
> They're making an explicit decision to reap a larger payday by selling the exploits to governments or other companies rather than disclosing it to the original application authors for the standard bug reward.

I don't know you but I get the impression that you've never gone through the bug reporting process from a bug hunter's perspective. Some places do offer bug bounties, and of course you have the usual ZDI, pwn2own etc. that you can go through, but from my own personal experience I've been ignored, threatened with legal action and dragged into a quagmire of free IT support because the manager handling the bug won't let me speak to a developer and doesn't understand the bug amongst other things.

On the other hand, finding a bug isn't hard, but developing a reliable weaponised exploit that works repeatably against multiple targets can be a heck of a lot more work.

My own personal view when it comes to disclosure is 'finders keepers'. It's my bug, I found it. It's not worth my time weaponising it to sell on the black market, and it's too high risk for me personally to be associated as being active in it; it's only worth weaponising to the point where I can use it in future on pentests and help customers implement workarounds.

> The sellers are willing to inflict damage on everyone else so they can benefit. That sounds like leeching to me.

s/sellers/buyers/



s/sellers/vendors/ ... let's not forget who created the bugs in the first place, then failed to find and remove them, and finally shipped a dangerously malfunctioning product! (Alien Invaders from Mars -- http://www.antipope.org/charlie/blog-static/2010/12/invaders...)

[edit: more pithiness]



