by 0cf8612b2e1e 701 days ago
What is the legality of selling an exploit? Are you free and clear, or can you be tagged with enabling a future crime? Would they need to be able to trace a specific incident back to your exploit or get you on a catch-all law?

Bugs are found all the time. Sharing a bug you found is not a crime, but I imagine they can always get you on tax fraud.

3 comments

There are quite a few "legit" exploit resellers who will gladly pay millions for exploits and report the income to the IRS. They seem to do fine legally so long as their primary customers are govt or quasi-govt agencies. Now, if you decided to sell to an embargoed country I'm sure they'd suddenly declare the exploits munitions and try to lock you up for a long time.
There's no specific law against selling exploits. The problem is the subsequent crime - and if someone wants to pay you a lot of money for a 0-day in Google, it's hard to come up with an explanation other than that they're about to commit a crime.

So, if you knew or should have known, then feigning ignorance won't save you and you won't be having a good time.

Selling exploits isn’t subject to criminal sanctions

There are no issues reporting the income on tax filings