
Selling 0-Days to Governments and Offensive Security Companies

Conference:  BlackHat USA 2019

2019-08-07

Summary

The presentation discusses the market for zero-day vulnerabilities and the different communities interested in them. It emphasizes the importance of understanding the market and the need for researchers to open their own companies to sell vulnerabilities and services.
  • The market for zero-day vulnerabilities has grown dramatically in the past five years, with more players from brokers to governments trying to buy vulnerabilities from the open market.
  • Different communities are interested in vulnerabilities, and each one has different needs.
  • The majority of researchers focus on low-hanging fruit, but there are also high-end researchers who find high-end vulnerabilities.
  • Researchers can sell end products, individual vulnerabilities, and components in a chain.
  • It is important to understand the legal process of selling vulnerabilities and to open a company to sell vulnerabilities and services.
  • CTF competitions are a good place to understand how the zero-day market works and to get recruited by companies.
  • The cybersecurity community is helpful and can provide assistance when needed.
The speaker emphasizes the importance of opening a company to sell vulnerabilities and services, because the industry is stepping out of the shadows and this is the only way to work legally. The speaker also offers their services for free to help those who want to sell vulnerabilities or have questions about the industry.

Abstract

Selling 0-days is a fascinating process that not a lot of people are familiar with. This talk will discuss a vulnerability brokerage company called Q-recon and provide a glimpse of how this market works. In the presentation the following questions will be answered from three different angles (researcher/broker/client):
  • Who (researcher profile) is selling 0-days to governments / offensive security companies?
  • What is the process of selling 0-days?
  • How to sell 0-days?
At the end of the presentation, I will give a few tips for researchers that want to sell 0-days to offensive security companies/governments.
