|
|
|
|
|
|
by tptacek
497 days ago
|
|
|
It is not intrinsically a crime to sell a bug, but if you sell a bug and it can be demonstrated you reasonably knew the buyer was going to use it to commit a crime, you will end up with accessory liability to that crime. Selling vulnerabilities is not risk-free. This is another reason why the distinction between well-worn markets (like Chrome RCEs) and ad-hoc markets is so important; there's a huge amount of plausible deniability built into the existing markets. Most sellers aren't selling to the ultimate users of the vulnerabilities, but to brokers. There aren't brokers for these Youtube vulnerabilities. |
|
|