
It seems that anyone who knows enough to find this level of 0day vulnerability has skills that people would pay for.



Yes but not many companies will put up with someone who does this shit.


I can sympathize with her strife, but she is on the path to seriously burn bridges. I can't imagine many security focused companies would touch her with a 10 foot pole now that she publicly admitted that she is willing to sell a 0day for profit. Sure she is going through a rough time, but even when angry, you have to not say things you regret, especially online.

EDIT: Did not realize selling bugs outside of bug bounty programs and related bug programs was a normal thing. Now I know.


>I can't imagine many security focused companies would touch her with a 10 foot pole now that she publicly admitted that she is willing to sell a 0day for profit.

Selling 0days for profit isn't the issue. The more pressing issue, considering she seems to be desperately looking for an employer, is that she has aired her life openly, honestly, and unfiltered through the same channels as her professional work. Sorry, but any serious employer isn't going to hire somebody who is openly unstable, especially not the "suicidal/disappearing for months at a time" unstable.

I'd recommend reading the rest of her twitter posts, plus the content she has published on her website, to get a better idea of her character. While she has a moderate amount of technical ability in her specific niche, it's nowhere near the level that would justify hiring past all of the red flags.

It's unfortunate, but she really needs to re-invent her online presence by decoupling her severe emotional issues from her showcased professional work.


In the security industry, selling a 0day for profit is not taboo at all. Some of the most well known researchers openly do this, and they are very employable.

Some companies have policies that don’t allow you to sell them while employed there (it’s awkward when your employee sells a bug in software sold by a client/partner/competitor/supplier), but they wouldn’t generally blacklist anyone who had sold bugs in the past.


Is that legal under US law?


I think it's a grey area, and the seller has to do research into the buyer. It's kind of like if you're an authorized firearms dealer. There's no issue selling to the general population, but if you knowingly sell to someone who intends to use it for a crime, then you can get arrested. That's what the researcher who stopped the WannaCry worm was arrested for; the FBI had logs showing that he'd helped build a tool to spy on Android devices, and that he knew the buyer was going to use it to commit crimes.

Not all 0 day vendors are shady either. At an old employer, we were authorized to purchase 0 days with company money to use during penetration tests because they wanted us to emulate state-sponsored attacks. The vendor had a website for their company and customer support as well. Immunity Canvas also has an optional subscription for 0 days you can purchase to use with their framework.


Sure, under what theory of law wouldn't it be? I mean, assuming of course that there is no insider dealing here, that they didn't have any hand in creating the security vulnerability themselves (or inducing its creation), but that they only discovered something out there in the world, then they have the right to talk about that as they see fit. Or not, or sell it. There may be social consequences, and if they're employed by someone else there could be terms in their contract covering that or a range of other legal behavior, but publishing/selling true information one discovers is protected under general law (and common sense frankly). It could be different if the entity they were selling to was itself a criminal enterprise and they knew or should have known that ("a reasonable person would have"), but even that is not an issue for government agencies, or selling it to the responsible developer, or to generalist security middlemen companies that do things like buy these up and then sell special early notice to their clients or such. There are legal entities that are willing to pay for some exploits, and it's legal to sell to them.

Many security researchers have voluntarily decided on a moral level that they care about general security welfare most of all and that following specific standards and timelines of disclosure will maximize that, but even with the same goal reasonable people can disagree there too, right up until full disclosure immediately. Some are just paid for that, because like open source an organization might decide that better security overall will ultimately be good for their bottom line (like Google). And some people just want fame or to put food on the table via their unique marketable skills, which is their call too.


It's questionable, and doing it wrong can get you sued or worse. Here's [1] EFF advice on it, but as usual getting a lawyer knowledgeable in the area is your best bet.

Most people that publish play with fire, but have learned some boundaries making it somewhat safe.

[1] https://www.eff.org/issues/coders/vulnerability-reporting-fa...


>but she is on the path to seriously burn bridges

As a transgender person, this is all that happens in our lives to be honest. It's very tough to have anything but a 'rough time' when the general public views you weirdly, and your family/friends have completely abandoned you.


But these bridges aren't being burned as a result of this person being trans, the bridges are being burned as a result of this person dropping 0 days and associating the professional vuln research with personal anti-social posts.


I don't think you are contradicting prolikewh0a's point. To rephrase their point in terms of your language, it's difficult to not be (openly) anti-social if you feel like society is anti-you.

Not impossible and not necessarily excusable. Just... difficult.


>it's difficult to not be (openly) anti-social if you feel like society is anti-you.

This is really accurate. I've really had to work on making good decisions and working on some slight anger issues during my transition after pretty much all of my family abandoned me, a lot of my friends started making fun of me publicly or just abandoned me totally. It's a significant reason why I moved across the country to Seattle -- a more open and accepting area of the USA -- to make new friends and get a job that was very open to LGBT persons. It's still tough, but the life change, surrounding myself with people who support me, really helped.


Society is very anti-me. I just wear a suit to work and pretend to be someone else. Not terribly hard.


Unfortunately, depression and anxiety don't really limit themselves to a specific domain, and the anxiety of gender dysphoria is pretty all-consuming since you can't really stop being reminded of it.


Is this person trans? I didn't know until you said something...


http://sandboxescaper.blogspot.com/

>Travel blog of an evil transgirl

First post talks about her transition slightly.


