[Intermernet]

I'm interested, and I'm sure I'm not alone. This isn't easily researched information, and it would be nice to have a list of organisations to put on my boycott list. These companies should be named and shamed. They have no positive influence on the world. If they disclosed instead of exploited the vulnerabilities they have knowledge of, they would improve the security of most of the world's population. Instead, they profit from the insecurity of the population. This is criminal behaviour and should be treated as such.

[akerl_]

You'd boycott these companies, that you don't know who they are? It's not much of a boycott to stop doing business with companies you already aren't doing business with.

[Intermernet]

How do I know if I'm doing business with them if I don't know what services they offer. Years ago I ended up providing services to a company that was involved in morally questionable activities. When I discovered the extent of those activities I stopped providing services. That company was the GEO group.

[tptacek]

You're not doing business with any of them.

[Intermernet]

See, once again, that's interesting. Especially how you can be so sure of that.

I hate to tell you, but companies like the ones you allude to are incredibly interesting. They're also probably very immoral, and should be known by people who have an interest in infosec.

[akerl_]

The companies that sell this kind of product aren’t doing it as a side hustle. It’s not like “oh, well yea, Atlassian mostly sell Jira but also they have a team farming viable iPhone data extraction vulns.”

If you were working with one of these companies, you’d know it because it’s their primary/only product/focus.

[Intermernet]

Which is still interesting. I'm not sure why people won't name these companies. tptacek says it's not interesting, but that's pretty obviously not true. Why won't people name these companies? If they're so insulated from normal commerce, and so specialised that they only provide these services, it shouldn't really matter if anyone knew who they were. They're companies. Unless they're obviously engaged in actually illegal activities (which they may well be, but it's currently not possible for me to determine that) they shouldn't be taboo to discuss. I find it weird that people want to claim "oh yeah, they definitely exist, trust me bro, they're all really secretive, but also totally legit" but they won't mention any names.

I can only assume that there are actually some industry or professional repercussions for disclosing any specifics, because otherwise the only other logical explanation for such tight lipped discussion is that people are somewhat afraid to talk about these companies.

Also, Google, Apple, Microsoft, Meta probably have some of the most respected vulnerability research labs in the world. They, despite their many and varied other flaws, tend not to weaponise and profit from said research. I mean, they might, but they also do a pretty good job of actively and responsibly publishing this research.

[tptacek]

Are you a security agency for some sovereign state in the world? Then you already know who they are. Otherwise: you're not a customer.