I remember reading recently that the U.S. military had to ground all DJI drones they had in inventory because of suspected hooks in the software and I was thinking it was just malicious backdoors, interesting to see there's a bit more of Hanlon's razor in there too.
It almost seems like you might be better off taking the bugs found to the US military or intelligence agencies to see if you can get bounties from them instead.
Of course, that puts you in a position of interacting with the US government on security research.
There was an interesting article in Wired a few weeks ago about how the Pentagon / DoD is actually taking bug bounties very seriously and it seems to be working for them.
I'm actually fairly sure this happens; there's a big underground market for selling exploits, and I'm sure the NSA and other international intelligence agencies are some of the major buyers.
The bug bounty programs are basically a counteroffer to those.
Aboveground, even - I've seen claims that brokers will allow seller's discretion on where exploits can go. (E.g. "NATO only".) Northrop Grumman, Raytheon, and Lockheed are commonly listed as zero day buyers. Presumably those channels either get passed on to American intelligence, or used defensively to make a "safer than the competition" claim.
It's certainly fairly overt, though I don't know the legal standing. Whether or not a researcher broke CFAA in finding a bug, is describing it to a third party a criminal act?
CFAA would apply only if the bug involved unauthorized access to the company’s servers (The violation being the researcher accessing them to validate).
The zero days you refer to would instead be vulnerabilities in software which a researcher would test against local software / hardware they own, not only for legal reasons, but also because actively probing a web server can set off alarm bells (Making access less useful after validation).
I can't recall the name of the site off the top of my head, but I know there is at least one site which ostensibly functions as a marketplace for selling security vulnerabilities to government and other "trustworthy" (ow my sides...) organizations. My understanding is that that site actually pays some very competitive prices against the black market. And heck, even if they are not USING the vulnerabilities and simply turning around and disclosing them to the manufacturers while driving up the prices cybercriminals have to pay... that seems like a grand idea to me personally.
Vupen launched Zerodium fairly recently, which is a bug bounty program to do exactly this. Though I think they sell to other government agencies besides just the U.S.