Vulnerability Values Fluctuate Between White, Grey and Black Hats

A black hat selling vulnerabilities can make as much money as a white hat researcher using bug bounty programs, or a grey hat working for a nation state doing reverse engineering. 
Speaking at a Tenable conference in London last week, director of research Oliver Rochford said that paying people to do vulnerability research is expensive, and that the white, black and grey markets are symbiotic: despite the difference between being legal and illegal, the different markets “mirror each other as it starts with vulnerability discovery.”
Rochford said that this “shows how professional cybercrime has become,” noting that the main difference between the criminal and legal sides is ethics. In one slide, Rochford pointed out that vulnerability discovery and exploit research and development are the same on both the offensive and defensive sides, while the differences lie in "operationalization": offensive actors pursue espionage, sabotage and fraud, while defenders focus on threat intelligence and adapting compensating controls.
In his research, Rochford showed that in some cases you can earn more as a white hat vulnerability manager than as a black hat, with a black hat able to earn around $75,000 in this sort of work. Rochford said this “is achievable and attractive” and, while it was more lucrative to do it legally, if it is not, “it is a way to make a living.”
Looking at the value of exploits, Rochford said that you can earn around a million dollars for an Apache or Linux vulnerability on the dark market, while an exploit broker (grey market) will pay around $500,000. WhatsApp vulnerabilities on Android can earn a million dollars on the black and gr ..