Hacker News new | ask | show | jobs
by skriticos2 607 days ago
Yea, legitimate with illegitimate is a weird kind of calculation, as the risk with illegitimate market is to end up in jail, and few people want to calculate the monetary value of lost time due to incareration and all the fallout that comes with it.

The more interesting question would be, if the bug bounty is enough to keep legitimate researchers engaged to investigate and document the threats. But..

The bug bounty itself is only a drop in the bucket for security companies, as it's a, unsteady and b, not enough to cover even trivial research environment cost.

Pratcially it's a nice monetary and reputation bonus (for having the name associated with the detection) in addition to the regular bussiness of providing baseline security intelligence, solutions and services to enterprises, which is what earns the regular paycheck.

Living from quests and bonties is more the realm of fantasy.
2 comments
ballenf 607 days ago
Is it actually illegal to sell an exploit to the highest bidder? Obviously deploying or using the exploit violates any number of laws.

From a speech perspective, if I discovered an exploit and wrote a paper explaining it, what law prevents me from selling that research?

link
kevindamm 607 days ago
(I'm not a lawyer but) I think that would involve you in the conspiracy to commit the cybercrime, if you developed the exploit and sold it to an entity that used it with wrongful intent.

https://www.law.cornell.edu/uscode/text/18/1029 gives the definition and penalties for committing fraud and/or unauthorized access, and it includes the development of such tools.

A lot of it includes the phrasing "with intent to defraud" so it may depend on whether the court can show you knew your highest bidder was going to use it in this way.

(apologies for citing US-centric law, I figured it was most relevant to the current discussion but things may vary by jurisdiction, though probably not by much)

link
z3phyr 607 days ago
You only risk prison if you sell it to the "bad guys" on the black market. Sell it to people who can jail the bad guys instead; that is, our governments.
link