I think (though I can't be sure) what they're trying to say is that it's still legitimate, but it's opaque, because nobody wants to talk about it. Because of that, it seems to outsiders like it's an evil black market, even though many people involved in it believe that they're doing the right thing.
Sorry, to clarify I was referring to the voice of industry insiders. I mean that no one who knows is willing to speak about it.
There is so much bullshit about the “highly lucrative black market” that it is staggering. The market is not big. There is significant risk which gets factored into the payment structure, so the payments are lower than people imagine.
The market is not very liquid. If you have a Chrome capability for sale but your client already has a Chrome capability, they won’t buy it. If their capability dies, then they’ll want yours, but by then yours might be dead as well. Gross oversimplification, but that is generally how things work. The demand is very specific, the supply is very limited, and the product is very fragile (particularly time-sensitive). It is lucrative like making a startup is lucrative. You invest a lot of time and resources and sometimes, with luck, you win big, but the odds are not in your favor for a million-dollar payday.
Most articles treat it like some sort of open market drugs bazaar. It is nothing like that at all. It is more like a handcrafted goods faire with a few wealthy customers looking for exactly the thing they need. Only they won’t tell you what they need, they simply want to see what is on display. Lots of window shoppers, as it were.
The product has an unknown shelf life.
The customer cannot tell you what they need, they will only look at what you have and possibly choose something.
The developer needs to ensure that they provide sufficient information about the capability so the customer can make an informed decision. But they have to avoid revealing enough detail that it could be reproduced from the ad copy.
Part of what a broker does is actually translating between two parties who don’t speak the same language. The customer needs a Tor Browser Bundle capability. The developer has written a Firefox UAF RCE that relies on JIT spraying for reliability. Someone has to translate from exploit dev speak into IC language.
For the IC, that TBB capability is a replaceable part in a larger program that enables them to achieve their mission objectives. For the exploit dev, that bug is a labor of love that they spent months working on. They have completely different views on the value of the capability. One side sees it as a component they need for a machine they want to use. The other side sees it as weeks of frustration and pain invested into a unique masterpiece.
They have different expectations, don’t speak the same language, and don’t trust each other. Things have changed a lot from when I was involved. It’s all very fascinating but, as I said, no one who knows about it will discuss it.
I’m being stupid and talking about it, again. But hopefully this will clear up some of the stupid myths about the vulnerability market.
For example, all those “wow, a way to read someone’s private messages on Facebook? That’s got to be worth millions!!” No, it is not. If a legitimate client wants to read someone’s messages on Facebook, they get a warrant. There is no ROI for cyber criminals, and whatever it might be worth to North Korea, the risks associated with that sale are not worth it. That bug is worth whatever Facebook says it is worth. Dropping the 0day would make for some news, but mostly it would be negative. So the only rational way for a security researcher to make money from a Facebook bug is through the bug bounty system. (I’m not addressing cyber criminals discovering such a bug, because that is not relevant to the issue of vulnerability sales.)
Based on their recent acquisition, it seems like Azimuth made something of a working de-risked business model relative to the uncertainty of the broker days, no?
So in past, present and future, the legitimate sale of vulnerabilities is now closed forever. When was it legitimate?
Are you saying that since it is not legit, exploits should never be sold? What are you advocating for?