
Most firms are unwilling to invest any sort of money into security for their customers (this includes preventing breaches and having a sufficiently enticing bug bounty program). Third-party private firms are an arbiter that puts pressure on those same companies to invest more into their security or face the risk of serious PR problems.

>Say a company buys and sells insider trading information... Would it be legal? So why is buying/selling 0 days OK?

Insider trading is a Victorian-esque and arbitrary law. The same way sports ban PEDs under the guise of "fairness" (when in reality everyone uses steroids and PEDs, and most everyone does insider trading) so too do these outdated laws do nothing but put the SEC on a moral high-ground and bolster the tax bucket.

>Both are selling information that will be used wrongly in the wrong hands, the kind of information you don't want a "broker" to know about, the kind of information you don't want a broker to find clients for.

May be used wrongly. Zerodium is a grey hat distributor. They can sell to the companies themselves, domestic and foreign governments, or terrorists. The first three can be used for good (and it could be argued so could the terrorists if their ideologies converge with some oppressed opinions among a populace). It's not 100% and it's likely, but "good" comes out of it.

>And if there's only one potential buyer (the target), they're basically blackmailing 0 days targets: "become a client or... who knows what will happen... maybe the NSA or hackers will buy it?"

In a perfect world, you shouldn't have to have a coal tax and companies would care about the environment, but we don't live in this world. We live in a world where the only thing that matters is asset value, and good security is rarely seen as increasing asset value (only stopping asset decreation from scandals).




> and most everyone does insider trading

I know this is a popular belief, and there are certainly some outright violations in the industry, and then a whole host of activities that carefully toe this line, but by and large it's just not true. Most hedge funds and active managers underperform their benchmarks. I've spent my whole career in hedge funds and seen far more clueless money-losing portfolio managers than mischievous insider traders...


Most firms DO invest (lots of) money into security for their customers, bounty programs were not invented by Zerodium.

Brokers like Zerodium will inflate the price of 0 days, for sure. Maybe this will be an incentive for 0 days researchers to dig deeper. At least they'll be richer. But maybe it will cause more harm than good: it's a marketplace for exploits, and Zerodium will look like a 0day Walmart to hackers.

"They can sell to the companies themselves, domestic and foreign governments, or terrorists": I consider that the only ethical option is the first one.

If you're really concerned about security for consumers, can you tell me how you're trusting "domestic and foreign governments, or terrorists" to protect your security when they're buying exploits?

They're buying exploits, holes in security: they don't buy you more security, it's the exact opposite.

I'm sure companies are much more concerned about security for their customers than any other actor. Why would a third party want access to exploits if not to defeat the security put in place by the company?

0 days research is essential to plug holes, not to punch holes. Only the target can plug holes; the other "customers" only want to punch holes.



