by doix 701 days ago
So morality aside, I imagine dealing with large amounts of money that you can't explain the origin of isn't simple.

You can't just do a bank transfer, so you're probably getting paid on crypto. Converting the crypto to fiat will probably be a pain. All the reputable exchanges have KYC requirements. You'd have to explain how you came to acquire so much crypto.

I guess you could get paid in a suitcase of cash, but that has its own headaches.

Personally, I'm just picturing so many headaches that even if I wasn't morally against selling it to the highest bidder, it doesn't feel worth it. Selling to some other "proper" corporate entity or a government agency seems reasonable, but are they offering more than Google?


There are legitimate companies that buy exploits, not just ones that are on the dark web and pay in bitcoin.

Just with a quick check I found Zerodium, which claims to offer bounties up to $2.5 million. They say their clients are "government institutions (mainly from Europe and North America) in need of advanced zero-day exploits and cybersecurity capabilities."

https://zerodium.com/

At the same time, it's likely that Google's VRP (along with most companies') is not actually trying to compete on price with government exploit purchasers. If such an institution is trying to get into someone's Gmail account, they will probably find a way anyhow. And if they do need a certain exploit to do it, they have infinite funds to just keep upping the price they offer.

It's pretty much "Mossad/Not Mossad" threat modeling: https://philsrandomblathering.quora.com/The-Mossad-Not-Mossa...

No one paying you $2.5 million for exclusive access to an exploit is planning to do anything even remotely "legitimate".

On a good day, you might be selling to the CIA and helping catch bin Laden. On a bad day, you're selling to the Saudis and getting a journalist killed. I bet that "mainly" is doing a lot of heavy lifting in that sentence - plus, "Europe" includes Albania, Belarus, portions of Turkey, and more.

On a worse day, you're selling to Israel and getting a 6 year old girl's jaw blown off.

I meant legitimate in the sense that you won't go to jail, and you'll get an I9 for your taxes. I did not mean it as ethical, and I definitely agree with what you're saying there.

"Legitimate" in the limited sense that you can invoice them for cybersecurity consulting, they'll pay you in fiat, and you can report this income to the tax office.

There is a thriving "grey" market for vulnerabilities, where brokers buy vulns and sell them on to e.g. intelligence agencies. This is well established and unlikely to cause much legal difficulty for the bug finder.