by paulmd 1712 days ago
That is, unfortunately, not at all how the bug-bounty market works. Apple (or any other tech company) can't outbid three-letter agencies, certainly not on a regular basis. Open market value is at least 10x higher than companies will pay directly.

Apple will pay a million bucks? Fine, NSA TAO will pay $10m. Apple can't pay $10m or $100m a bug on a regular basis; for the customers to whom this matters, the check is basically blank, as much as it takes.


How does one contact the NSA TAO and offer to sell a zero-day?
> We pay big bounties

https://zerodium.com/

>One person who will share those sales numbers is a South African hacker who goes by the name “the Grugq” and lives in Bangkok. For just over a year the Grugq has been supplementing his salary as a security researcher by acting as a broker for high-end exploits, connecting his hacker friends with buyers among his government contacts. He says he takes a 15% commission on sales and is on track to earn more than $1 million from the deals this year. “I refuse to deal with anything below mid-five-figures these days,” he says. In December of last year alone he earned $250,000 from his government buyers. “The end-of-year budget burnout was awesome.”

https://www.forbes.com/sites/andygreenberg/2012/03/21/meet-t...

For those who figure this is a great way to monetize their security skills and actually have the chops to do it:

It should probably be pointed out that once you do this, you’re in the weapons industry. Your work will likely be used, directly or indirectly, to put a bomb through someone’s roof or put them in prison for a very long time. Make sure you’re okay with the ethics of it.

Getting rid of people who want democracy
> It should probably be pointed out that once you do this, you’re in the weapons industry. Your work will likely be used, directly or indirectly, to put a bomb through someone’s roof or put them in prison for a very long time. Make sure you’re okay with the ethics of it.

By this logic, Americans should stop using cars at all, because all that oil is coming from the Middle East, Saudi Arabia.

What? This does not follow at all. You're implying that any degree of involvement in activities that have negative consequences is equivalent. That's incorrect!

American cars mostly run on gasoline from domestic and Canadian sources. Very little comes from Saudi Arabia.

One doesn't, I don't think; I think one sells to one of several grey-market brokers who in turn sell to DOD. But I think it's more productive to substitute "the IC" for "NSA TAO", because there are several countries (on the "sort of legitimate" side of this market) buying. All of them can pull any plausible amount of cash for a vulnerability out of their couch cushions (then again, so can small countries).