I think that might be a false dichotomy
Replying to @taviso @scriptjunkie1 and
I'm with @scriptjunkie1. The false dichotomy is thinking Alice gets to choose between (a) reporting bugs to vendors full time or (b) selling bugs to responsible brokers. (a) doesn't pay a salary. So the choice is between (b) and not looking for bugs at all.
Replying to @tylerni7 @scriptjunkie1 and
You're just restating the same false dichotomy. Secondly, it's just plain wrong, it's absolutely possible to work in security research without having to sell exploits. There is no moral dilemma here.
Replying to @taviso @scriptjunkie1 and
Working in security? Absolutely. But 98% of people in security aren't looking for 0days. Neither for governments nor to report to vendors. And sadly, most security jobs have very little impact making it harder for bad actors to use exploits against highly targeted individuals.
Replying to @tylerni7 @scriptjunkie1 and
Sure, if you literally refuse to accept any job that isn't spending 100% of your time looking for 0day, the job market is smaller. There are still options, VRP and similar programs. If you want to do this successfully, you need to optimize your work differently.
Replying to @taviso @scriptjunkie1 and
So if you're someone who wants to work in vuln research, and you don't get one of the few dozen jobs doing it for a company that reports the bugs immediately, what do you do? Bug bounties are getting better, but they don't pay the same.
Replying to @tylerni7 @scriptjunkie1 and
I disagree, you just have to optimize your work differently. Prefer volume over quality, not wasting time improving reliability when you could be finding more bugs, and so on. If it will take you a month to turn a bug into an exploit, calculate if the reward justifies that, etc.
If it is one month's worth of work to complete an exploit, and in one month you can make 20 baseline crash bugs, then maybe it isn't the optimal decision. Take advantage of the more lucrative programs, the Chrome fuzzer reward program for example.
Replying to @taviso @scriptjunkie1 and
...or sell the bugs to brokers who sell to responsible parties and make more money. 20 crashes in Chrome is $40-$100k. Even without escaping the sandbox, working RCE is more than that. If you do that volume in 6mo-1year, one is comfortable, one is not.
Replying to @tylerni7 @scriptjunkie1 and
Sure, if you can rationalize leaving a billion users vulnerable to anyone who does the same thing you did - potentially very unpleasant people - you might make slightly more money. No argument there.
I would say that if you were willing to optimize your workflow for VRP, the income would be similar, however.