Hacker News

The article says that this practice is legal. If the sale is made, and then the client uses it to do something illegal, is the hacker / Grugq free of liability?


I would guess yes. The sale of firearms is legal, but if a buyer then goes and kills someone with the gun, the seller of the gun is not liable. Not an exact comparison but for legal comparisons I believe it's apt.


On the other hand, selling firearms to people without doing a background check or when you know they're mentally ill or any such thing can be illegal (in some places, at least; I of course can't be familiar with legislation everywhere). I expect similar legislation may be introduced in the 'exploit market'.


But there are noble and perfectly legal ways to use a gun. But there are not many for 0 days.


Jailbreaking, test cases for hardening your own systems (cf. Metasploit), opening appliances/devices to other analysis.

Three very common cases. Would quarter million dollar exploits be used for these? Probably not, but it doesn't change the fact that there are legit reasons to buy, sell, and use zero-day vulnerabilities.


The prices that go on in these markets make any of those reasons fall pretty blatantly on their face. Just like someone wanting to buy 100 AK-47s is also certainly not going to use them to just take to the range.


Cydia (the gray market app store) generates over a million dollars a year in revenue. The operation of this store, and thus its revenue stream, is entirely dependent on jailbroken iOS devices. Thus, there is a business entity with an existential interest in iOS exploits that are easily available to the iOS-using community (i.e. the public). Would Cydia pay a quarter million dollars for an exploit to ensure that their customer base continues to exist? (Disclaimer: I'm not affiliated with Cydia in any way; that revenue figure is from an ex-Apple employee discussing an informal estimate.)


Noble? Not necessarily. Perfectly legal? The article talks about government linked buyers. If the behavior associated with using the exploit is technically illegal why would that ever stop a large government from using and deploying it?


Hacker sells to a broker in South Africa. AFAIK, SA is not blacklisted or anything, and who knows who the broker sells to or who the broker says he sells to. I don't see how the hacker is any more liable than a petrol sales assistant selling fuel to a drug courier.

But then the law is a strange thing.


Depends what country they are in and if that country actually enforces their own law. Thailand or one of its neighbors is probably a good place to live until any legal uncertainties are sorted out.


It's important to consider that Grugq is selective about his buyers. He won't broker a deal with Syria. As long as he sells to friends of the World Police, prosecution is not really a risk.


I think he is free; however, with all the fear-mongering, how long before calls to regulate this appear?


Regulate under what jurisdiction?


Perhaps 'perceived' public safety?



