by tedivm 703 days ago
There are legitimate companies that buy exploits, not just ones that are on the dark web and pay in bitcoin.

Just with a quick check I found Zerodium, which claims to offer bounties up to $2.5 million. They say their clients are "government institutions (mainly from Europe and North America) in need of advanced zero-day exploits and cybersecurity capabilities."

https://zerodium.com/

At the same time, it's likely that Google's (along with most companies) VRP are not actually trying to compete on price with government exploit purchasers. If such an institution is trying to get into someone's Gmail account, they will probably find a way anyhow. And if they do need a certain exploit to do it, they have infinite funds to just keep upping the price they offer.

It's pretty much "Mossad/Not Mossad" threat modeling: https://philsrandomblathering.quora.com/The-Mossad-Not-Mossa...

No one paying you $2.5 million for exclusive access to an exploit is planning to do anything even remotely "legitimate".

On a good day, you might be selling to the CIA and helping catch bin Laden. On a bad day, you're selling to the Saudis and getting a journalist killed. I bet that "mainly" is doing a lot of heavy lifting in that sentence - plus, "Europe" includes Albania, Belarus, portions of Turkey, and more.

On a worse day, you're selling to Israel and getting a 6-year-old girl's jaw blown off.

I meant legitimate in the sense that you won't go to jail, and you'll get an I9 for your taxes. I did not mean it as ethical, and I definitely agree with what you're saying there.

"Legitimate" in the limited sense that you can invoice them for cybersecurity consulting, they'll pay you in fiat, and you can report this income to the tax office.