That's not the argument, nobody is shedding tears for child abusers getting popped by the feds. The problem is you can't stop other people from abusing the same vulnerability, so you're putting innocent people in harm's way.
Replying to @taviso @josephfcox
Same argument could be made for reporting and patching though. Conficker, et al.
1 reply 0 retweets 11 likes
Replying to @MalwareTechBlog @josephfcox
There is no perfect solution, the best we can do is optimize. I think reporting and patching vulnerabilities has better properties than hoarding them and praying only people you like discover them.
0 replies 8 retweets 48 likes
I think that might be a false dichotomy
1 reply 1 retweet 1 like
Replying to @taviso @scriptjunkie1 and
I'm with @scriptjunkie1. The false dichotomy is thinking Alice gets to choose between (a) reporting bugs to vendors full time or (b) selling bugs to responsible brokers. (a) doesn't pay a salary. So the choice is between (b) and not looking for bugs at all.
2 replies 0 retweets 6 likes
Replying to @tylerni7 @scriptjunkie1 and
You're just restating the same false dichotomy. Secondly, it's just plain wrong, it's absolutely possible to work in security research without having to sell exploits. There is no moral dilemma here.
1 reply 1 retweet 5 likes
Replying to @taviso @scriptjunkie1 and
Working in security? Absolutely. But 98% of people in security aren't looking for 0days, neither for governments nor to report to vendors. And sadly, most security jobs have very little impact on making it harder for bad actors to use exploits against highly targeted individuals.
2 replies 0 retweets 3 likes
Replying to @tylerni7 @scriptjunkie1 and
Sure, if you literally refuse to accept any job that isn't spending 100% of your time looking for 0day, the job market is smaller. There are still options, VRP and similar programs. If you want to do this successfully, you need to optimize your work differently.
1 reply 0 retweets 1 like
Replying to @taviso @scriptjunkie1 and
So if you're someone who wants to work in vuln research, and you don't get one of the few dozen jobs doing it for a company that reports the bugs immediately, what do you do? Bug bounties are getting better, but they don't pay the same.
3 replies 0 retweets 3 likes
I disagree, you just have to optimize your work differently. Prefer volume over quality, not wasting time improving reliability when you could be finding more bugs, and so on. If it will take you a month to turn a bug into an exploit, calculate if the reward justifies that, etc.
If it is one month's worth of work to complete an exploit, and in one month you can make 20 baseline crash bugs, then maybe it isn't the optimal decision. Take advantage of the more lucrative programs, the Chrome fuzzer reward program for example.
1 reply 0 retweets 1 like
Replying to @taviso @scriptjunkie1 and
...or sell the bugs to brokers who sell to responsible parties and make more money. 20 crashes in Chrome is $40-$100k. Even without escaping the sandbox, working RCE is more than that. If you do that volume in 6mo-1year, one is comfortable, one is not.
1 reply 0 retweets 1 like