by tptacek 4446 days ago
That vulnerability does not sell for 10x on "the black market".

* It fits into nobody's existing operational framework (no crime syndicate has a UI with a button labeled "read files off Google's prod servers")

* A single patch run by a single organization kills it entirely

* The odds of anyone, having extended access and pivoted into Google's data center, keeping that access are zero.

I'm not an authority on how much the black market values dumb web vulnerabilities, but my guess on a black market price tag for this bug is "significantly less than Google paid".

Later: I asked a friend. "An XXE in a single property? Worthless. And at Google? Worth money to Google. Worth nothing to anybody else."


Exactly. Unless this could somehow be pivoted into write access, with the ability to modify server responses to clients (for phishing or installing malware), no black hat would care about this.

"Dumb web vulnerabilities" that have huge implications could fetch a pretty penny for sure.

No, they can't. Read the inverse of my bulleted list to see what makes money:

* Bugs that fit readily into operational frameworks (i.e., it would be reasonable to have a UI with a button invoking that bug and/or any of the 15 other bugs like it)

* Bugs that can't be killed with a single patch cycle by a single entity

* Bugs that provide long-term access, or access that is unlikely to get your entire syndicate caught

Example of a potentially lucrative web bug: a bug in WordPress.

Example of a bug unlikely to be lucrative: "read any Facebook server file".

I know that sounds crazy and backwards, but I don't think it is.

I think you two disagree on what a "dumb web vulnerability" is.