Bitcoin Forum
November 01, 2024, 05:08:42 PM *
News: Bitcoin Pumpkin Carving Contest
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Where can I sell a 0 day?  (Read 2699 times)
bitsofdust (OP)
Newbie
*
Offline Offline

Activity: 21
Merit: 0


View Profile
September 16, 2013, 07:37:50 AM
 #1

I may or may not have discovered a zero day that allows remote code execution. Where can I sell this anonymously?
peonminer
Hero Member
*****
Offline Offline

Activity: 798
Merit: 531


Crypto is King.


View Profile
September 16, 2013, 08:38:15 PM
 #2

Lmao Google anonymous
Subud!
Full Member
***
Offline Offline

Activity: 196
Merit: 100



View Profile
September 17, 2013, 01:50:47 AM
 #3

hackforums?
Kluge
Donator
Legendary
*
Offline Offline

Activity: 1218
Merit: 1015



View Profile
September 17, 2013, 01:55:15 AM
 #4

Freenode seems like the obvious answer.
clock27
Sr. Member
****
Offline Offline

Activity: 308
Merit: 250



View Profile
September 17, 2013, 09:49:29 PM
 #5

awesome dude lol good luck with that

danieldaniel
Hero Member
*****
Offline Offline

Activity: 854
Merit: 1000


View Profile
September 17, 2013, 10:21:01 PM
 #6

Depends on which site it's for.  If it's a site with a bug bounty program, I'd buy it (and report it and make a profit).

malevolent
can into space
Legendary
*
Offline Offline

Activity: 3472
Merit: 1724



View Profile
September 17, 2013, 10:43:38 PM
 #7

What software is it and how difficult is it to exploit this vulnerability?

Signature space available for rent.
mistfpga
Member
**
Offline Offline

Activity: 86
Merit: 13


View Profile
September 18, 2013, 02:19:58 AM
 #8

I may or may not have discovered a zero day that allows remote code execution. Where can I sell this anonymously?

I can broker this for you.  I have sold 0 daze to people like iDefense and Tipping point (ms apps mainly) however I have sold linux remote code executions for in excess of $80,000 (to pen test companies) I have numerous links into companies that will be of great help to you.  I can either introduce you or act as a middleman.  I do not mind. generally I sell to three companies, all of whom I know personally.  I am based in the uk.  But these companies are not.

There are some questions that need answering before you can work out who to approach.  - if push comes to shove I would be happy to buy it for bitcoin, then sell it for usd.

Is the exploit
Things that lower the price:
Remote interaction needed (visiiting a website, clicking ok, running a spesific word doc,  or popular app addin)
Service pack or kernel version specific
If windows, it has to be on something big, like any apple app, word, bitcoin, default installed programs, web browsers, kernel exploit.
Is it a post auth exploit?
Does ASLR or DEP get in the way?
32 bit only?

I dont want to get your hopes up, but unless it is unauthenticated, no interaction bug that is for the linux kernel (general branch), windoze kernel and/or win xp- 8 compatible, ie 7,8 and 9. you are probably not looking at much more than 15,000 usd maybe less.

my PGP public key is at pgp.mit.edu id: 0x5016FB50 my email is steve at mist fpga d o t net

I sell more than 10 zero days a year, to independent pentest companies.  Please contact me if you want more advice, contact details and or help with the shellcode (weaponised are the only type pentest companies take)

I am not going to list my clients on a forum (and yes I have sold 1 bug to idefense and 2 to 3com, shoot me, I dont give a shit, if coders can earn millions for being shit at thier jobs, why cant testers sell exploits?)

EDIT: you will have to trust a company somewhere along the line, whilst they checkout the exploit which is why I have my 3 companies. a lot of others (with 'security gurus') screw me like a bitch before.  it is a  jungle out there.
saif313
Member
**
Offline Offline

Activity: 84
Merit: 10



View Profile
September 18, 2013, 11:49:33 AM
 #9

now you could be most richest person in bitcoins world have a fun  Cheesy

TheSwede75
Full Member
***
Offline Offline

Activity: 224
Merit: 100



View Profile
September 18, 2013, 04:16:47 PM
 #10

Almost no reason to sell 0-days on the black market anymore if you can broker it to security firms. Risk is high and chance of being ripped off is crazy high when selling on black market. Another plus being that 0-day sold to reputable security firms can land you a 6 figure job.
mistfpga
Member
**
Offline Offline

Activity: 86
Merit: 13


View Profile
September 18, 2013, 05:53:38 PM
 #11

Almost no reason to sell 0-days on the black market anymore if you can broker it to security firms. Risk is high and chance of being ripped off is crazy high when selling on black market. Another plus being that 0-day sold to reputable security firms can land you a 6 figure job.

Isnt that exactly what I said anyway a decent remote will land you a six figure one time paycheck... The OP wasnt trying to sell for/to the blackmarket, he is trying to get bitcons for bugs, rather than usd.  so he can remain anon - a lot of background checks are done by pentest companies.  3com and idefense are useless, more than useless and a rip off.  as my experience with another very vocal member of the security community..  there are few pros like 3APA3A around anymore. do not use them. but then I was never a scene kid.... those that can do, those that cant talkabout it.

as a tip, look at using beyond security, they are good people - contact them first with your 0-day. then there is argensis they are also trustworthy lastly try NGS, none of these companies are shady and will pay 6 figures for the right bug.

anyway, seeing as you have so much experience in this (please dont be skylined - and yes I know why you are called skylined, so no bullshitting, you still owe me a pint!!)

good luck.
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!