Right, with something that powerful I would just sell the 0-day to the highest bidder. Or even use it to commit some fraud. Taking over any @gmail account is a pretty powerful exploit that could lead to a lot of monetary compensation if used correctly. Scary that Google only sees that as being worth 75k (way less than one year of engineering salary).
What is the legality of selling an exploit? Are you free and clear, or can you be tagged with enabling a future crime? Would they need to be able to trace a specific incident back to your exploit or get you on a catch-all law?
Bugs are found all the time. Sharing a bug you found is not a crime, but I imagine they can always get you on tax fraud.
There are quite a few "legit" exploit resellers who will gladly pay millions for exploits and report the income to the IRS. They seem to do fine legally so long as their primary customers are govt or quasi-govt agencies. Now, if you decided to sell to an embargoed country I'm sure they'd suddenly declare the exploits munitions and try to lock you up for a long time.
There's no specific law against selling exploits. The problem is the subsequent crime - and if someone wants to pay you a lot of money for a 0-day in Google, it's hard to come up with an explanation other than that they're about to commit a crime.
So, if you knew or should have known, then feigning ignorance won't save you and you won't be having a good time.
You're both missing the point. Consider this: you're a big tech engineer, would you risk your career and many years in jail for 75k? Of course not. How about 5 million? Maybe you would... Big tech already has a massive problem with insider threats; they don't need to offer some of the most clever programmers in the world (their employees) a massive incentive to screw them over.
The point you are missing is that many of us do not have big tech careers. I am very fortunate to have a big tech career, but before I was hit by a stroke of luck, I was doing gig work paycheck to paycheck barely making ends meet. When you can’t see more than two weeks ahead in time, which you cannot do living paycheck to paycheck, you don’t think about the long term consequences because you are not capable of it. The incentive structure is too strong to sell zero days to any external party for those who have nothing to do all day but try to find exploits.
I think GP is suggesting an insider could introduce a bug, have a confederate "find" it, and split the money. At $5m I think more than a few big tech employees might decide to write themselves a new minivan.
I think you'd have a tough time deliberately putting something like that in at a large company. The cost of failure is losing a very good job.
If you discovered a vulnerability and sat on it for a future payout that would be more likely, yet still risky.
Though it does come down to choosing to do crimes in the face of incentives and disincentives. Nothing unique here - humans break the rules all the time.
It's trivial for a motivated engineer to deliberately introduce bugs, most couldn't avoid it if they tried. It wouldn't be too hard to pass it off as an honest mistake either. You might not even lose your job, as a lot of places have a "blameless culture".
Not actually, I am not a law breaker ;)