Explore the intricacies of selling 0-day vulnerabilities to governments and offensive security companies in this 50-minute Black Hat conference talk. Gain insight into the operations of Q-recon, a vulnerability brokerage company, and learn about the fascinating process of vulnerability trading. Discover the differences between government and corporate clients, various researcher types, and the intricacies of the vulnerability market. Delve into topics such as payment structures, warranty models, terms of sale, market demand, validation processes, and legal considerations. Understand the role of vulnerability brokers, their services, and the benefits of working with them. Conclude with practical advice on getting started in the field, participating in CTFs, and accessing free services for client validation.
Selling 0-Days to Governments and Offensive Security Companies
Overview
Syllabus
Welcome
Introduction
White Hats
Difference between governments and companies
Different types of researchers
How does the chart work
What we learned
What is the process
Payment
Warranty and Sell Model
Terms of Sale
Market Demand
Validation
Backend
Validation Period
Test Environment
Freeze Payments
Property Rights
Support
Governing Law
Contacting Clients
Official Point of Contact
Government
Pros and Cons
Personal Connection
Vulnerability Brokers
Services Map
Benefits of Working with Brokers
Brokers Fees
Summary
Feedbacks
Biggest Take Away
Start Working
CTFs
Get Help
Free Services
Client Validation
Taught by
Black Hat
