top | item 20650766

Rotdhizon | 6 years ago

I'd imagine this is to combat marketplaces like zerodium and the deep web. Traditionally grey hat hackers don't always go through bug bounty programs because the pay is awful compared to what you can get through less ethical sources. By flexing that much cash at bug hunters, they are potentially now offering even more than what you could get on the mentioned markets. The only reason people go underground to sell exploits is for the money. Take away that variable and suddenly there's no reason to sell exploits to bad actors, just sell them straight to the source at Apple and get a fat paycheck.

xkcd-sucks|6 years ago

On these marketplaces, how do people demonstrate a PoC without giving away the intellectual property? Or is it unproven and completely reputation based?

shellcoder|6 years ago

Reputation plays a big part in it on both sides. Most buyers are not Zerodium and putting themselves out there as buyers. So, there is a certain degree of vouching that happens as someone introduces a buyer to a seller.

So, when either party violates the agreement, it reflects poorly on the person who made the introduction, making it harder for them to make those connections in the future. And these introductions matter: most sellers don't want to just sell to anyone; there needs to be some trust that who you're selling to will be selling it to friendly governments or whatever. It's not like a Craigslist ad where you sell to just anyone who answers.

So that acts as a deterrent on the buyer side. It'll be harder to get new sellers if you have a poor, or no reputation.

On the seller side, you're not going to get too many people willing to vouch for you as you start burning bridges by selling non-working exploits.

And on that, the payment scheme acts as a deterrent, like the great-grandparent said:

> grey-market sales are valued on continuous access; you get paid over a period of time, and if the bug you sold dies, you stop getting paid.

That is, you might get XX Thousand upfront, and then an agreed upon XXX thousand based on the exploit surviving XX days.

So trying to scam the buyer will net you a small amount of the total at best, but I mean, oftentimes they'll hold payment until it's confirmed, and contracts are written and signed over these sales too. It's not under-the-table payments or anything for the most part. Legitimate business transactions.

So, I guess to sum it up: reputation and a demonstrated, or at least vouched-for, past record. There is a lot of trust on both sides.

stuartd|6 years ago

I can imagine it being pretty easy.

Hacker: I have a no user-interaction RCE

Apple: ok yeah

Hacker: gimme a phone number

Apple: here you go

Hacker: …

iPhone: I am pwned

Apple: ok let's do the deal

jakobegger|6 years ago

I imagine that a remote exploit should be pretty easy to demonstrate without giving away how you did it?

lbatx|6 years ago

> The only reason people go underground to sell exploits is for the money.

Not reputation? Not the thrill of it? Not hatred of Apple? Not plain maliciousness?

izzydata|6 years ago

Some amount of money will likely be able to buyout those reasons, but that isn't guaranteed and all of those reasons are still reasons.

FrozenTuna|6 years ago

I don't know anyone who hates Apple that much. This way, you still get the reputation and thrill. The only people left are malicious actors, like state-sponsored attackers.

auiya|6 years ago

> I'd imagine this is to combat marketplaces like Zerodium

Zerodium already pays double what Apple does. Where's the incentive?