
Agreed.

Still, I don't understand why more people don't sell the exploits to the highest bidder. It seems counter intuitive to me.

Maybe there are more people who sell the exploits and you just don't hear about it as much as people who submit them to the corporations before publicizing them.




Don't underestimate the value of money that's guaranteed instead of a hypothetical possibility, now instead of maybe sometime, yours free and clear instead of legally dodgy, that you can boast to friends and future potential employers about instead of hiding as a shameful secret.


I agree, except I'm pretty sure Facebook and other bug bounty programs don't guarantee payment.


True, but they usually do by the time they say that you will be paid.

I think the argument that a black market sale of an exploit won't necessarily be as clear cut is still valid.


What's the marketplace like?

On the seller side, how easy is it to actually get paid? There's no point in trying to sell exploits if you're just going to get cheated, get busted selling to some sort of undercover law enforcement, or just go to a lot of trouble for not a lot of payoff.

From a buyer perspective, you need to have a way to verify an exploit, or else you're just buying a pig in a poke. And you need a way to monetize the exploit, or some other motivation. And you really have no way to know how long your exploit will remain functional.

(Or, you know, people could be basically good.)


Is there really information that you can obtain on your own that you can be criminally prosecuted for sharing?

On what basis could law enforcement act undercover to trap sellers?


Easy. All the sting operation has to do is make it clear to the seller what the "buyer" "intends" to do with the bug. It doesn't even have to be overt: they could simply say "we are looking to pay $10,000 for a bug that would enable us to download all the private photographs from Justin Bieber's Facebook account".


It depends on the information.

This only applies to the US, as the laws are probably different elsewhere. The CFAA[1] is a very vague and broad law that aims to stop people from accessing systems, sending malicious data, etc. It is intentionally written in such a way to be forgiving to the victim since security is hard by default [citation needed]. So even if you found an exploit without using it yourself, you'll probably be charged with aiding and abetting or something similar.

[1]: https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act


If you exchange money for an exploit that you know will be used to commit a specific crime, you are an accessory to that crime. The CFAA doesn't have much to do with it.

Selling exploits in general is not that legally risky†. Prosecutors have to prove mens rea at trial, beyond a reasonable doubt. People sell bugs to anonymous marketplaces all the time.

The question isn't whether selling Facebook bugs to the black market is itself illegal. It's whether the DOJ could set up a sting to capitalize on the greed of people who would do that. Yes, they could.

It's not not legally risky, either, especially in the case of bugs like these, where you've been given permission to attack Facebook's servers only in conjunction with their bounty program --- your civil liability to a website that doesn't run a bounty, if you sold a bug you found in their site and it was used in some way to harm them, could be astronomical.


I see you around HN all the time. Clicked your profile.

> Formerly: founder @ Matasano

Neat! Matasano is what got me into crypto - though my pursuit has since been limited.


Indeed, it is I, Sardo Numspaa!

I'm glad you liked the crypto stuff we did!


GP is not talking about just sharing. This is selling information for monetary gain. The buyer of which is also attempting to profit from it.


>> "Still, I don't understand why more people don't sell the exploits to the highest bidder. It seems counter intuitive to me."

The same reasons people don't steal from shops or commit other crimes:

1. Morals

2. Risk of getting caught and subsequent punishment


3. Nobody wants to buy Facebook bugs besides Facebook.


Yes, this particular class of bug isn't all that useful. If someone started using the exploit it wouldn't be long before a user complained that their comments were being deleted and then Facebook would figure it out in a hurry.


Presumably an Instagram rival could find it useful.

If Instagram comments are gone/disappearing, then a more secure version could gain user-share from Instagram.

Edit: Even CNBC is aware of data hacking[0]. Scary to know that people here don't even consider sabotage as a threat-model...

[0] http://www.cnbc.com/2016/03/09/the-next-big-threat-in-hackin...


I see. So, the business plan here is: outbid Facebook to buy the rights to arrange the commission of, what, tens of thousands of felonies, in order to secure a marginal benefit for a competitor to the world's most popular photo sharing application, where those rights expire instantaneously as soon as one of the best security teams on the planet notices what's happening.

Sounds great. Where do I invest?


Best security teams on the planet? You are talking about Instagram? I've read multiple reports of their properties being completely owned in the last few months, just here. The fact that they are still up is a testament to the researchers who reported the errors to FB.

Also, many people invest in even worse and more fraudulent schemes. Publicly traded companies have scammed entire states and nations, costing dozens of billions to trillions of dollars, all while NYSE investors trade their stock like cash.

Edit: If you can't deal in facts, deal in downmods and unsubstantiated platitudes.


Yes, Facebook has one of the best security teams on the planet.

