[4ad]

Just $10k?

This sells for at least 10 times more on the black market. Why would one rationally chose to "sell" this to google instead of the black market.

Some people don't break the law because they are afraid to get caught, but I like to believe that most people don't break the law because of the moral aspect. To me at least, selling this on the black market poses no moral questions, so, leaving aside "I'm afraid to get caught", why would one not sell this on the black market? Simple economic analysis.

Very serious question.

[tptacek]

That vulnerability does not sell for 10x on "the black market".

* It fits into nobody's existing operational framework (no crime syndicate has a UI with a button labeled "read files off Google's prod servers")

* A single patch run by a single organization kills it entirely

* The odds of anyone, having extended access and pivoted into Google's data center, keeping that access is zero.

I'm not an authority on how much the black market values dumb web vulnerabilities but my guess on a black market price tag for this bug is "significantly less than Google paid".

Later: I asked a friend. "An XXE in a single property? Worthless. And at Google? Worth money to Google. Worth nothing to anybody else."

[meowface]

Exactly. Unless this could somehow be pivoted into write access, with the ability to modify server responses to clients (for phishing or installing malware), no black hat would care about this.

[flylib]

"dumb web vulnerabilities" that have huge implications could fetch a pretty penny for sure

[tptacek]

No, they can't. Read the inverse of my bulleted list to see what makes money:

* Bugs that fit readily into operational frameworks (ie: it would be reasonable to have a UI with a button invoking that bug and/or any of the 15 other bugs like it)

* Bugs that can't be killed with a single patch cycle by a single entity

* Bugs that provide long-term access, or access that is unlikely to get your entire syndicate caught

Example of a potentially lucrative web bug: bug in Wordpress.

Example of a bug unlikely to be lucrative: "read any Facebook server file".

I know that sounds crazy and backwards, but I don't think it is.

[theboss]

I think you two disagree on what a "dumb web vulnerability" is.

[mixmax]

If you want to look at it rationally you have to factor in the risks you are taking by selling it on the black market. These risk include:

- How will you whitewash the money? Alternatively how will you spend them on the black market? You can't buy houses, cars or stocks with black money.

- Will you get paid? - Secure anonymous payments that are guaranteed are not trivial. I don't know if there are escrow services for the black market, but this is definitely risky. We are talking about shady actors after all.

- Will you get caught? If do you will probably end up in prison.

When you take the above in to consideration I think most people would prefer $10.000 legitimate US dollars without risk to $100.000 that might end up giving you ten years behind bars.

[laichzeit0]

Bitcoin would be the preferable way to get payed in this situation.

[pbhjpbhj]

How would you escrow it so that you can be sure to actually get the funds? Sure they're not going to pay up front and it would be over-trusting to give a crack away on the promise of later funds, so ...

[peterwwillis]

Your word is incredibly important for criminal enterprises. If you fuck someone over and somebody finds out, nobody will ever do business with you again (besides the whole 'getting shot' thing). Escrow services (by way of a middle-man you both trust) are only necessary for really big jobs. In general you pay first and get your goods once payment is confirmed.

[pbhjpbhj]

I can see that working in meatspace but here we're talking about selling an idea on the web - the buyer is very unlikely to be able to track you so they're unlikely to front the money.

Suppose you found a bug, couldn't cash it in with Google because of where you live and so were selling it on. The buyer won't release the funds, would you really give up the goods? Even with an escrow, proving the transfer and performing the transaction with minimum risk seems problematic to me.

[flylib]

- the buyer is very unlikely to be able to track you

the buyer will probably be easily able to track you, if they are paying 100k for hacks on the black market, they would have the resources to find you easily

[laichzeit0]

That's not really a problem specific to Bitcoin only. I've seen Bitcoin Escrow services but I'm not sure which ones are trust worthy.

[pbhjpbhj]

No, indeed I wasn't pitching that as a problem with BTC - just in general how can you ensure a secret transaction will go through. You'd need a trusted escrow, a trusted escrow would probably need to have a business address [and other things] for you to trust them ... but that means they'd be registered to handle money in all likelihood and that means records of your transaction that law enforcement could eventually get hold of?

