[MichaelBurge]

If you're not selling the exploits to Microsoft, where else do you sell them?

[awd]

https://zerodium.com/, the going rate for a full exploit there (and I assume, one that works quickly & leaves little trace, i.e. a high quality exploit, never dealt with them before) is 80k.

Under the old rules that's already 4x as much as MS, but the warm fuzzies made up for that I suppose. Under the new rules, 40x as much, and no warm fuzzies are worth that imo.

[rfd4sgmk8u]

Selling to Zerodium is not equivalent to getting a bounty from MSFT. Selling exploit code hurts people. Microsoft will patch the vuln to protect its customers. Selling exploits to Zerodium is very bad. Be a force for good in this world.

[MichaelBurge]

> Access to Zerodium Zero-Day Research Feed is highly restricted and is only available to a very limited number of eligible government institutions.

Sounds like they sell it to the NSA/CIA/FBI so it's used for "national security" and not ransomware worms.

[lobocinza]

Basically saving then the trouble.

[lobocinza]

Windows is not a force for good.

> Selling exploit code hurts people.

As providing backdoors for state agents like Microsoft and other companies do.

I'm ignorant on the matter but is Zerodium a black market? As far as I know they might be selling any exploits to the affected companies.

[rfd4sgmk8u]

The logic of business would imply that a vendor of exploit code is going to make significantly more money reselling the exploit than the author of the exploit code. 100k for an exploit to the author? The exploit vendor will sell it for millions. Who has deep pockets enough that they are willing to buy exploit code for millions? A software vendor can engineers for many years for this cost.

Yeah, I don't like windows either, but its not the point. Billions rely on the security of Windows today, our entire global economy is dependent on reliability of our information systems.

One either helps maintain the security of our systems globally, or they seek to disrupt it for a pay day. I get quite upset when people enter with the mindset of 'the actual vendor wont pay me enough, ill sell it to shady exploit market'. It is not a simple pay day.

[maccolgan]

It's Microsoft, the Steve Ballmer (also Teams) Company, they hurt people more than Zerodium can even think of.

[anamax]

If Microsoft doesn't care, why should he?

[bathtub365]

This way of thinking really reflects poorly on security professionals. They should care out of a sense of professional ethics or personal morals. Selling a bug to be fixed by a vendor or to be weaponized by one of Zerodium’s customers are not equivalent morally or ethically. They also aren’t the only two options: he could just sit on the bug. Someone else will likely discover it but he at least wouldn’t be complicit in the erosion of the security of the software ecosystem.

[anamax]

The security of Microsoft products is Microsoft's responsibility.

Microsoft seems uninterested in fulfilling that responsibility, therefore the responsible thing to do is to "motivate" Microsoft.

[bathtub365]

Let’s not pretend selling to private buyers is anything other than financially motivated. I don’t think security researchers who sell their vulnerabilities to private buyers are not acting to “motivate” Microsoft in a roundabout way. Even if we assume that is their motivation, such an arrangement is obviously unethical because vulnerabilities sold in this way are weaponized to do harm against others.