by tptacek 4769 days ago
Simply selling vulnerabilities isn't criminal (it's a bit of a grey area, but if I didn't have ethical issues with the practice, it's so far onto the "safe" edge of the spectrum that I'd be fine with assuming the risk).

Selling vulnerabilities to people you know to be criminals, or to people a prosecutor can convince a jury a reasonable person would have known to be criminal, probably is a crime.

1 comments

Joe Sullivan, Director of Security at Facebook, said publicly during the SF New Tech Security event this Wednesday that Facebook purchased the Java 0Day run in their training exercise[1]. I guarantee that 0Day was more than $5000.

[1] http://arstechnica.com/security/2013/02/at-facebook-zero-day...

It may have been, it may not have been (we don't know the terms), but it was a client-side drive-by RCE, not a web app bug.