
That's only true if you have no way to be put in (financial) risk by the vulnerability you're not disclosing to Apple.



If you're a security researcher, you probably know how to cover your tracks.


Do you? The skills involved in VR and exploit dev don't necessarily mean you're good at opsec.


True, plus "opsec life sucks" so most of us don't do it.


Where do security researchers sell their investigation on the black market? Links?


The following companies buy 0-days. Each has a slightly different business model:

Zerodium - http://zerodium.com/
Azimuth Security - https://www.azimuthsecurity.com/
NSO Group - https://www.nsogroup.com/
ZDI - https://www.zerodayinitiative.com/
SSD - https://ssd-disclosure.com/


Zerodium is probably the closest thing to a “legitimate” acquirer of exploits, those which aren’t being disclosed to the vendor and then fixed.


Any company that builds software for government tracking, like NSO Group, will happily pay, and they have very deep pockets.


Yes, but the risk if you’re caught is huge.


Not if you're selling them to -your- government. Then you're a patriot, but also a rich patriot.



