I don't believe those numbers will ever come close to converging, let alone bounty prices surpassing black market prices.
It seems like these vulnerabilities will always be more valuable to people who can guarantee that their use will generate a return than to people who will use them to prevent a theoretical loss.
Beyond that, selling zero-days is a seller's market where sellers can set prices and court many buyers, but bug bounties are a buyer's market where there is only one buyer and pricing is opaque and dictated by the buyer.
So why would anyone ever take a bounty instead of selling on the black market? Risk! You might get arrested or scammed selling an exploit on the black market; black market buyers know that, so they price it into offers.
Even though I agree with the conclusion with respect to pricing, I don't think this comment is generally accurate.
Most* valuable exploits can be sold on the gray market - not via some bootleg forum with cryptocurrency scammers or in a shadowy back alley for a briefcase full of cash, but for a simple, taxed, legal consulting fee to a forensics or spyware vendor or a government agency in a vendor-shaped trenchcoat, just like any other software consulting income.
The risk isn't arrest or scam, it's investment and time-value risk. Getting a bug bounty only requires (generally) that a bug can pass for real; get a crash dump with your magic value in a good looking place, submit, and you're done.
Selling an exploit chain on the gray market generally requires that the exploit chain be reliable, useful, and difficult to detect. This is orders of magnitude more difficult and is extremely high-risk work not because of some "shady" reason, but because there's a nonzero chance that the bug doesn't actually become useful or the vendor patches it before payout.
The things you see people make $500k for on the gray market and the things you see people make $20k for in a bounty program are completely different deliverables even if the root cause / CVE turns out to be the same.
*: For some definition of most, obviously there is an extant "true" crappy cryptocurrency forum black market for exploits but it's not very lucrative or high-skill compared to the "gray market;" these places are a dumping ground for exploits which are useful only for crime and/or for people who have difficulty doing even mildly legitimate business (widely sanctioned, off the grid due to personal history, etc etc.)
I see that someone linked an old tptacek comment about this topic which per the usual explains things more eloquently, so I'll link it again here too: https://news.ycombinator.com/item?id=43025038
That is why I said "also"; it should not be the only factor.
The conversation was moving between two possibilities only: either collect bug bounties or sell on the black market. I believe most (again: most, not all) security researchers collecting bug bounties right now would not start selling on the black market in case bounties disappeared. They would change their focus to something else to sustain themselves.
The market is priced at the point that is the most economic for the business. Apple buying an exploit for $100m is not worth it (to Apple) vs the potential loss of life of people who might be killed if it is sold on the black market. Buying an exploit for $1m prevents it being used to jailbreak, is good PR, and is ass-covering PR insurance in case an Apple exploit causes loss of life ('the seller could have sold to us, but instead they sold it to an evil corporation').
I've seen these advertisements too, also only when my phone had been playing unattended for some time.
I have a (unsupported, unsubstantiated) theory that YT detects phones of "sleepers" and pushes more profitable content with the understanding it won't be skipped.
I've got a few spare phones, maybe I'll run an experiment.
With YT, it might be an account-specific metric, i.e. flagged as a frequent sleeper. This would not surprise me, since they track just about every other metric possible against your account.
You can have multiple YT accounts on a single gmail acct, but I don't think that'll fool them. They know where you initially logged in from. So you will likely need multiple gmail accounts to do this kind of experiment.
I'm not sure why it would specifically be targeting "sleepers"... there are a lot of reasons why someone might not skip ads... people who are sleeping are probably the least valuable of them.
It could just as well be something super valuable -- like an unattended kiosk device playing youtube to a crowd of people.
Regarding the kiosk, I wholly expect that an unattended device with YT on auto play will ratchet up the length/frequency of ads as long as they're never skipped.
Someone who falls asleep watching YouTube will skip ads, unless they're asleep.
The idea is that if YT can infer that someone is asleep (location, no movement, no sound, low light, night) that they can show the longest, most skip-inducing ads that they've got since they know they won't be skipped.
The difference between the kiosk and the sleeper is that if the sleeper gets a 20 minute ad at 2pm while they're eating lunch, they'll skip it. YT is incentivized to show the most profitable ad that someone won't skip.
The value in identifying sleepers isn't showing a long ad, it's showing a long ad with the certainty that it won't be skipped.
Sure, but why would I, as an entity buying advertising space, pay the same amount when YouTube is just going to try to show them to people who are asleep, that can't see the ads, and thus would have no effect anyway?
I don't think they specifically target people who tend to go to sleep. But, having worked in ad engineering, I can imagine they do know how often specific users skip ads and target ads based on that property.
Small phones (to an extent) are less expensive than larger phones to manufacture.
The thought that "Small phones are only more popular because they're less expensive" seems to willfully ignore that the phones are less expensive because their inputs are less expensive, because they're smaller.
I wonder about the idea that they're less expensive. True in terms of materials, but possibly not true if the smaller production run means you can't offset the capital costs of manufacturing the parts.
That's fair. I suspect that as phones get more "premium" the margin from a small phone shrinks faster than a larger phone.
HTC has been making cheap (very cheap) and small phones for the discount market. Foldables exist in the premium space, but the price tags appear to bake in a higher margin for a device that won't sell the same volume.
Assuming these people don't understand that their ideas are unworkable is a mistake. Don't believe for a second they are stupid or ignorant.
The difference between a criminal and a law-abiding citizen isn't that the citizen knows that crimes are wrong, it's that the citizen cares that crimes are wrong and the criminal doesn't.
Now that you mention it, that's probably why they sent this letter. They know it's pointless but they want a paper trail to show they tried to find other solutions before requesting a block.
Yeah, but it's 4chan, they won't; the biggest consequence is they get blocked in the UK. And the kind of people that go there will be more than savvy enough to use a VPN.