OpenSSL
koviesl, 2017-09-18 17:06:51

How much will the vulnerability cost?

Suppose I have information about a vulnerability like Heartbleed, only better (for example, one that lets you obtain the secret key in 100% of attacks).
How much can it be sold for, and to whom?
I mean an agency like the FSB / NSA / some Chinese intelligence service, or some kind of foundation / company like the EFF / Google; the black-market option is not interesting. And is it possible to do it yourself, or would you have to go through intermediaries like Zerodium?
PS: Reliable information about actual sales (with links) is preferable to personal opinions.


9 answers
ser-storchak Sergey, 2017-09-30
@koviesl

  • ZERODIUM
    In the Russian Federation this is prohibited by law (Articles 272 and 273 of the Criminal Code of the Russian Federation), so it is better to report the vulnerability you found through a bug bounty program (you can search on the vendor's official site or on HackerOne or Bugcrowd). If so, then notify the vendor through its official website.

chupasaurus, 2017-09-18
@chupasaurus

The price will range from $13,337 in the case of Google (unless they decide to shower you generously with a payout of π hundred thousand dollars, say) to a bill for treating the consequences of thermorectal cryptanalysis (judging by the fact that you ask questions like this here, that is how the secret services will "pay for" the vulnerability).

alex stephen, 2017-09-18
@berezuev

A successfully sold vulnerability will cost you up to 7 years in prison under Art. 272 of the Criminal Code of the Russian Federation.

Vladimir Dubrovin, 2017-09-18
@z3apa3a

Heartbleed is potentially a more serious vulnerability than merely obtaining a secret key, because it allows you to steal any data from the server's memory.
Access to the secret key only allows MitM attacks and bypassing certificate pinning, and in the presence of Forward Secrecy only active ones, in real time, with certificate substitution; i.e. it is impossible to decrypt data during passive wiretapping or to recover previously transmitted and intercepted data, even with access to the key.
The amounts paid for such vulnerabilities are determined by the real impact of the vulnerability (under what settings it actually works and which services it affects), the current demand for that impact, the ability to bargain, and the market on which they are sold (white, gray or black), and can be very individual, from tens of thousands to millions of dollars. $15,000 was paid as a reward for Heartbleed, https://hackerone.com/reports/6626 - but the reporter had no goal of making money, and even that money went to a charitable foundation.
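A toy model of the forward-secrecy point above, added here as an illustration and not code from the answer: a small DH group (constructed prime, not a standard TLS group) and an HMAC stand-in for the certificate signature. It shows that with a static key exchange a recorded session is decryptable once the server key leaks, while with an ephemeral (signed) exchange the leaked key only enables real-time substitution of the server's share.

```python
import hashlib
import hmac
import secrets

P = 2**255 - 19   # toy prime modulus (constructed); real TLS uses standard groups
G = 2

def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def derive(peer_pub, priv):
    # session key = H(g^(ab) mod p); values are < 2^255 so 32 bytes suffice
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(32, "big")).digest()

# Static exchange: the server's long-term secret IS the DH exponent.
def static_handshake(server_pub):
    c_priv, c_pub = dh_keypair()
    transcript = {"client_share": c_pub}          # what an eavesdropper records
    return derive(server_pub, c_priv), transcript

def passive_recover_static(transcript, leaked_server_priv):
    # Recorded client share + leaked server exponent = the old session key.
    return derive(transcript["client_share"], leaked_server_priv)

# Ephemeral exchange: the long-term key only signs a fresh share (forward secrecy).
def sign(key, share):
    # HMAC stands in for the certificate signature in this toy model
    return hmac.new(key, share.to_bytes(32, "big"), hashlib.sha256).digest()

def verify(key, share, sig):
    return hmac.compare_digest(sign(key, share), sig)

def ephemeral_handshake(server_lt_key):
    s_priv, s_pub = dh_keypair()                  # discarded after the session
    c_priv, c_pub = dh_keypair()
    transcript = {"server_share": s_pub, "sig": sign(server_lt_key, s_pub),
                  "client_share": c_pub}
    return derive(c_pub, s_priv), transcript

def passive_recover_ephemeral(transcript, leaked_lt_key):
    # The leaked key can check the signature but holds no DH exponent, and the
    # session exponents were never kept: recovery would need a discrete log.
    return None

def active_substitution(leaked_lt_key):
    # What a leaked long-term key DOES allow: signing an attacker-chosen share
    # in real time, i.e. the active MitM the answer describes.
    _, a_pub = dh_keypair()
    return verify(leaked_lt_key, a_pub, sign(leaked_lt_key, a_pub))
```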

Trotilla, 2017-09-18
@Trotilla

The company that has this vulnerability.
They are the most interested party.
The price is a matter of how you bargain (or, more precisely, of how well you can convince them it is serious).
But in practice it will go like it did in my case:
Hackers who had (really) hacked the site wrote to my client.
They asked for money for the information.
The client contacted me.
He paid me to build a new website from scratch.
Thanks to people like you.
Not a penny was paid to the hackers.
I got all the money.
Admittedly, the information about the vulnerability wasn't needed for my work.

CityCat4, 2017-09-18
@CityCat4

Google can and may well pay up - if, of course, it is a really valuable vulnerability. As for the rest, they will just come and take it for free.

Sergey Sokolov, 2017-09-19
@sergiks

The payment for a found vulnerability is usually called "bounty" or "bug bounty":
PS: Before you contact the "tough guys", soberly assess your risks.

Stalker_RED, 2017-09-18
@Stalker_RED

If you are a white hat, you can make a name for yourself with this vulnerability by demonstrating a PoC, handing it over to the developers of the vulnerable software, and going to conferences. Naturally, you will only be able to disclose details after the vulnerability is fixed. Although they may demand non-disclosure, and even jail you.
If it is money that interests you, and you want more of it, then the darknet is probably better.

h4r7w3l1, 2017-09-28
@h4r7w3l1

If the company participates in bug bounty programs, study the conditions and scope; everything is described there, including the reward amounts.
In the absence of such programs, and of any information on the site itself, try to discuss the issue with people close to the IT or dev department through the available communication channels.
Links to bug bounty programs have been given by other people answering this question.
As for expectation vs. reality:
First of all, provide a PoC and a well-written report, and at least take the conditions into account; in the case of a bounty, use the services of H1 etc., since the service acts first of all as a guarantor between researchers and vendors.
In fact, at large companies the bug trackers are flooded with dozens of reports every day. The fact is that far from all of them are even considered; an even bigger fact is that only those that are actually described constructively and demonstrate serious consequences get paid, and even then according to the overall "picture".
Specifically on the question asked: yes, the vulnerability is serious. But if this issue is discussed without a guarantor service, any hint of ssl / hb / memory dump will make it clear what the problem is, and it will not be hard to find, and to be honest, I would hardly call it a "found" vulnerability. I think that from the substance of the question one can judge the initial level of competence, and the blind scanning of ports for "luck". Merely finding HB does not mean that everything is so successful. Try to carry out at least some actions that could lead to more serious consequences than a couple of cookies, perhaps not even from authorized users.
I would value such a report at, at most, a big thank you. I don't think you should count on more. Even more so on the black market: you will be forced to give information about the product. And you will give the vulnerability away for free; as for somehow hiding the vulnerability type and, with a large vendor, the link or brand name before receiving the funds, the chances are about a hundredth of zero percent.
And besides, all this can lead to not very good consequences for you, even when contacting the vendor directly. You have words, they have logs. It won't be the words that decide.)
