I think it is legal, in part because the US still lacks data privacy and security regulations. In fact, I am quite sure the government allows persons who have worked for intelligence agencies to gain employment in private corporations to develop and exploit 0-days, for use by corporations and the government alike.
I do not believe there are any restrictions on what 0-days can be sold to or bought by the American government. As far as I know the only thing resembling restriction is regarding export to non-allies which stems from the Wassenaar Arrangement. https://en.wikipedia.org/wiki/Wassenaar_Arrangement
And I'm not entirely certain how codified into law such restrictions are on private citizens and companies. There is always article 3 section 3 clause 1 of the constitution where it outlines the crime of treason as "levying war against them, or in adhering to their Enemies, giving them aid and comfort." Though I don't know that selling a security vulnerability to a foreign government would be considered treason or trigger any related laws. I'm unaware of any prosecutions or civil suits against private citizens or companies regarding the trade of 0-days.
There are quite intense requirements to sell to the govt in the general case. It's unlikely anyone can just decide to sell to the federals (what's your duns number?). One of the evergreen complaints against the USG is that contracting is rigged and stacked against SMBs because of the compliance overhead.
In the specific case, it's unlikely to be illegal to sell, however it would generally be illegal for the g-men to buy. With the exception of certain intelligence community members. And even then within say e.g. the Army. The Cyber component likely could buy your zero-day, but Human Resources Command or Recruiting Command absolutely could not.
And even then, say you do sell your sweet, exquisite zero-day rce to the correct part of the CIA: there's a legally mandated Vulnerability Disclosure Process that if your shit is so good it will foreseeably cause the next NotPetya then the vuln will be responsibly disclosed in any event.
6 comments
[ 1.5 ms ] story [ 31.3 ms ] threadAnd I'm not entirely certain how codified into law such restrictions are on private citizens and companies. There is always article 3 section 3 clause 1 of the constitution where it outlines the crime of treason as "levying war against them, or in adhering to their Enemies, giving them aid and comfort." Though I don't know that selling a security vulnerability to a foreign government would be considered treason or trigger any related laws. I'm unaware of any prosecutions or civil suits against private citizens or companies regarding the trade of 0-days.
In the specific case, it's unlikely to be illegal to sell, however it would generally be illegal for the g-men to buy. With the exception of certain intelligence community members. And even then within say e.g. the Army. The Cyber component likely could buy your zero-day, but Human Resources Command or Recruiting Command absolutely could not.
And even then, say you do sell your sweet, exquisite zero-day rce to the correct part of the CIA: there's a legally mandated Vulnerability Disclosure Process that if your shit is so good it will foreseeably cause the next NotPetya then the vuln will be responsibly disclosed in any event.
Edit: if you are interested in top cover for your dalliances, here is an exemplar job listing from LockMart https://www.lockheedmartinjobs.com/job/hanover/reverse-engin...