Zero-Day Exploit Sales

The cluster discusses monetizing security vulnerabilities by selling zero-day exploits to brokers like Zerodium or black markets, often comparing payouts to bug bounties and debating ethics.

➡️ Stable 0.7x Security
Comments: 2,393
Years Active: 19
Top Authors: 5
Topic ID: #5059

Activity Over Time

2008: 4
2009: 19
2010: 26
2011: 33
2012: 90
2013: 183
2014: 134
2015: 143
2016: 178
2017: 183
2018: 140
2019: 175
2020: 214
2021: 238
2022: 135
2023: 131
2024: 173
2025: 187
2026: 7

Keywords

program.html ID IC tripwire.com VUPEN youtube.com OS CVE NSA zerodium.com exploits exploit sell selling market vulnerability vulnerabilities black market buyers bug

Sample Comments

3pt14159 Dec 2, 2020

Because you're missing the other half of the exploit market: Selling vulnerabilities for big cheques. https://zerodium.com/program.html

rdl Mar 30, 2012

You realize you could be monetizing these security vulnerabilities, right?

badrabbit Aug 24, 2018

Bounties are one thing but how about selling exploits to organizations like zerodium? Since you won't disclose, won't they pay a lot better?

shuringai Dec 13, 2020

You can sell it to others. Zerodium buys 0days for 10 times or more than the original bounties. https://zerodium.com/program.html

dsacco Jul 22, 2015

This answer depends on your ethics and the nature of the security vulnerability you've discovered. I'm going to leave out web application vulnerabilities, because the vulnerability half-life, method of discovery and supply/demand on those is entirely different. For those, check out bug bounties. Let's go over your options:

1. Responsible Disclosure: Do you have a privilege escalation, sandbox escape, remote code execution, etc. vulnerability in a major browser (Int

underwater Jun 16, 2012

They are making an explicit decision to reap a larger payday by selling the exploits to governments or other companies rather than disclosing it to the original application authors for the standard bug reward. The sellers have no way of determining how the exploits will be used. The mere fact that buyers are willing to spend so much on an exploit indicates they are not just collecting them out of idle curiosity. Even if we could completely trust the buyers to not misuse or share information about the

sureglymop Aug 11, 2025

I mean you just search on google... Zerodium, Crowdfense, Exodus Intelligence, etc. Sure, I'd say the "sell it elsewhere" stuff is always a bit overly optimistic but due to the nature of this specific exploit I am pretty sure you could find a buyer offering good compensation.

dylan604 Apr 12, 2024

How much would that exploit be worth on the open market?

nullc Mar 20, 2015

> avoids the urge to go to the black market (or NSA, etc).

You can still sell your exploit to the black(site) market and later collect a bounty on it. You take some risk that someone else finds it or the party you sold it to leaks it. Price accordingly.

qazqwert Sep 10, 2017

nice man... you know that you can basically sell exploits like that on the darkweb - after they are patched.... - no one can steal the money but people will buy the exploits......