What's the reason to even participate in most bug bounties for serious shit like this, knowing you could get 10-100x more submitting to Zerodium? Is it the hope of getting on some 'hall of fame' which might land a job offer?
Like, if I found an exploit for something random like skype/slack/etc.. that let you run code on any target's machine with zero interaction, there is zero chance my first stop would be the bug bounty program. For serious exploits, I believe you can get up to 2 million bucks with Zerodium. Just seems like a no-brainer.
Now that said, I would definitely use the bug bounty program for boring/low impact stuff like XSS and whatnot that has limited value/impact as nobody else would likely ever buy it for that much higher of a price.
Maybe some people are ethically against selling to an organization that then resells the zero day to governments instead of, you know, fixing the problem.
I consider myself an ethical person and I’d have a tough time ignoring the potential for $1 million dollars. After taxes I could buy a really nice house for cash and have enough money left over to drive a new car for the rest of my life.
One option is life changing and the “ethical” side might not pay enough to buy a gaming PC. Meanwhile the executives at the companies that claim security research needs ethics are making millions of dollars selling insecure apps. It’s like a church asking poor people to tithe IMO.
I actually think it would be better if there were no laws regarding the sale of security exploits. Everything should go onto an anonymous marketplace and the companies that have affected products should have to pay fair market value for bug discoveries.
Skimping on security and guilting researchers into being ethical is a total scam.
Sounds like maybe you shouldn’t consider yourself an ethical person. Otherwise, if you’re involved in enough startups, you’ll eventually be in the position where you have to ignore the potential for insider trading to make you a million (or several) and it doesn’t sound like you’d be able to.
Those aren't even close to the same thing though. One is illegal and the other, selling to a company like Zerodium, isn't. The ethical objection I have is that you lose control over how that exploit is used if you sell it to someone like Zerodium and I think it's better for users and the general public if bugs are disclosed directly to software makers.
However, the idea that security researchers are guilted into "being ethical" while the (rich) executives for massive, multi-billion dollar tech companies are saving money on security, plus skimping on paying security researchers fair value when bugs are discovered, frustrates me.
It's hypocritical for big tech to expect "ethical" behavior from security researchers when it's a lot closer to "let us take advantage of you" IMO. If it becomes a debate about ethics, I think every time an exploit is sold to a company like Zerodium it's primarily the fault of the tech companies that are exploiting security researchers.
No, that's perfectly ethical compared to betraying the company that employs you, because:
* The money otherwise goes to the pockets of completely-useless C-suites.
* The exploit is likely out anyway.
* Nation state actors may indeed prevent yet another 9/11 attack. In the worst case they don't use it to spread ransomware.
Wow, https://zerodium.com/program.html literally places router RCE at the bottom. I mean I never trusted my home router vendors but this is like an ice cold shower.
In a previous life we customised some router firmware of a Linksys router. One of the many issues I found was the password validation logic was `validatePassword(password) || password == "password"`. Via Shodan I could see many of these devices with remote admin (login) enabled and available on the internet. The overall code quality was easily the worst I have seen in a project.
Then those researchers need to stop complaining when they get screwed over by Big Corp. I'm definitely not saying that the researchers shouldn't be rewarded appropriately, but we've seen countless times that, even with official bounty programs, these companies don't care about the researcher at all.
If someone still wants to put in all the work, that's great, submit the vuln and reap the good karma but they shouldn't expect more, even if the org they're reporting it to promises otherwise.
One should never stop complaining about bad things. It is important that everyone knows it and is reminded of it regularly. Especially now that it seems to be common knowledge that Microsoft got rid of their bad past with Ballmer and is now one of the good ones with their great new "Microsoft <3 Open Source" approach.
So Zerodium claims their customers are mainly government organisations. I find it amusing and sad. Wouldn't it be more efficient to just force vendors to implement backdoors? Why maintain a lie that citizens enjoy privacy and vendors are required to keep their data safe? Why the charade?