by doe_eyes 702 days ago
It's also easier than "gray market" sales. Bug bounties pay for a wider variety of bugs, including plenty of stuff that's of no interest to your perhaps-Saudi buyers; and they don't require you to develop a weaponized exploit - "hey, I noticed this crashes" is often enough.

Plus, less risk of waking up and finding out you've been sanctioned by OFAC or something like that.


curious why Saudi? Are they known to be prolific buyers of vulnerabilities?
They're rich, don't hold civil liberties in high esteem, and don't have a lot of in-house expertise. So, yeah - along with some neighboring states, they're a buyer for tools they use to target journalists, dissidents, etc.

China and Russia are in the same boat, but they are far more capable with in-house tech.

OK I see, re-reading this with your top level post is "not all vulnerabilities are the type that could be bought by (insert state actor)", which makes sense (for some reason I thought you meant that they were buying the type of bugs that would end up getting reported to a BBP, but I just misread the original comment).

And yes the Saudis definitely bought software from NSO Group but it's also been used by plenty of other governments, including half the EU...

Also, just to be clear - the US gov buys tons of zerodays.
NSA banking EternalBlue was the reason for Wannacry ransomware proliferation, which killed people due to downtime of hospital systems.
perhaps-Saudi-prob-Israel.

(Israel is known to be prolific; many brokers and the whole industry on all sides has a lot of people and entities from Israel. Saudi is publicly obv active due to stories like MBS pwning Bezos over WhatsApp)

Yes, they used a WhatsApp 0day in the murder of Khashoggi.