Check the relevant laws and regulations for your country (the state section on the Wassenaar website should link to them, or at least name them to look them up). You can probably still sell exploits as long as you get an export license for them.
As I understand it, VUPEN was buying exploits before the exploit section was added to the Wassenaar agreement. They attempted to dodge the agreement by moving the company from France to Singapore (which is not a Wassenaar signatory), but then Singapore still added the exploit section to their laws [0]. VUPEN shut down before that law change anyway, due to bad press from the Hacking Team leaks.
Vupen turned into Zerodium. How would this law be enforced if (hypothetically) I took an encrypted pen drive to Zerodium's office, they like what I demo and pay me, and they then resell?
Who is tracking / investigating what just happened? How would they even know?
>Who is tracking / investigating what just happened? How would they even know?
For you selling to Zerodium, it would be the government agency in your country in charge of managing export controls. Unless you are bragging about it on social media, it is unlikely that they would know about you selling the exploit. As long as Zerodium doesn't tell your country about you selling the exploit, it will be very difficult for your country to find out (unless they investigate where you are getting tens of thousands of dollars from).
For Zerodium reselling, it primarily falls under the US Department of Commerce’s Bureau of Industry and Security (BIS). If they are selling to somebody nasty, the Department of State's Bureau of International Security and Nonproliferation could be involved, along with Homeland Security. Since Zerodium is very public about buying and selling exploits, they are certainly on the radar of these agencies. If they don't see Zerodium applying for export licenses, they will investigate.
>Would getting an export license even be possible?
Contact your local government. It might be difficult to do so as an individual, so you could need to form a small company.
I'm not sure why they would grant an export license, that completely defeats the point of the law. Me making a million bucks can't possibly be good justification to allow my transaction to be exempt?
I think this law changes everything when it comes to trading exploits.
>I'm not sure why they would grant an export license, that completely defeats the point of the law. Me making a million bucks can't possibly be good justification to allow my transaction to be exempt?
What would they get in taxes from that million bucks? Export controlled things still get sold all the time, look at any country with a weapons industry. The goal of licensing is to control who they get sold to, not to stop them from being sold.
[0] https://twitter.com/cbekrar/status/704664859372158976