[peterwwillis]

Anyone who sells on the black market already knows the answers to these. Malware, botnet and black market security researchers also know all the answers to these. Let's just say that in general, it is actually trivial to launder money from black market transactions, as long as you don't get the attention of the feds and you stick to non-US markets.

[josephagoss]

They made $10k plus a huge amount of free advertisement for their company and services (security). I reckon this release alone will earn them far more than your estimated $90k difference.

Mind you, your point is certainly valid if this were a random hacker type.

[alternize]

very good advertisement indeed - i haven't heard about their service until today, and am now giving it a try.

[blauwbilgorgel]

If you donate to charity, Google will match your donation. You can buy a smile on your face for the rest of your life, knowing your exploit build a school in Africa.

If you manage to sell this on the black market, that money is worth half when turned into "legit" money that you can spend. If we leave aside "I'm afraid to get caught" do we mean "caught by the justice system"? What would happen if you sell your exploit to some cybermob and a few days later, some monkey on a typewriter, finds your exact exploit and publishes it online? Not your problem it is worthless now and some mob feels you sold them crappy gear?

As for the moral aspect. Think of anyone you hold in high regard, or have a loving relationship with. Selling an exploit that will be used for harm, might mean harm to those you hold dear.

Then there is this simmering thing in your subconsciousness. Some know how to put out that fire. Others wake up in a sweat years later, after a dream where their exploit is used to find and execute a political dissident. That is: You may very well come to regret a "bad" deed in the future, when your situations and responsibilities change. You won't lie on your death bed and think: "I wish I hadn't build that school, but taken the money and put a down-payment on my new bathroom."

[muyuu]

You have a very strange sense of morality, IMO. I refrain to inflict damage to others for personal gain, it's really that simple to me. Other questions are complicated and conflicting, but this is quite clear cut to me.

[danbruc]

[...] why would one not sell this on the black market?

Because it is wrong to harm others for personal benefit?

[Fuxy]

I agree with you however companies are completely the void of morality their only purpose is profit and they will hire shady lawyers to interpret the law in their favor fire people without giving it a second thought or collude with other big companies to keep their employees wages low so why would i treat them differently.

In business morality is a luxury that some companies can't afford and most choose not to have so it shouldn't be expected.

The only thing preventing you from selling it on the black market is the potential fame and business you may get by being able to reveal your find which may or may not be worth it.

That 10k is not really much of an incentive from a business perspective.

[lotsofmangos]

companies are completely the void of morality their only purpose is profit

Companies are groups of people and have many different purposes. I understand being worried about the rise in corporate oligarchy, but your argument is itself the attitude you are accusing companies of. The problem isn't companies being immoral, but people rationalising behaviour that they know to be immoral.

[Fuxy]

That's probably because i treat them the same way they treat me.

Their attitude makes sense and sometimes it's actually necessary for a companies/entities survival.

We all face hard choices between what's moral and what's best for our own survival the only difference is companies put any amount of small profit over morality not just survival.

I don't make the rules i just play the game.

[lotsofmangos]

Are you a bot with a database of platitudes?

[coldtea]

>I agree with you however companies are completely the void of morality their only purpose is profit and they will hire shady lawyers to interpret the law in their favor fire people without giving it a second thought or collude with other big companies to keep their employees wages low so why would i treat them differently.

Perhaps, but even so, when you sell a vulnerability to the "black market" you don't just harm Google. You also harm people the vulnerability will be used against (to fish their credit card details, compromise their servers, etc).

(Perhaps in this case, for technical reasons you can only harm Google with this thing, not sure. But still, talking in general).

[danbruc]

I would never consider selling it on the black market. That others are lacking moral principles is not a justification to go the same route.

[bambax]

I don't agree with you that "selling this on the black market poses no moral questions"; this gives access to Google's production servers, which can really harm Google in very bad ways. Unless Google has done specific very bad things to you and you want retribution, why would you do that to them?

But I agree with you that $10,000 doesn't sound like much, for such an exploit, and for a company like Google.

Edit: corrected typo "$10" -> $10k.

[paulgb]

It's $10,000, not $10. Detectify is based in Europe where they use . to group digits.

[bambax]

Yeah, it was a typo; I meant $10k, which does seem quite low, no?

[tripzilch]

1. Because you'll be dealing with organized criminals, which is dangerous and brings problems beyond the mere possibility of getting caught.

