Remix.run Logo
tptacek 5 hours ago

I am seeing something closer to the opposite of skepticism among vulnerability researchers. It's not my place to name names, but for every Halvar Flake talking publicly about this stuff, there are 4 more people of similar stature talking privately about it.

decidu0us9034 3 hours ago | parent [-]

People use whatever tools are the most effective and they have plenty of incentive not to talk publicly about them. I think the era of openness has passed us by. But why does stature matter anyway? If I look at chromium or MSRC bug reports, scarcely any of the submitters are from Europe/US and certainly don't have anything resembling stature. That guy hasn't done anything of note in the field in a long time from what I know, he's kind of boomer (you too, no disrespect).

lich_king a few seconds ago | parent [-]

Vulnerability research is exciting and profitable, but it has three problems. First, it's mentally exhausting. Second, the income it generates is very unpredictable. Third, it's sort of... futile. You can find a 1,000 vulnerabilities and nothing changes.

So yeah, it's the domain of young folks, often from countries where $10k or $100k goes much farther than in the US. But what happens to vulnerability researchers once they turn 35? They often end up building product security programs or products to move the needle, often out of the limelight because they no longer have anything to prove.

When you dunk on "boomers", you're dunking on people who are running teams that build browser mitigations, detection mechanisms, in-house fuzzing infrastructure for companies like Nvidia, and so forth. And yeah, they often know what they're doing and they're the one writing checks for the young uns to test these defenses and report more bugs.