieces? Jesus, not everything is about money

Not me, not you, but many people make it all about money. I don't think it's ridiculous to think that people can have absolutely zero ethics.

2 comments

Sure, absolutely they exist. But in my opinion they are the absolute minority. I've been in security for long enough to know that most people are good, otherwise we'd have major problems every day.

99% of people saying something about black markets or govt agencies have never really faced this decision or thought about it for more than 5 minutes. So it was a question - have you REALLY thought about it?

I'd hypothesize that people are more willing to entertain the profiteering fantasy when they aren't realistically facing the consequences. Also, that people are more willing to be jerks under the cloak of anonymity. As you note, perhaps only 1% of people with the drive to find these sploits are going to do something bad with them. That means the extra volume, folks who wish they had such a product to sell on the black market, are just jealous wannabes. You can ignore them.

I haven't done any security research for a decade, but it was my hobby long ago. While it's not true in every case, sometimes finding a worthy bug and then successfully exploiting it can literally take weeks of work. Like 14 hours a day of work with breaks for sleep in an attempt to solve some puzzle. Usually without any payoff.

This is a profession where your actual skills mean very little until you do something exceptional to have a portfolio or become famous some other way. It's very easy to talk about ethics for people who live in western countries and have easy access to well-paid jobs, but a lot of people didn't have such options.

I don't try to justify actual criminals here, but don't be surprised when people sell 0-days to some Israeli companies or NSA-contractors.

I don't live in a 'western country' nor do I make anything near a Silicon Valley salary.

Then I can just state huge respect for your moral standards and hope you are getting paid well enough to continue doing what you do.

There still are a lot of people who are not gonna be okay with said situation for long. Anyone can get more cynical and cruel / indifferent with age due to bad experiences: not getting paid well for reported issues, being cheated or getting into legal trouble for "doing the right thing". Some of us really love security research and want to make it their profession, but it's really easy to end up either without a stable income or in some kind of trouble.

So I think it's important to raise awareness about it in the developer community, since many people don't understand how much effort goes into being a white hat. It's just like the story with OpenSSL before Heartbleed: half of the world used the software, but there wasn't even enough funding to properly pay even a single developer.