undefined | Better HN

0 pointsdopamean9y ago0 comments

I don't know much about it tbh. tptacek and a few others have spoken extensively about bug bounties on HN. I'll try and dig up a few of their past comments.

Essentially what the argument comes down to is that a one off bug to exploit a company like Facebook is actually not worth very much to anyone on the black market because the bug is likely only valid for one company and that company will likely patch the bug very quickly. This leaves the attacker with a very narrow window to exploit the bug.

Attackers on the black market paying for exploits are looking to make money from those exploits. If there is only one place they can use the exploit and perhaps only have a few days or even hours to use it how much would it really be worth? The exploits that pay big on the black market are ones that are enormously widespread and less likely to be fixed quickly.

If I can find better, more detailed, explanations I'll post them here. Maybe tptacek can link to his past comments...

0 comments

Trundle9y ago

What's more is there can't really be an established "market" for a unique exploit. If a product isn't being regularly traded then there's no easily findable pool of buyers. There's also no ongoing/repeat business which outside of contract law (and even for plenty of business conducted under contract) is all there is to keep people honest.

You'd need to be very well connected to be able to get good value out of an exploit. There could very well be people that are. Hackers in leather dusters travelling the world exchanging thumb drives in shady third world bars, sounds cool as hell, in fact I hope there are people living that life just because it makes reality that little bit more interesting. But your average pen tester isn't that.

Whenever i see the "better value on the black market" crowd show up here I'm actually reminded of a, Jim Jefferies I think, bit about the black market not meaning you can just head down to the docks at night going "GUNS. I WANT TO BUY A GUN".

awqrre9y ago

> [...] that company will likely patch the bug very quickly.

I have heard many instances where it isn't the case (some bugs are often being exploited for months before the company finds out)... and you probably did too... but anyways, as an example, you don't need a lot of time to copy lots of data...

j / k navigate · click thread line to collapse