Everyone is sitting on a java 0day now. They have lost a lot of value in the market since there is literally as much supply as demand. I keep reading CVEs waiting for the one I have to be discovered by someone.


I have a friend who tells me that good (Windows) zero days, with remote execution, are worth about $50K on the market that transacts these things, with a contract to increase that value if there is no open disclosure. I.e., if your zero day remains a zero day for another six months, there is an opportunity to see further reward.

I've always wondered if it's intelligence agencies, criminal organizations, police organizations, or commercial endeavors that sell services to those three bodies that are paying that kind of money for zero days.

I also don't understand why people give good zero days away for free, if it is really the case that there is a market in these types of properties. Anybody have actual insight into this?


Maybe because they don't want people's computers to be abused by people with lots of cash to spare? One can only assume they're getting more than $50k worth of value from the zero day, so something pretty dodgy must be going on.


>I've always wondered if it's intelligence agencies, criminal organizations, police organizations, or commercial endeavors that sell services to those three bodies that are paying that kind of money for zero days.

According to this article, 3rd party middlemen, small security firms and large defense contractors are the ones paying for 0-days. It also has a nice price list for Chrome, iOS, etc.

http://www.forbes.com/sites/andygreenberg/2012/03/23/shoppin...


$50k sounds like a lot, but if you can weather the current storm of every firm and researcher digging into Java and finding all the low hanging fruit, it could be worth $300k+ when nobody else has an undisclosed Java vulnerability.

Usually the way it works is 6 monthly payments, so you get a wire for $8,500 every month that it is not disclosed.


People have ethics.


They also have to eat.


You're assuming that they have to make their living 'hacking'. If instead they have an oil well in the back yard providing a steady paycheck (I live in Texas, and know people just like this), they have plenty of time for non-profit endeavors.


"I also don't understand why people give good zero days away for free..."

Quite a few hackers are a really special (in a good way) kind of people who are in it only for the intellectual challenge.

Now, food for thought:

Rudyard Kipling once warned students against an over-concern for money, position or glory; he said: "Some day you will meet a man who cares for none of these things. Then you will know how poor you are..."


Why sit on it? Why not disclose it and have it be your name on that CVE, and not someone else?


A CVE is not worth that much. (Nothing?)


Maybe not as cash. But on a resume?


I get the impression that dsl is a pretty successful person IRL already.


All the more reason to disclose the 0day.

If not for money or recognition, then simply for the users.
