Black-hat hacker sells HP security secrets… from inside HP
by John Biggs on July 2, 2008

In order to build up a nest egg for a start-up project, French programmer Steve Rigano began selling HP, SAP, and Windows 0day vulnerabilities online for substantial sums of money. The kicker? Rigano was an HP security consultant and on the HP payroll.

The 0day trade is considered by security experts to be something akin to arms dealing. Stockpile enough 0day exploits - exploits that are completely unknown even to the companies they affect and, most importantly, have not been patched - and you have a collection of cyberwar tools unmatched in the industry.

Adam Penenberg at FastCompany interviewed Rigano and his story actually spurred HP to fire Rigano. This just goes to show you that even behemoths don’t know what’s going on in the back offices and that we should all be finding 0days to fund our start-ups.

UPDATE - Rigano writes:

“I was never an HP employee (but an employee in an HP partner company). I never found / discovered or sold any HP product bugs, nor HP partners’ bugs (such as SAP). I have taken legal action against Fast Company for libelous things.
Moreover, I stopped trading vulnerabilities one year ago now (so before working with HP).”

Comments

  • I like how it compares trading 0day to arms dealing. One thing though. 0day never killed anybody. Or did it? Oh wait… tons of individuals who made a mistake in life. Chances are even that if their company would pull some money out of their pocket to meet the employee’s demand for a sufficient living, this would have never happened. Why destroy a company you love?

    Either way it happens. I’m just sickened by how they try to punish people to the max for DDoS or hacking in general. The company makes the courts believe it’s murder and the courts actually believe this crap in most cases. Sure, you could have lost those billions or the security of your company could have been at stake. Ask yourself this though: if the hacker was your own son or daughter, would you be so quick to tell the court that it was equal to dealing arms to terrorists?

  • What’s McLovin doing on a cereal box?
