by tptacek 2112 days ago
What was the half-life on that vulnerability? From the moment Lastpass wrote whatever the fix was to the point at which attackers can no longer exploit it afresh, how much time elapses? If it's a serverside fix, so that the number is something like "a day or so while it's deployed", that's your answer about why nobody is outbidding Lastpass for this bug.

I rather thought it was honesty that kept it from being bid on by bad guys. Even if they wouldn't bid more, it's a big risk to pay so low.

It's kind of a treasure trove to be able to read all passwords from a user of LastPass simply by showing them a website.

It made me think that the next zero-day on LastPass would probably be sold to someone else.

Who would buy it? That's the question I'm asking.
Scammers, fraudsters, governments.
Tell a story about the "scammer" or "fraudster" that buys this. What do they do with it? What do they win, how many times do they win it, and with what likelihood of success? How much work goes into realizing value from the vulnerability before they get their first dollar, or whatever it is they're getting? Is that work already done, or do they have to do it speculatively on this one vulnerability?

Reason your way through it all the way, and you'll see why real vulnerabilities sold on darker markets are paid in tranches, and why nobody pays real money for one-off serversides.