I'm not big into the security game/community, but I really don't understand the logic of "don't divulge how you break out of the sandbox = more exploits get fixed". And I did read the source link and try to understand...
Google just wants the work done for them. If you can make an exploit, you can explain how it works and how to patch it. On the other hand, if Google just sees an exploit in action, they have to spend time reverse-engineering it to find out how it breaks the sandbox and come up with a fix; that takes far more time than just requiring the working exploit.
$60k looks like a lot less when you don't know going in that you'll even find anything. It's potentially months of speculative work, and you stand a very good chance of coming up empty-handed. For not much less, anyone with this skill set can have a guaranteed salary.
There is also the fact that anyone in the industry can make a few phone calls and have a bidding war on this type of exploit that will go well into the 6 figures, possibly as high as 7 according to some. $1M sounds high to me personally, but there is no doubt that it will fetch a few hundred thousand.
Where on earth did you get the idea that there is something illegal about selling exploits? Several companies exist that do exactly this, and they operate in public, above board.
To my knowledge, the US government is the biggest buyer of unpublished exploits. And they pay a lot more than 60k. One well-known US-based company is even run by a former NSA employee, and they're currently advertising a remote pre-authentication exploit in the latest version of MySQL.
Penetration testing is the common answer, though that job description can also be a bit of a euphemism.
It is also worth noting that breaking into the computer of a foreign national that is located overseas is often not a crime in the United States, or is at least considered very difficult to prosecute if it doesn't involve fraud, financial transfers or a few other hot buttons.
Are you familiar with anyone who has ever gone to prison for selling an exploit to a third party? What were they charged with? You may not be interested in the kind of attention you'd get from intelligence or law enforcement, but as far as I know the act itself is legal in most/all jurisdictions.
It's also fairly 'common knowledge' that taking $60k and some hacker fame from Google in a legitimate setting is a VERY legitimate way of setting yourself up for a $100k/month job at Google or any reputable infosec company.
Selling exploits on the black/grey market is and will always be fast money, and a bad idea.
When it comes to vulnerabilities affecting modern day browsers, there are two main categories: code execution and post-exploitation bypasses (sandbox escapes).
[...]
Without one of these, the second type of vulnerability is neutered.
The idea is to encourage researchers to divulge only their more common (and thereby relatively less valuable) code execution exploits, as fixing these exploits alone will (according to ZDI's theory) defuse any threat the sandbox escape exploits pose.
ZDI, though, is insanely biased in this regard. They make their money by selling protection to companies -- fewer bugs, less money for them. Google has a vested interest in making their software more secure, ZDI has a vested interest in keeping their customers coming back for more patches.
From a high level, divulging the details could lead to the hole being patched up. Not having the details requires a much more thorough study being done to find out what happened.
I.e., if someone reports a working exploit for Chrome but doesn't tell how, Google has no choice but to investigate as deeply as it can and root out any possibility it can think of, and perhaps do automated checks in all of the source where it could possibly happen.
If you instead point out it's a buffer overrun in file x.c, they'll likely just patch up that one file.