According to free market economics, this is exactly what should happen. Security researchers sell their exploits on the dark web until bug bounties rise to the same or higher prices as the dark web will pay.
It's crazy that they can find a bug that would cost Instagram 1M+, yet payouts are in the thousands or maybe tens of thousands if you're super lucky.
I'm curious if it's illegal to sell exploits. Using them is obviously illegal, but is the transfer of knowledge for money illegal? I.e. I'm not allowed to build an M16, but presumably I could buy the schematics for one if I wanted (I've never tried, but I can't imagine possession of them is illegal since they make posters of it and what not).
That seems to depend on some very specific and unusual definition of "free market economics." Usually there is some unspecified assumption of rights (particularly property rights), and actions which violate those rights are not considered to be "free market" interactions. As an obvious example, if you creep around neighborhoods looking for people with valuable property that isn't well-secured against theft, then offer to sell a homeowner the information about the security problems you've discovered, and then sell that information to professional thieves if the homeowner declines, I don't think that would be "exactly what should happen according to free market economics."
I honestly think this is what free market economics will get us, due to the high barriers to selling on the black market (ethically, legally, and logistically). The bug bounty targets with high payouts from the company line up roughly with the ones with high payouts on Zerodium etc.
As I stated elsewhere in the thread, I'm not honestly convinced the fallout from a company being breached is that high, which leads to the current pricing for bug bounties. Twitter stock is massively up from when their incident happened in July. We'll see what happens with SolarWinds.
> I'm not honestly convinced the fallout from a company being breached is that high
The market clearly doesn't care, and so neither do executives. What needs to happen is a household company gets exploited/hacked/pwned/whatever so hard that their entire business collapses, maybe not entirely but significantly. Then the market will price these breaches very differently.
Zerodium is one of several companies that buys exploits and sells them to governments. This route supposedly pays more than public bug bounties, but with different secrecy etc. requirements.