Vulnerability Management

Selling zero-days to governments takes some business savvy, says former bug broker

Not all researchers are comfortable with the ethics of selling the zero-day vulnerabilities they've discovered to governments and offensive security companies. But those who do seek profit beyond that of a traditional bug bounty reward will require a fair share of business savvy to seal the deal, according to former vulnerability broker Maor Shwartz, in a Black Hat presentation yesterday that offered a unique inside glimpse into the zero-day economy.

Shwartz's vulnerability brokerage firm, Q-recon, closed down last year, yet he still offers free business guidance to researchers. In that spirit, Shwartz offered conference attendees a series of tips on how to properly close a transaction while avoiding damaging one's reputation when selling a zero-day.

Many of his key recommendations revolved around maintaining a trustful relationship with buyers. For example, researchers who discover a quality vulnerability should be honest if the corresponding exploit they developed needs improvement. "If you have this beautiful vulnerability, but the exploit is the problem, please tell them [the buyer] because it will literally save the deal," said Shwartz. "Once they understand that, they will be willing to pay you the full amount or reduce a little bit. Just because the exploit isn't good enough doesn't mean the vulnerability" isn't good enough, he continued.

Other tips included:

  • A non-exclusive selling strategy, whereby multiple buyers are pitched, can get complicated, so limit the potential transaction to a few trusted clients.
  • The prices of zero-days are subject to the laws of supply and demand. Vulnerabilities and exploits will potentially lose value if the market is saturated with bugs and exploits that have similar capabilities. For that reason, being unique holds a strong financial advantage.
  • Consider opening an official company if you intend to sell regularly.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
