
Don't move the goalposts. I'm not saying there aren't black hats that target Facebook. I'm saying none of them will pay $15000, or even $500, for this or any other Fb bug.


"Don't move the goalposts. I'm not saying there aren't black hats that target Facebook."

Actually, you didn't limit yourself to "black hats that target Facebook", you put the "he's right" tag on a pretty broad range of remarks! One of them was about Facebook's super team of security experts (which I answered, so I'm not sure what goalpost moving you've seen, BTW), and another remark was "he would not even be able to find a seller, let alone one who would pay a lot", which I'm not sure I understand from which angle you are looking at things when concluding that "he's right". Let me elaborate a little bit. That bug had enough potential to power an account hacking service and the cash flow derived from it for an unspecified number of black hats, since anyone in possession of something valuable would first and foremost try to use it and only secondly try to sell it, you know? In such a context his remark doesn't even make much sense, so I'm not sure how "he's right" in your view.

I've read dsacco's post again and I see another nonsensical remark: "The total impact of the bug would be negligible." How do you judge the impact of the said bug? Would, say, disrupting the digital social connections between some political figures and their mass of followers so they'd lose contact for a while (exactly when it matters) count as "negligible"? Let's stop talking about pranks around TMZ, let's talk about the most lucrative possible cases here. And all this in itself becomes possible because Facebook is a high value target (another fact dismissed by dsacco, whom you consider to be "right").

Finally, about "none of them will pay $15000, or even $500, for this or any other Fb bug": if right now it so happened that I was willing to pay those $500 for a Facebook account hijacking method (which BTW is a tempting figure), what value would this conviction of yours still hold?


I would say you were paying $500 for a vanity bug, and not be especially surprised.

What 'dsacco is saying is essentially factual. The places that buy vulnerabilities don't buy Fb account takeover bugs.

You might find someone in --- another part of the world, let's say --- who would offer you a couple thousand for that bug. You should know, if you're ever in a position to make that deal, that the person who is buying it from you is willing to kill your whole family to make a point, because that is the reason they are buying the bug from you.

But you aren't going to find that person, any more than you're going to easily find someone to sell a portable antiaircraft missile to.


"I would say you were paying $500 for a vanity bug"

No, it would be just an (admittedly shady) business investment.

"What 'dsacco is saying is essentially factual. The places that buy vulnerabilities don't buy Fb account takeover bugs."

You either didn't read my post or you are deliberately ignoring it. dsacco was wrong on so many aspects, and so were you when you supported him; as for what you're doing now... I'm not sure what to make of it!


I'm sorry, but I don't see anything in this comment that is responsive to anything I've written or that introduces any new argument for me to respond to.


> I don't see anything in this comment [...] for me to respond to

Yet you did it anyway! :)

Actually, he did begin by responding with something useful to what you've written.
