Startup 0day's

Business model

Write patches for open source software, with their help introducing bugs there. Then, write exploits for their own bugs and sell them from $ 3,000 for a carcass.

Implementation

Of course, the OSS mainteners are not fools and they will not miss the obvious mistakes in the release. In this regard, it is necessary to clearly plan commits of the battery-bearing patches, so that one bug can spread over a dozen patches, contributing to the same amount of redundancy, in order to ensure that some patches do not fall into the stable version. Plus, in the OSS world, testing technologies for any serious product, be it kernel or firefox, are open, so bypassing the testing system is also not an insurmountable task.

Problems

1. For a programmer writing business applications, the OSS sources and documentation are a typical nightmare incompatible with life (I know from my own experience ...), so the role of the performers will have to be taken by the OSS authors or active members of the community with the experience of picking in defile blockages from 3 years, which in itself can be a problem. I think that not every pacer will agree to spoil the software he cherishes by himself ...
Decision:
On the other hand, it is enough to find one person who understands the architecture of the victim and is solid with you in vile plans, and the unsuspecting coders are officially officially hired in the appropriate forums, they will even be happy that someone is paying them for what they are doing. . :)
2. The high risk that a) your bugs will overlap on others and stop working b) Maintainers will not commit important parts of the “malicious” code. In both cases, the investment is at risk.
Decision:
Something concrete is difficult to advise, it all depends on who will design the bug, how much redundancy it will put in the patches, how it will track the commit process. In any case, it all depends on startups.
')

Money

If we take the average cost of a net 0day RCE for the browser (we will not point with a finger) for 3k $, and the number of copies sold, while the vulnerability remains on the sidelines, can reach twenty-thirty easily calculate the revenue of an average of $ 75,000, of which, according to speculative estimates 5k at max goes to programmers, and with the architect (if it is not you yourself) - as agreed.
In general, the business is similar to highly profitable and not very criminal.

Prerequisites

1. Money. The more - the better, but $ 5k - IMHO for the eyes.
2. Links. It is imperative to know for sure who will buy you in a row, preferably several people to know personally
3. Time. Willingness to risk money by freezing them for the duration of the project, which is again different, depending on the release-cycle of the product.

“Business should be socially responsible!”

It is difficult to overestimate the influence of such groups, if they appear, for the OSS world, because the very possibility of the scenario I described is a time bomb for the very foundations of the collective software development, and save Gates so that it will not work in our age ...