January 18, 2007

BugFinding

So, Pete Lindstrom's looking for vulnerability researchers with enterprise experience. Now I think I just barely qualify; not on the enterprise experience side (that I have quite a bit of experience in) - but on the research side (where I have less experience). However, there are a few names that leap to mind; for example, I immediately think of Alex Wheeler, who not only punches holes in AV software but also worked in one of the largest (if not the largest) insurance companies in the world. Now, my objective here is not to gainsay Pete, because I think he has a point; I think it is uncommon for people to have both enterprise and research experience.

But I don't think it's because practitioners in industry have a high moral standard that precludes them from working on vulnerability research; I also don't think it's because they fundamentally believe that vulnerability research contributes to the problem of patch mania and/or increased exposure to the enterprise. Not that Pete is saying any of those things, mind you. However, one could. Instead, I think that vulnerability research and industry do not go hand in hand for a totally different reason - I think it's about time and incentive.

In actuality, vulnerability research is a very time-intensive process. And the truth is that the majority of enterprise IT departments do not reward employees for finding bugs. Now, if you work for a product company (eEye, ISS, etc.), you might be rewarded for finding bugs. Even if you participate in a pay-for-research venue where you can actually sell your bugs, what are you going to earn? A thousand dollars? If it takes weeks to research and write up a bug and go through the rigmarole with the vendor (say, conservatively, 200 hours), you're talking about 5 dollars an hour. Oooooo, sign me up (not). However, product companies that use vulnerability research as *marketing* have an entirely different perspective. How much is the front page of Google News worth to them? Enough to incent their employees to look for bugs? You bet...

Posted by Ed at January 18, 2007 09:39 AM
Comments

"Now, if you work for a product company (eEye, ISS, etc.), you might be rewarded for finding bugs."

eEye wouldn't even bother buying you lunch for finding flaws. It's a joke.

Posted by: tom ferris at January 21, 2007 01:04 AM