Where can I sell a 0 day?

Pages: << < (2/3) > >>

danieldaniel:

Depends on which site it's for.  If it's a site with a bug bounty program, I'd buy it (and report it and make a profit).

malevolent:

What software is it and how difficult is it to exploit this vulnerability?

mistfpga:

Quote from: bitsofdust on September 16, 2013, 07:37:50 AM
--
I may or may not have discovered a zero day that allows remote code execution. Where can I sell this anonymously?

--

I can broker this for you.  I have sold 0 daze to people like iDefense and TippingPoint (MS apps mainly); however, I have sold Linux remote code executions for in excess of $80,000 (to pen test companies).  I have numerous links into companies that will be of great help to you.  I can either introduce you or act as a middleman.  I do not mind.  Generally I sell to three companies, all of whom I know personally.  I am based in the UK, but these companies are not.

There are some questions that need answering before you can work out who to approach.  If push comes to shove I would be happy to buy it for bitcoin, then sell it for USD.

Is the exploit
Things that lower the price:
Remote interaction needed (visiting a website, clicking OK, running a specific Word doc, or popular app add-in)
Service pack or kernel version specific
If Windows, it has to be on something big, like any Apple app, Word, Bitcoin, default installed programs, web browsers, kernel exploit.
Is it a post-auth exploit?
Does ASLR or DEP get in the way?
32-bit only?

I don't want to get your hopes up, but unless it is an unauthenticated, no-interaction bug that is for the Linux kernel (general branch), Windoze kernel and/or Win XP-8 compatible, IE 7, 8 and 9, you are probably not looking at much more than 15,000 USD, maybe less.

My PGP public key is at pgp.mit.edu, id: 0x5016FB50; my email is steve at mist fpga d o t net

I sell more than 10 zero days a year to independent pentest companies.  Please contact me if you want more advice, contact details and/or help with the shellcode (weaponised are the only type pentest companies take).

I am not going to list my clients on a forum (and yes, I have sold 1 bug to iDefense and 2 to 3Com, shoot me, I don't give a shit; if coders can earn millions for being shit at their jobs, why can't testers sell exploits?)

EDIT: you will have to trust a company somewhere along the line whilst they check out the exploit, which is why I have my 3 companies.  A lot of others (with 'security gurus') have screwed me like a bitch before.  It is a jungle out there.

saif313:

Now you could be the richest person in the Bitcoin world. Have fun  :D

TheSwede75:

Almost no reason to sell 0-days on the black market anymore if you can broker it to security firms. The risk is high and the chance of being ripped off is crazy high when selling on the black market. Another plus is that a 0-day sold to reputable security firms can land you a 6-figure job.
