Discussion in 'Business & Enterprise Computing' started by elvis, Jul 1, 2008.
What's to stop you selling it to both a bug bounty and Zerodium? Game the system.
The point was, Zerodium have a vested interest in publicly overpricing bugs, so when they sell them to the NSA they can point to their price chart and say "One Meelion Dollars". Because of this, when discussing bug bounty vs. black/grey market, you can't use that price chart as indicative pricing of what a bug is worth.
If every bug Zerodium bought from you was burnt in the next round of vendor updates... they'd get suspicious.
I would imagine the contract you'd have to sign with Zerodium says they'll send ninjas after you if you do disclose elsewhere.
One way to look at it, not how I see it though. They have a vested interest in making sure the best bugs come to them, and they're banking on being able to resell these bugs within a select pool of 'clients'. Those clients wouldn't be willing to pay if there were better/cheaper ways of getting the bugs. This is just the market responding to demand. There's nothing 'inflated' about it. Someone somewhere is willing to pay, or they wouldn't be offering the cash.
All I can find are press releases from Zerodium indicating how much they pay, and more articles about the team that claimed the iOS9 one. I can't find anywhere with security researchers saying "Zerodium paid me X for this" - even historically, after the bugs have gone public.
Unlike bug bounty platforms, where I can see how much has been paid, to whom, by whom.
I'm not saying Zerodium don't buy bugs, but nothing I've seen has convinced me they pay according to the chart. "Up to 1 Million Dollars"... $1 fits.
If I were selling zero-days for cash to someone that'd on-sell them to bad guys, I'd want to remain anonymous, lest some overzealous police force thought what I was doing was illegal.
If I were selling zero-days for cash to someone that'd get the bugs fixed, I'd want the credit (as well as the cash).
Fair call, but given the egos that are often involved when it comes to security, it's a red flag for me that nobody has posted a cheque from Zerodium on Twitter.
I can understand the scepticism, but given the attitudes around this, I can definitely understand someone not wanting to wave the flag. There are a lot of security circles you'd become persona non grata in. It's all well and good for me to say I'd happily do it for the pay day, but I don't have a reputation to maintain, and I'm never going to have a bug like this to sell in the first place so it's a meaningless comment.
I think the most likely scenario though is that keeping your mouth shut about your pay day is part of the NDA signed when handing over the bug. Knowledge that a certain security researcher was paid x amount by a zero-day reseller might be all the info needed for people to figure out what that bug is, or at least where the bug is. Researcher X spends 6 months posting on Twitter about his work in VMware, then suddenly posts a cheque for a million dollars from Zerodium. 1+1 might just equal 2 there...
The other thing too is, there's no reason Zerodium couldn't be buying these bugs for a million dollars then selling them to 5 clients for 300k each. The bug itself doesn't need to be worth a million dollars to the NSA, as long as the NSA doesn't want exclusive rights over it. If they do, they pay what Zerodium ask. If they just want their exploit and don't care that some other foreign three-letter agency has it too, they pay less.
Fucking support systems that promise to make your life easier. They demo you a well-polished system that someone has spent half their life making half usable, only showing you the polished surface of the turd without showing you any of the shit underneath. They charge you fifteen thousand hookers' worth of money to "train" you in the system without actually training you, just showing you "oh, this is a sphere, if you push it it will roll, but squares don't let you do that, oh and make sure this arbitrarily named checkbox is ticked or the system doesn't work, don't ask", and then post-sale give you the kind of support and service level you could get from a shelf stacker at Coles.
What kind of crack does anyone smoke to think it's a step up to have to wear out a mouse's left-click button every week because everything is so form-based, prefilled forms for standard service routines are out of the question, and you have to wait 20 seconds just to submit something while the computer struggles to run an overbloated turd of a fat client in 2019?
Change is great. I get that. But change for the worse is not. Chop your leg off and try walking now and then try telling me it's a better way of doing things.
Change for the better is great. Change for the worse is obviously not, and close behind that I would put change for nothing other than the sake of change.
Change is not something to be valued and cherished in isolation; improvement is. If things need to change to enable that, then fine - let's do it. But people get it utterly arse backwards and think that just by changing something, it will be better. If that's the limit of the simplistic thought that went into the process, then it's no surprise when the result is a fuckup.
Replace idiots with politicians...
Same same only different.
One is a highly refined subset of the other.
Hi-res gif. Click with caution.
Well that was a nice unexpected week-ish off. Now to deal with insane requests again
Two days on, one day off, one day on, and then another weekend.
At least half the office is off for these 3 days anyway. So much work will get done.
Yep! My commute was about 70% of normal traffic, there is about 30% of the usual staff, and I'm on Seek looking for work.
I've taken the 3 days off, it's a cheap 10 day holiday.
I've got so much leave banked up I was forced to (apparently a month is too much...). I understand the financial angle, but it's always hilarious when the Man says you're working too hard.
I would much prefer to be working this week and take the time when things are actually busy. I always used the same tactic over Xmas back when I was single. Work easy days over Xmas, then when everybody comes back grumbling about post-holiday blues I'll be like cya, and thanks for leaving me non-holiday prices and no crowding lol.
Not taking leave is an indicator that something dodgy might be going on (and you might get caught if you take leave).