| ▲ | tuhgdetzhh 17 hours ago | |
Could you elaborate on why not? | ||
| ▲ | tptacek 16 hours ago | parent | next [-] | |
What 'arcwhite said (sorry, I got dragged into a call). 1. The exploits (not vulnerabilities; that's mostly not a thing) that command grey/black market value all have half-lives. 2. Those exploits all fit into existing business processes; if you're imagining a new business, one that isn't actively running right now as we speak (such as you'd have to do to fit any XSS in a specific service), you're not selling an exploit; you're planning a heist. 3. The high-dollar grey market services traffic exclusively in RCE (specifically: reliable RCE exploits, overwhelmingly in mainstream clientside platforms, with sharp dropoffs in valuation as you go from e.g. Chrome to the next most popular browser). 4. Most of the money made in high-ticket exploit sales apparently (according to people who actually do this work) comes on the backend, from tranched maintenance fees. | ||
| ▲ | arcwhite 17 hours ago | parent | prev [-] | |
There's generally no grey market for XSS vulns. The people buying operationalized exploits generally want things that they can aim very specifically to achieve an outcome against a particular target, without that target knowing about it, and operationalized XSS vulns seldom have that nature. Your other potential buyers are malware distributors and scammers, who usually want a vuln that has some staying power (e.g. years of exploitability). This one is pretty clearly time-limited once it becomes apparent. | ||