What is the procedure for selling a zero- day?

Question

I read this question recently What does it mean to “burn a zero-day”?

I then researched on Google and read a few articles, this one "Shopping For Zero-Days" was particularly interesting because there are people that have companies that are in the business of just that.

Hints are given on who buys them, and I actually found Zerodium, Raytheon was mentioned, and of course governments as well.

But what is the procedure behind selling a zero-day? Like with Zerodium it says you have to submit it. But that can be kind of iffy I would think, specially if you are a "little guy" when there is actual companies that are dedicated to that.

I think that Zerodium just act as proxy of a Government or other Institution and the guy that have the zero exploit, as far as I know you need to provide information to Zerodium about the exploit a proof of concept basically. — camp0, Jun 20 '18 at 20:14
I can see that, however it seems like they would just be able to low ball you or say that they already knew about it, or something along those lines. Is almost like you would need someway to "patent" the exploit to protect your self. — 0siris, Jun 21 '18 at 22:24

score 5 · Answer 1 · edited Jun 16 '20 at 09:49

This answer only touches on the process of selling 0days to resellers like Zerodium and is only guesswork.

From the Zerodium FAQ:

What happens after accepting an acquisition offer from ZERODIUM?

After evaluating and approving the research, ZERODIUM will send you the final acquisition offer and the agreement to sign.

By signing the agreement, you will accept to sell your research to ZERODIUM and transfer all related intellectual property rights to us, meaning that the research becomes the exclusive property of ZERODIUM and you are not allowed to re-sell, share, or report the research to any other person or entity.

You can take a look at the submission process of Zerodium in this chart.

The part I marked in italics in the text is the important one. You as a researcher have to make sure that you document your research in advance and may¹ then claim intellectual property for it. That is pretty easy and cheap for instance in the US (costs 35$ I think).

Zerodium is then not allowed to reuse your code, unless you transfer the intellectual property to them. It will however - as you already pointed out - be pretty hard to prove that Zerodium will not do that. That is because Zerodium and their buyers do everything to disguise any business dealings they have. Possibly a contract is signed after Zerodium claims its interest in an exploit and before a researcher sends a pre-offer, but that is only speculation on my side.

In conclusion: A lot of that transaction - as every transaction with a 0day broker anywhere else - will rely on trust. If you don't trust them in the first place² don't sell to them. But: If you have a working exploit, my guess is they won't fool you. Because someone who is capable of developing one working exploit - the product Zerodium is trying to sell - is probably capable of developing more. So from Zerodium's perspective it is economically smart to establish a relationship and therefore trust to this person.

^{1 I'm not 100% sure on this, but I think you still have the Intellectual Property on your creation, even if it is not registered. Quote from the linked PDF: "With
unregistered IP, you automatically have legal rights over your creation. Unregistered forms of IP include copyright, unregistered design rights, common law trade marks and database rights protection for confidential information and trade secrets"}

^{2 IMHO: you shouldn't, just for ethical reasons}

You may want to point out that Zerodium lies about their prices and does not actually give out the full price they claim (which would be silly, as it's often orders of magnitude higher than even the most wealthy buyer would pay). After all, a KASLR bypass is never going to go for more than an actual Firefox RCE... — forest, Jan 19 '19 at 04:52

What is the procedure for selling a zero- day?

1 Answers1