Slashdot Mirror


How To Go Broke Selling Zero-Day Exploits

Trailrunner7 writes "Despite all of the hand-wringing and moral posturing about the public sale of security vulnerabilities, it turns out that not many people are buying or selling vulns, and the ones who are aren't making much money at it. A new survey of security researchers who sell vulnerabilities either publicly or in private, directed sales found that the vast majority of the flaws sell for less than $5,000. Almost none of them sell for much more than $10,000. At those prices, there's little chance that this is going to turn into the chaotic Wild West marketplace that some people predicted. It's a small, mostly controlled market that isn't making anyone rich."

2 of 66 comments

  1. Missing component: trust in the seller by Anonymous Coward · Score: 5, Insightful

    Right now there's no way to have much confidence that you're actually getting what you're paying for. If the exploit doesn't work, what recourse do you have? This is a pretty common element in any underworld economy, but is exacerbated by the Internet's anonymity and the newness/smallness of this particular market.

    The bad news is, other underworld markets eventually overcame this problem.

  2. Re:(shrug) My computer is disposable. by SomeJoel · Score: 5, Insightful

    In the unlikely event I get a computer-killing virus, trojan, or exploit (hasn't happened since 1985), I figure I'll just trash the thing and buy another one for $300-400. Computers have become disposable just like other appliances.

    It's not the computer that has value, it's your data.
