I think that might be a false dichotomy 
Replying to @taviso @scriptjunkie1 and
I'm with
@scriptjunkie1. The false dichotomy is thinking Alice gets to choose between (a) reporting bugs to vendors full time or (b) selling bugs to responsible brokers. (a) doesn't pay a salary. So the choice is between (b) and not looking for bugs at all.
2 replies 0 retweets 6 likes
Replying to @tylerni7 @scriptjunkie1 and
You're just restating the same false dichotomy. Secondly, it's just plain wrong, it's absolutely possible to work in security research without having to sell exploits. There is no moral dilemma here.
1 reply 1 retweet 5 likes
Replying to @taviso @scriptjunkie1 and
Working in security? Absolutely. But 98% of people in security aren't looking for 0days. Neither for governments nor to report to vendors. And sadly, most security jobs have very little impact making it harder for bad actors to use exploits against highly targeted individuals
2 replies 0 retweets 3 likes
Replying to @tylerni7 @scriptjunkie1 and
Sure, if you literally refuse to accept any job that isn't spending 100% of your time looking for 0day, the job market is smaller. There are still options, VRP and similar programs. If you want to do this successfully, you need to optimize your work differently.
1 reply 0 retweets 1 like
Replying to @taviso @scriptjunkie1 and
So if you're someone who wants to work in vuln research, and you don't get one of the few dozen jobs doing it for a company that reports the bugs immediately, what do you do? Bug bounties are getting better, but they don't pay the same.
3 replies 0 retweets 3 likes
Is this now a question of individual freedom to work your dream job, but at the expense of everyone else staying/being vulnerable?
1 reply 0 retweets 2 likes
Replying to @Rainer_Rehak @taviso and
If my dream job is "find exploits" and I can't get a job doing that for a company that gives them away for free to vendors, then I either choose "sell exploits to responsible parties" or "leave the exploit finding to the malicious parties".
1 reply 0 retweets 2 likes
Replying to @tylerni7 @Rainer_Rehak and
You sure like this false dichotomy.
1 reply 0 retweets 0 likes
Replying to @taviso @Rainer_Rehak and
And you sure like thinking bug bounties are a good source of income :P I know people that successfully do both sides of my dichotomy. I don't know anyone who makes the same money off of vendor bug bounties.
2 replies 0 retweets 1 like
I do think that, because I do know people who do it and make a comfortable living. You talk like your only options are living in the gutter or selling exploits to the military, there is a third option, I promise!
Replying to @taviso @Rainer_Rehak and
That's fair. I definitely don't know everyone and might be missing useful datapoints. Should be public knowledge since payouts tend to be public? But there are probably good reasons you work at Google and aren't independently making a living off of bug bounties.
0 replies 0 retweets 0 likes