I'm curious how selling a multi-million dollar 0-day to a shady company actually works in practice. Like how does the seller demonstrate that their exploit works and isn't already in ShadyCo's catalog without giving up how it works (at which point ShadyCo could just not pay them and recreate it).



The same way everything works: trust.


Apparently an escrow arrangement is used by some of these companies. You disclose vague details in exchange for an offer, and once you agree, they escrow the money and then you release the artifacts.


And the related concept, reputation. If NSO had a reputation for screwing 0-day finders, their supply would dry up.


Surely NSO doesn't say "hand over your exploit and if we don't already have it we'll give you millions - you can trust us".

And I would argue most trade is not based on trust, except for maybe trust in the legal system and repercussions if someone tries to screw you over.


Not sure about NSO specifically, but this actually is how it works. If they screw someone over others won't sell their 0days. Except they don't pay the $2MM up front, they pay out based on a pre-agreed upon lifespan of the exploit.

First you provide a description of the exploit, then you get an estimate, then you have to provide the exploit for vetting, and the payout has multiple cliffs similar to equity vesting in a company.

This way you can't sell them an exploit for $2MM and go play Robin Hood by reporting it to the vendor once the check clears.


Thank you, this is the kind of insight I was looking for.