Excellent post; very interesting!

How many of these "expensive" bugs are directly due to memory safety? From a quick glance it looks like this entire market is held up purely on that quirk of C/C++. Of course this is nothing compared to the money being poured into compiler and runtime tricks to try to undo those quirks. Which is probably little compared to the amount of money via time lost developing and debugging such an environment.

Overall these prices seem low compared to the capability. Is that because it's easy enough for governments and big corps to just hire teams and dev in house? These prices are well within SMB price range if an unethical company wanted to attack a competitor (though there are probably cheaper ways in). That, plus the price to compromise even federal agents (going off known cases where FBI and CIA agents were turned), increases my doubt that companies can actually keep secrets. I think of this when folks like Nikon refuse to document camera formats under the claim that it's a trade secret they are hiding from competitors.

It is curious though how little these go for, overall. Perhaps because they aren't overly directly profitable (exploitable for cash)? I wonder if there's more money in exploiting server software that you can use almost directly for profit? Perhaps not; it could be easier for the criminals with the infrastructure in place to find and exploit directly as part of operations.