by turtles 3982 days ago
Can be lucrative, but time consuming. When I got home from work, I'd be straight on my computer looking for 0days. I'd basically do this most nights and weekends. While I was at work, I'd also be checking my fuzzers, seeing if I had any new exceptions. I'd even take holidays if I was working on something I was really interested in, or had found a bug and was trying to exploit it.

I had quite a lot of fun for years doing it, though it was draining and I grew tired of it. When I'd see an exception I'd get so excited - it was like a constant roller coaster of highs; then it would flatten out to a middle area, eventually hitting a low when your fuzzer was finding fewer bugs. I find the VR cycle goes like this, at least for me:

* research your target - obtain a whole bunch of background knowledge, e.g. protocols or file specs. Hopefully you can find out what you want online, otherwise you have to try your best at reverse engineering (RE) your target.

* depending on how you're hunting for vulns, you'll be doing either fuzzing or binary analysis (RE). So if you're fuzzing, you need to write your fuzzer. The offset in time regarding fuzzing vs binary analysis (a topic of its own!) I usually find comes out relatively even (target dependent, however).

* running your fuzzer (obviously not required if you're doing binary analysis)

* going through your exceptions, narrowing them down based on exploitability from the little crash dump info you have. Then figuring out what caused the crash. This can be quite difficult and time consuming depending on your target, for example, analysing a crash in a compressed stream in an Adobe Reader document. Again, as an example, if you have 10 unique crashes this can take a while.

* now that you understand what went wrong and you believe it is exploitable, you need to figure out how to do just that. I like to think exploitation is a field of its own. Some of the best exploit writers don't do so well finding 0days, but exploiting them is another story!

* then the easy part, mail your people and wait to see an offer.

You need to be able to motivate yourself to do well in VR. As I mentioned at the top of this post, seeing an exception would be a pretty big high for me; chasing this is what I think enabled me to do it for so long. All this takes so much time, from a couple of hours to days to months. While I'm on it, I often hear people say you need to be smart to do this type of stuff. Not true. Persistence is what is required. Being smart only takes you so far.

In the end, there are easier ways to make money, though I wouldn't be where I am now if I had never done vuln research (VR). Still got friends that do it now; they never seem to tire of it!

I would highly recommend anyone getting into security to do VR for a period of time. Release a bunch of bugs responsibly to the public for free - it gets your name out there (can be worth more than the bug itself in the end). Only after you've released a few publicly should you look at selling the next. You learn lots of different skills you'll use throughout your security career and it will put you into that top tier of security professionals.

I still do a bit here and there. It's not as stimulating as it used to be for me anymore. :(

Overall, it's a pretty awesome life.

* Apologies if there are typos above, didn't have time to review it.