2. I'm assuming your basis for "no moral questions" is because you'd be hurting Google, which is a corporation, not a human, and can therefore be treated with a different set of moral values. (If this assumption is incorrect you need to clarify.) However, selling this exploit on the black market may very well be leveraged to affect a lot more people than just Google. People that will be phished, scammed and extorted. That (I hope) does pose moral questions, doesn't it?

The problem is, you can't sell an exploit on the black market on the condition that it may only be used to (say) "steal from the rich and incorporated".

3. Finally, $100k earned on the black market is not worth the same as if it was legitimate, because it is very hard to spend. I can imagine that a process of white-washing could easily knock 50% off the value, as well as taking a lot of time and effort. Then you got $50k, which is already a lot closer to $10k.

[snowwrestler]

How does selling an exploit to criminals not pose a moral question?

[darkarmani]

> To me at least, selling this on the black market poses no moral questions

That's probably a reflection of your own morals. There are millions of people that could be affected by this bug, so I'm not sure how there isn't a moral question here.

[raverbashing]

"Why would one rationally chose to "sell" this to google instead of the black market."

Exactly because of that. One is legal the other is not

[Noxchi]

Your economic model does not take into consideration the value of recognition, which is a very high motivator, often more important than money.

If they sold it on the black market, they couldn't brag to anyone that they hacked google.

[outworlder]

I fear that your economic analysis is way too simple.

You should include damage to the company's reputation, should this get leaked. Specially since they work with security - and who would trust their security to people who sell vulnerabilities to the highest bidder?

This could cost than much more than your quote.

[borplk]

The purpose of the bounty prize is not to outbid or compete with the criminals.

[rplnt]

Maybe this weird and obsolete service was run on a small subset of servers that is not really worth that much. I would assume your journey would end up right there at that one (or n of the same) machine.

[frozenport]

You are a scumbag, but the math is right. You would need to discover 10 of these a year to make a living wage in SF - maybe 50 if you are a team of 5. They should pay what they pay their engineers.

[cookiecaper]

Maybe I just read it wrong but it sounds like Google made an opening offer and the security group felt it was sufficient and decided to take it instead of negotiating. Maybe I'm wrong and they'd already given the details and Google was just trying to keep them happy and provide some cash for what otherwise would've been a Good Samaritan, open-source contributor type of report.

As long as Google is willing to negotiate, I don't see a problem with a group being satisfied with 10k and taking it.

[sirdarckcat]

Hi!

Bounties are always awarded after the bug is disclosed[1].

We constantly[2] upgrade the bounties whenever we feel like we should be paying more, and we will continue to do so. We also increase the rewards from the amounts in the price list if we think they result in a higher impact than what the reporter originally suspected.

We aren't actually trying to out-pay the black market. Overall, our goal is to reward the security community for their time and help for their security research, since we both have the same goal in common of keeping all of us safe (either Google services, or open source/popular software[3]).

And if you are interested, you can follow news on Google's VRP here: - https://plus.google.com/communities/103663928590757646624

[1] http://www.google.com/about/appsecurity/reward-program/ [2] - http://googleonlinesecurity.blogspot.com/2010/11/quick-updat... - http://googleonlinesecurity.blogspot.com/2010/11/rewarding-w... - http://googleonlinesecurity.blogspot.com/2012/02/celebrating... - http://googleonlinesecurity.blogspot.com/2012/04/spurring-mo... - http://googleonlinesecurity.blogspot.com/2013/08/security-re... - http://googleonlinesecurity.blogspot.com/2013/06/increased-r... - http://googleonlinesecurity.blogspot.com/2014/02/security-re... [3] - http://googleonlinesecurity.blogspot.com/2007/10/auditing-op... - http://googleonlinesecurity.blogspot.com/2011/08/fuzzing-at-... - http://googleonlinesecurity.blogspot.com/2013/10/going-beyon... - http://googleonlinesecurity.blogspot.com/2013/11/even-more-p... - http://googleonlinesecurity.blogspot.com/2014/01/ffmpeg-and-... - http://www.google.com/about/appsecurity/research/

[bitJericho]

You're right Google should pay out 100k for all exploits turned in.

[meric]

Perceived chance of being caught * cost of punishment.

[teemo_cute]

Because they are a legitimate company that sells security services.