There’s 100% an active market for this, and I think tptacek is simply wrong on this point (the others are valid)
The likes of Cambridge Analytica didn’t go away, they exist and absolutely go hunting for data like this.
The ability to map between different identifiers and pieces of content on the internet is central to so many things - why do you think adtech tries to join so many datapoints? Let alone things like influence campaigns for political purposes.
I’m not talking about assassination plots, but more mundane data mining. This is why so much effort in the EU has gone into preventing companies from joining data sources across products - that’s embedded in DMA.
There's an easy way to put your money where your mouth is here. Just offer $11k for this or similar vulnerabilities out of your own pocket, and then resell them. If there really is a large and active market for this at higher dollar values, you'll make a killing!
Sure is funny there's nobody doing that despite so many people being so dead certain there's an active market.
And if I did, it wouldn’t stop people from doing co-ordinated disclosure either, would it? Same with high end exploits - some folks do co-ord disclosure because it feels good and is great for your CV; others sell gray market and we generally have no idea what’s being traded.
(With the exception of say, zerodium or 0xcharlie’s various talks)
Sure, but do adtech companies buy vulnerabilities in web services to advance their mission? Wouldn't that risk running foul of e.g. the Computer Fraud and Abuse Act?
This ignores tptacek's points in the top-level post.
> [...] a bug that Google can kill instantaneously, that has effectively no half-life once discovered, and whose exploitation will generate reliable telemetry from the target.
You can't set up unmask-as-a-service because it's going to take you longer to get clients than it will take Google to shut down your exploit.
1. It can still take a while before Google finds out
2. You can log every mapping you got in the meanwhile, then keep selling the ones you already have
Edit: although probably most of your business will be over when word gets out that your data isn’t exactly legal (which your clients have understood from the start, of course; they could just plead ignorance)
People keep talking about this as if there's a 0% chance of being caught if you do this?
So let's suppose that you did set up the service like this. Can you even make 10 K? What are your odds of getting caught? How much do you value not being in prison and/or having to hire a lawyer to get you out of there?
I’d take the 10k, too, but I think it’s possible to pull this off without getting caught.
It’s a lot more work, of course, but you can scrape some top youtubers first as it seems relatively easy. If you can pull this off you can then try and figure out how to legitimize your offering – I won’t go into details here, for obvious reasons, but now that you have something valuable on your hands it makes sense to spend some time/money on selling that.
You’re talking about this as if there aren’t other countries who actively infiltrate power infrastructure and for whom this is the most low risk mild attack (if you can call it that)
I’m not speaking theoretically, which I suspect most on this thread are.
Okay, which state actor is going to buy this for $100,000? How are you going to sell it to them? What's the risk of getting caught?
Even if someone on telegram was telling me that Russia would buy this information for $100,000, I think I would reach out to Google and "settle" for $10k.
I’ve seen a light version of this, where a “marketing data” company was scraping baby shower gift registry pages and selling the data to an infant formula company in the US.
The scraping was def in violation of the EULAs. Product data is one thing, but I believe this group was combining it with other sources and selling the identities and context as a bundle.
That’s not a new problem with selling info on dark web marketplaces. If you're interested in learning more, here are a couple of books you might enjoy:
“The Dark Net” – Jamie Bartlett
“We Are Anonymous” – Parmy Olson
“Future Crimes” – Marc Goodman
“Kingpin” – Kevin Poulsen
I think you've missed my point. I know data brokers exist. Does there exist today a data broker that functions in whole or in significant part by acquiring vulnerabilities and exploiting them to collect data? Here's a more concise way to frame my argument: if you're imagining yourself to be the first person to sell a particular kind of vulnerability to, then your customer is imaginary.
My feeling is that if he were still paying attention on HN he'd probably back me up on this stuff (if not, I'd be thrilled for him to come set me straight).