I'm with @scriptjunkie1 . The false dichotomy is thinking Alice gets to choose between (a) reporting bugs to vendors full time or (b) selling bugs to responsible brokers. (a) doesn't pay a salary. So the choice is between (b) and not looking for bugs at all.
Replying to @tylerni7 @scriptjunkie1 and
You're just restating the same false dichotomy. Secondly, it's just plain wrong, it's absolutely possible to work in security research without having to sell exploits. There is no moral dilemma here.
Replying to @taviso @scriptjunkie1 and
Working in security? Absolutely. But 98% of people in security aren't looking for 0days. Neither for governments nor to report to vendors. And sadly, most security jobs have very little impact making it harder for bad actors to use exploits against highly targeted individuals
Replying to @tylerni7 @scriptjunkie1 and
Sure, if you literally refuse to accept any job that isn't spending 100% of your time looking for 0day, the job market is smaller. There are still options, VRP and similar programs. If you want to do this successfully, you need to optimize your work differently.
Replying to @taviso @scriptjunkie1 and
So if you're someone who wants to work in vuln research, and you don't get one of the few dozen jobs doing it for a company that reports the bugs immediately, what do you do? Bug bounties are getting better, but they don't pay the same.
Replying to @tylerni7 @scriptjunkie1 and
I disagree, you just have to optimize your work differently. Prefer volume over quality, not wasting time improving reliability when you could be finding more bugs, and so on. If it will take you a month to turn a bug into an exploit, calculate if the reward justifies that, etc.
If it is one month worth of work to complete an exploit, and in one month you can make 20 baseline crash bugs, then maybe it isn't the optimal decision. Take advantage of the more lucrative programs, the Chrome fuzzer reward program for example.
Replying to @taviso @scriptjunkie1 and
....or sell the bugs to brokers who sell to responsible parties and make more money. 20 crashes in Chrome is $40-$100k. Even without escaping the sandbox, working RCE is more than that. If you do that volume in 6mo-1year, one is comfortable, one is not.
Replying to @tylerni7 @scriptjunkie1 and
Sure, if you can rationalize leaving a billion users vulnerable to anyone who does the same thing you did - potentially very unpleasant people - you might make slightly more money. No argument there.
Replying to @taviso @scriptjunkie1 and
As much as people like to shit on them, the US Gov also is able to save lives thanks to its offensive cyber programs. They aren't angels who do no wrong, but I think they do net positive. I also don't think bad folks use 0days against billions, only very targeted folks
That is a dishonest tweet that misrepresents the argument. When you say "It's okay because I only sell exploits to the good guys", the problem is you can't stop bad people finding and exploiting the same bug, and *that's* the problem.
Replying to @taviso @scriptjunkie1 and
I get that 100%, I agree selling exploits to folks that don't report means good people are vulnerable to the same bugs. But going and working in an unrelated area (not bug bounties, not p0, not selling to brokers) still leaves bad people able to find those bugs.
I do hope that what most of us do pushes everyone in the right direction to be "more secure". *But* I also think the US Gov and others have legit uses for 0days, and that espionage saves lives. I think it's unfair to paint everyone who agrees with that as unethical.