[kenperkins]

People who find vulnerabilities purely for the bounty seem to fit the classical definition of Bounty Hunters or Mercenaries. Certainly not researches. They're not in it for the academic benefit or advancing the state of the art. They're in it for the cash.

[2trill2spill]

So your saying someone who does security research but does not get paid is a researcher, but if someone else does the same research but they get paid their not a researcher?

So what if a security researcher is paid for their work? We don't say Lawyers are not Lawyers because their being paid and not doing work pro bono.

Remember security research takes lot's of time, skill and hardware they should be paid to do their work.

[sqeaky]

A person can do research on a salary. Demanding money because you found a 0-day in their software is scarily similar to blackmail.

There is plenty of room between blackmail and research. A professional researcher can draw a paycheck and release exploits as found.

[tptacek]

Doing work on your own time, with your own materials, and expecting to be paid for your work product is "scarily similar to blackmail"? Could you go into that a little bit more?

Exactly how are these "professional researchers" generating their paychecks?

(NB: I was one of those "professional researchers".)

[sqeaky]

Once a researcher has found an issue, demanding money after the is similar to blackmail.

Agreeing on money up front seems like a reasonable way, I also see no problem with bounty programs or even asking for more from bounty programs. Withholding a bug until a bounty is raised is were I would draw the line at blackmail.

[tptacek]

You haven't explained how it's anything at all like blackmail. Say I'm the researcher and you're the vendor. I'm offering to sell the product of my own work. You're free not to buy it from me. But you are in no way entitled to my work product!

[statictype]

The sole value of your "product" is to actively harm the vendor's product. It doesn't provide any other value (unless you want to claim that it can be sold for educational purpose).

[wildmusings]

What? So unlike every other profession, you're not a real infosec researcher unless you're not in it for the money? Just about everyone does their job for the money. Are we all mercenaries too?

[sgift]

Last time I checked our society tells us that striving for money is the way to go, so why should researches be hold to different standards? If you don't like the game, change the rules - don't blame the players.

[tptacek]

This is a weird kind of ownership you've taken over the word "researcher". There are all sorts of people traditionally described as researchers, and many of them are private and for-profit.

[dogma1138]

So researchers that build weapons aren't researchers?