kelnos 5 hours ago

I'm pretty sure they have a legal obligation in most jurisdictions not to sell 0days for profit.

And they absolutely have a moral obligation to do things in a way to minimize damage and impact to other people's systems. (I'm not saying "responsible disclosure" is the correct way to do that, but hoarding vulnerabilities and exploits and selling them to the highest bidder certainly isn't.)

This is how society needs to work.

tptacek an hour ago

It is categorically false that there's a legal obligation not to sell vulnerabilities. There's an obligation not to knowingly sell them directly to ongoing criminal enterprises. That's it. Plenty of people make fuckloads of money selling vulnerabilities for exploitation rather than repair.

lrvick 4 hours ago

Let me make you aware of Zerodium: a broker anyone can sell vulns to, which sells to unspecified buyers you do not need to know about.

selectively 2 hours ago

(The buyers are the NSA, the IDF, Cellebrite, NSO and its successor corporation, and that kind of thing. Depends on what you are offering.)

You'll learn who the buyers are if you routinely have the really good stuff to sell! If you are offering iOS zero click on a semi-regular basis, the buyer is going to want to try to deal with you directly and preferably offer you a more regular form of employment, if you are interested. Some national governments may offer certain benefits to you, depending on your situation.

All depends on what you have to offer. If you were able to offer this https://arstechnica.com/security/2025/09/microsofts-entra-id... or something of that magnitude, a lot of problems in your life would just go away. The buyers would all be Five Eyes and the intelligence gain of having that kind of access even briefly is priceless.

In a more Western-centric context, imagine if you had a flaw like that, same 'no logs are generated' and 'every single customer account is accessible' but the impacted vendor was Alibaba Cloud. The researcher would get to name their price. That's the real world, that's the world we share. We shouldn't be blind to that.

mschuster91 5 hours ago

> I'm pretty sure they have a legal obligation in most jurisdictions not to sell 0days for profit.

It wasn't sold for profit; it was openly disclosed.

> And they absolutely have a moral obligation to do things in a way to minimize damage and impact to other people's systems.

All that "responsible disclosure" does is keep people from demanding better.