Not all researchers are comfortable with the ethics of selling the zero-day vulnerabilities they've discovered to governments and offensive security companies. But those who do seek profit beyond that of a traditional bug bounty reward will require a fair share of business savvy to seal the deal, according to former vulnerability broker Maor Shwartz, in a Black Hat presentation yesterday that offered a unique inside glimpse into the zero-day economy.
Shwartz's vulnerability brokerage firm, Q-recon, closed down last year, yet he still offers free business guidance to researchers. In that spirit, Shwartz offered conference attendees a series of tips on how to properly close a transaction while avoiding damaging one's reputation when selling a zero-day.
Many of his key recommendations revolved around maintaining a trusting relationship with buyers. For example, researchers who discover a quality vulnerability should be honest if the corresponding exploit they developed needs improvement. "If you have this beautiful vulnerability, but the exploit is the problem, please tell them [the buyer] because it will literally save the deal," said Shwartz. "Once they understand that, they will be willing to pay you the full amount or reduce a little bit. Just because the exploit isn't good enough doesn't mean the vulnerability" isn't good enough, he continued.
Other tips included:
- A non-exclusive selling strategy, whereby multiple buyers are pitched, can get complicated, so limit the potential transaction to a few trusted clients.
- The price of zero-days is subject to the laws of supply and demand. Vulnerabilities and exploits will potentially lose value if the market is saturated with bugs and exploits that have similar capabilities. For that reason, being unique holds a strong financial advantage.
- Consider opening an official company if you intend to regularly sell.