by _b8r0 2951 days ago
One of the easiest ways to find bugs is to look at CVE releases in software and identify similar software.

For example, if there's a bug in libfoo's ASN.1 structure parsing, then chances are that any implementation of the same structure parsing is going to have similar or identical bugs. It might not be the same field, but this certainly tends to do well as a strategy for finding bugs in libraries, file format bugs and complex network services.

I can't speak for Google Zero, but from the people I know there, they tend to look at a broad area of interest, research it painstakingly and then drill down deep while the bugs drop out. A good example of this is James Forshaw's work on Windows kernel bugs, which started as looking into the Windows file structure and alternate data streams and has slowly morphed over time into walking through Windows' local attack surface.

Again, people I know who have spent far too much time looking for bugs in specific pieces of software tend to take the deep dive approach as it yields more interesting bugs. The broad at-scale reimplementation approach finds bugs, but they're not as interesting.