No, nobody is going to invest in this scheme.


haha you can't be serious right? I am sorry but I honestly found that amusing. Like Instagram engineers scratching their heads as to why comments are disappearing while there's an up-rise of users and then someone finally decides to create a secure alternative and is upheld as the savior.

Realistically though, if this were to become big enough to promote an alternative, then Instagram would be all over it and thus fix it within minutes.


"Weird, some of my comments disappeared. Well, I guess it's time to completely reboot my social media profile on a new service!"

- no one, ever


Don't underestimate the professional value of disclosing a vulnerability to the company. And I don't solely mean the value of the publicity and the exposure of being public about the disclosure. The security community is surprisingly small. Getting a one-off splash story in a rag like Business Insider is nothing compared to building a back and forth with someone like Alex Stamos.


He's 10. Who is he going to sell this to? $10,000 is probably a gigantic amount of money to him.


It's a lot of money to most people.


Of course, but it might be worth $100-200k if sold to a third party.

Edit: looks like I was wrong!


No, it would be worth much less than $10,000 to anyone else.

There is a specific kind of bug that is worth 6 figures on the black market: clientside remote code execution. Somehow, HN has gotten the impression that the going rate for the hardest bugs in the world to reliably weaponize is actually the going rate for all bugs everywhere.


So you're saying client-side remote code execution bugs are the hardest to reliably weaponize? Do I understand correctly? I figured those bugs would be the easiest to weaponize.


We mean different things, and it's me being imprecise. Substitute "generate" for "weaponize".


If you had this exploit, how would you have monetized it? Do you know who to talk to? Do you know where to go on the darkweb to find the people who know the people who have the money to actually pay you for this? Do you know how to negotiate with them to actually guarantee payment? Do you know how much an exploit which can only delete content -- not generate false content, or access ACL'd content -- is actually worth?

Long story short, companies offer guaranteed set-size rewards as a counterpoint to the black market's potential highly variant payouts.


Companies like Facebook offer rewards as an incentive to get people to report bugs to them rather than to blog posts. The next highest bidder anywhere in the world for bugs like these is ε.


I know, right? $10,000! Facebook is worth billions! Think what the black market might pay for a bug that would delete any Instagram comment!


> I know, right? $10,000! Facebook is worth billions!

But is causing monetary loss to Facebook, specifically, worth much to anybody? Anybody who would take the risk of committing a crime to do so?

This bug deletes content on Instagram. Unless you are the most underhanded of Instagram competitors, or just want to cause wanton Instagram picture destruction, I don't see why you as a third party would pay for it. Also, since I assume FB has backups, this is at most a relatively sophisticated DOS attack. Now, if you could insert data then you have stage 1 of an APT deployment platform, which is a whole other story.

Also, you underestimate the lifetime potential earnings of "I discovered an attack on one of the 2-3 most popular internet platforms on earth at 13 and practiced textbook responsible disclosure with it". Beyond that, selling bugs to the highest bidder is very hard to justify, ethically speaking, and a lot of people put a high price on their integrity.


Previous commenters on HN have thought differently https://news.ycombinator.com/item?id=10795785 ;)


It is the same commentator. It appears in this most recent comment he neglected to add a sarcasm indicator.


you missed the ;) at the end of my message :D


Indeed I did.


A bug that allows unauthorized children to delete content from other users' accounts may point to other vulnerabilities, which could have even more value.

IIRC FB/Instagram didn't pay out on a report that took their entire AWS keys though...


There are no Facebook vulnerabilities that have a value any higher than what Facebook is going to pay for them.

If Facebook was sending t-shirts instead of writing 4-5 figure checks, these discussions would be more interesting. But that's not what Facebook does.

Put it this way: before Facebook started these bounty programs, what do you think the price sheet for Facebook bugs on the "black market" looked like?


Well the NSA tapped into Google's internal datacenter traffic to steal user information. So some vulnerabilities like that might be useful to them.

https://cms-images.idgesg.net/images/article/2014/06/googles...


I'm having trouble connecting your first sentence to your second. It sounds a little like saying "so, the US army has M109 Howitzers, so maybe they'd be interested in this 3D-printed zip gun I just made."


I'm not talking about the vulnerability that this kid found. I'm talking about vulnerabilities that would allow access deep into the Facebook infrastructure. I think there are in fact some vulnerabilities the NSA would be willing to pay more than $10k for if it would allow them long term access to a lot of sensitive Facebook data.


If I find a wallet on the ground, I try to return it to the owner even if there's no reward and even if I'm not legally obligated to do so. I'd want someone who finds my wallet to do the same.


A bird in the hand is better than two in the bush.


People do. There are entire underground markets for exploits, hacked user databases/emails, Amazon AWS keys, etc.