[acdha]

Try thinking through other comparisons to understand the difference: if I find a bug in the power grid, how do I cash out? There aren’t many buyers, it’s really hard to move a lot of cash without getting caught, and if I use any other electronic system I have to pay a ton of money to get help laundering it because the risks are so high. Criminal outfits in Asia play games trying to get gift cards or things like that but it’s hard to scale and a lot of their dupes here get caught.

Contrast that with cryptocurrency where a bunch of VC money pumped up a market for you to launder the proceeds and the protocols are intentionally designed not to have antifraud protections. Ransomware was possible a decade earlier but the profitability went up massively once it became easy to launder millions rather than hundreds of dollars.

[tptacek]

I have a general rule of exploit sales which nobody has shot me down on yet and I'm increasingly confident about: people are buying non-speculative outcomes. Every dorm room conversation about vulnerability valuation inevitably veers into speculation about what bank-shot outcomes a buyer might hope to achieve with a purchase. The reality is that unless the buyer is getting exactly an outcome they already planned (and, usually, have already repeatably achieved), they're not interested. Exploits have to slot into existing business processes.

This explains reliable, stealthy, zero-interaction full-chain iOS vulnerabilities, which fit into every intelligence, military, and law enforcement business process pin-compatibly. It explains browser vulnerabilities and ATO vectors.

And it also approximates the market for blockchain vulnerabilities: if the exploit is "literally transfer untraceable cash from victims to buyer", lots and lots of criminal organizations already have that business process; you probably simplify their existing repeatable process.

Blockchain vulnerabilities thus have a very credible market. As bonus: the work of discovering and POC'ing these vulnerabilities may be gnarly, but the engineering required to exploit them at scale probably isn't. It doesn't take months of R&D to make the exploit "reliable", it generates straight cash until it dies (and probably has a half-life measured in minutes), and so on.

Every lucrative class of vulnerability has some kind of story like this; they all fit into some existing, very clearly stated demand.

We get into trouble trying to generalize. All the markets are very specific; they're all sui generis. Most vulnerabilities are worth zero. There are mobile OS RCEs that are probably worth zero!

[acdha]

That’s a really good way to think about it. Having been security-adjacent for a long time, I definitely remember the reactions of dread which some of the earlier big vulnerabilities in things like OpenSSL got, which were never exploited at the feared scale, and that’s well explained by your theory: the NSA isn’t interested in every phone in a country, and a lot of unsexy vulnerabilities like WordPress exploits are going to be more widely attacked because people know how to make money with ad/affiliate spam, SEO, etc.