There's no one-size-fits-all answer to your question, just as there isn't to questions like why someone wants to be a programmer or a startup founder. The micro-motivations of individuals doing this sort of work can be all over the map from person to person. But as someone who very occasionally does such things (but isn't looking to "make a name" for myself as a security researcher, which is often a motivation):
1) The initial motivation isn't so much about documenting security flaws, but finding them in the first place. It is a very hands-on, immediate-results-oriented type of problem solving where you look at a system that is intended (or should be intended, based on what it is doing) to be secure and find ways in which the security is lacking.
2) From there, informing the company is just about being a decent net citizen. If you can work around their security from the outside, other (potentially more nefarious) people can too, and in most cases the company simply doesn't realize they have a security problem, so informing them is good for everyone.
3) From there, if they refuse to fix the problem and it is very legitimately a security issue, responsible full disclosure (with a solid window of not talking about the bug publicly; I go with Google's 60-day window as a guideline) is about being a decent net citizen toward the product's users (if not the product's company). If they have gaping security flaws in their product that they won't fix, users who could and likely will get screwed by them deserve to know, so they can make an informed decision as to whether the company they are using is adequately protecting their interests.
But as I said, everyone is different. For some people it is mostly résumé-building, collecting public CVEs on their way to a security research position; for me it is just a fun, very occasional hobby, and I've not publicly disclosed a gaping security flaw since the mid-1990s, because most companies will do the right thing in fixing real security issues if poked a bit these days.
With respect to this, would you say that there is a bit of a buzz when the company acknowledges it and pats you on the back and says "hey, thanks, good job" (like your elementary school teacher)?
So, taking this one step further, I would say that if that is the case then it becomes a big motivating factor, especially if the reinforcement is intermittent, because you are searching for the next hit of approval.
Agree? Or?