charlesabarnes 20 hours ago

Supply and demand. Selling via grey markets is an option, but many white hats don't go that route due to risk. There are plenty of people who will also find vulnerabilities without any money attached.

Aachen 2 hours ago | parent | next [-]

Not sure what risk, but for me it would be morals.

I've rarely gotten bug bounty money, and not even always a written thank-you, but it doesn't cross my mind to somehow seek out a malicious actor who wants to make use of what I found. Leave the place better than you found it, and all that.

jijijijij 18 hours ago | parent | prev | next [-]

That's a limited view. The damage this could cause should be accounted for. People don't have to sell shit; they could fuck things up just for the fun of it. That's something to consider, especially with a bunch of teenagers. Now, these big corpos didn't take the chance to sponsor and encourage these kids' early careers and make this fuck-up good PR, at least.

Aachen an hour ago | parent [-]

That's not how economics works. I can't do my job without a computer or glasses, but that doesn't mean I can pay the suppliers of these things most of my salary each. Preventing a 100k€ problem says almost nothing about what the payout should be. As for them just causing chaos for fun, that nets them just about nothing (what's an evening of fun worth, like what are you willing to pay for a cinema ticket?). This is certainly more (hundreds of times more) and so covers that risk as well.

tptacek 19 hours ago | parent | prev [-]

What "grey market" are you talking about? How specific can you be about it?

jfindper 19 hours ago | parent [-]

I know you love asking people this question, so sorry to spoil your fun, but you know just as well as I do that there isn't really a "grey market".

tptacek 19 hours ago | parent [-]

There absolutely is. I'm just not familiar with one that buys these vulnerabilities.