by 2trill2spill 3705 days ago
So you're saying someone who does security research but does not get paid is a researcher, but if someone else does the same research and gets paid, they're not a researcher?

So what if a security researcher is paid for their work? We don't say lawyers are not lawyers because they're being paid and not doing their work pro bono.

Remember, security research takes lots of time, skill and hardware; they should be paid to do their work.


A person can do research on a salary. Demanding money because you found a 0-day in their software is scarily similar to blackmail.

There is plenty of room between blackmail and research. A professional researcher can draw a paycheck and release exploits as found.

Doing work on your own time, with your own materials, and expecting to be paid for your work product is "scarily similar to blackmail"? Could you go into that a little bit more?

Exactly how are these "professional researchers" generating their paychecks?

(NB: I was one of those "professional researchers".)

Once a researcher has found an issue, demanding money after the fact is similar to blackmail.

Agreeing on money up front seems like a reasonable way; I also see no problem with bounty programs, or even with asking for more from bounty programs. Withholding a bug until a bounty is raised is where I would draw the line at blackmail.

You haven't explained how it's anything at all like blackmail. Say I'm the researcher and you're the vendor. I'm offering to sell the product of my own work. You're free not to buy it from me. But you are in no way entitled to my work product!

The sole value of your "product" is to actively harm the vendor's product. It doesn't provide any other value (unless you want to claim that it can be sold for educational purposes).

Couldn't that be compared to, say, selling protective sportswear? That is also selling protection from harm. Now, if the researcher threatens to auction off the exploit...

So don't buy it!