[flagged]


We've banned this account.


> I really aspire to become a mentally unstable transgirl that nobody wants to hire or do business with.

From her blog last week

http://sandboxescaper.blogspot.com/2018/08/my-greatest-ambit...


Applying armchair psychology and a tiny bit of my own experience with trying to express frustration, I think this is using melodramatic/caricaturized negative articulation to express opposites to the point being made.

As in, this person wants the opposite of everything being stated, and they're frustrated to the point of saying "of course I want everything to be going as badly as it is". I honestly don't read this any other way.


I see the same thing, and empathize totally...but still, what HR person would see this and think "yeah, let's reach out to this person for a job"


Sadly, probably none.

On that note, I think my comment was at 2 before; it's at 0 as of this reply. Heh.


> admitted that she is willing to sell a 0day for profit

Researchers sell bugs all the time. Whether to a bounty program, a broker, a carder forum, etc, it happens all the time.

Nobody is going to look down on her for admitting to doing what some people do for a living.

Would you prefer she works for MSFT for free or "responsibly" works with Zerodium so that the Feds can get their hooves on the bug first?


I didn't mean in terms of a bug bounty. I meant in terms of trying to sell it to something like a foreign gov't or deep web entity. The other guy above said the same thing as you, I did not know at all that researchers sold bugs separately from bug bounty programs.


Frankly, the only reason this doesn't happen more often is that it's hard. Unless you know the right people, finding a buyer for a bug like this is nearly impossible these days. The more legitimate routes are easier, faster, and require less work -- for instance, no need to have a solid exploit, just a good write-up.


You go to ZERODIUM or another broker. They find a buyer. Sure, you get less, but you don't have to deal with sourcing buyers yourself.


There are ethical issues surrounding brokers like Zerodium, Grugq, et al. Specifically, that 95% of the time you know that bug is going to NSA, CIA, FBI, DoD, GCHQ, BND, Mossad, etc.


You're absolutely right. Many good, wonderful, amazing people consider that an ethical concern sufficient to stop them in their tracks!

It's perhaps possible that some people, in some scenarios, might be willing to compromise on the ethics of their situation in exchange for a significantly higher chance of a much, much higher payout.

EDIT:

To expand slightly, anyone in a position to pay out for bug bounties should consider carefully what they are willing to do to shift incentives towards ethical behavior. The ability to attack your systems is worth money to those who would do so. It should be worth more to you than to them. How much are you, hypothetical person making such choices, willing to spend?

It's perhaps unfair to expect highly skilled people to take a 90%+ discount on the value of their work in order to be more ethical. Ethics are incredibly important! But it can be difficult to argue that successfully in the face of a breathtaking ask.


Then the bug bounty programs can step up and pay what bugs are actually worth. The right bug in Windows could decimate their entire OS market, but most companies that I've seen tend to pay some flat rate for bugs.


Thus my point: until bug bounties are calculated to approach or exceed the black or grey-market value of exploits, they can't strongly push people towards ethical behavior.

Right now bug bounties seem mainly to serve as a way for skiddies in the third world with burp to make for-them-bank on trivial XSS vulns and for serious professionals to make a little extra money. And, y'know, to serve the PR purpose of being able to say you have a bug bounty program.


What stops someone from "leaking" the bug after getting paid, or getting paid multiple times for the same 0-day? You know, to even the playing field from just the TLAs from having all of the fun?


The inability to sell their next bug.


You get significantly more money - some exploits are worth $100-250k. You just need to ask in underground hacker forums and not on Twitter. But doing business with those guys is hard af because no one can trust each other.


A popular trade-off is to work for a government contractor. You can get that kind of money as a salary, and the trust issues are all taken care of. Having a real salary is helpful if you want to get a loan to buy a house. It evens out your finances.

Example job that I posted: https://news.ycombinator.com/item?id=17442484

Somebody like SandboxEscaper would qualify technically, but I have a feeling that running off randomly to foreign countries and hinting at a possible suicide would be disqualifying. The government frowns on that sort of stuff when sorting out trust issues.


> Did not realize selling bugs outside of bug bounty programs and related bug programs was a normal thing. Now I know.

I'm curious why you made such a post without knowing the industry?


Possibly because they didn't think there was a market for legitimate use of such information, and selling something for clear use in a criminal act is a different story, and may even be criminal in itself depending on circumstances. Even if the industry accepts that (not implying that it does), openly airing it might be a different matter.

Some level of assumption is often required to efficiently converse, so we just have to accept that occasionally the assumptions are a little more off base than we would like.


...how could you not? The valley and the great tech industry are rife with libertarianism. 0-days are a market like any other: either companies pay researchers the market rate so they can fix their bugs before they get sued by their customers, or they don't, in which case any number of less reputable sources will pay for them.


Absolutely. I always thought that if you can find multiple 0days, you are good enough to land any senior developer position in a few weeks. Is that not the case? And why? To me, being able to find 0days was always synonymous with "broad knowledge" + "out of the box thinking".


I always found that while I could probably spend 6-8 months studying to try to land a job at one of the big tech companies to do RE/security research/malware analysis or whatever you want related to that, I usually got more interested in reverse engineering something new and quickly got bored reviewing the details of binary search trees.

That limits jobs at the big 4/5, as nearly every job that involves security research/RE will inevitably still have the standard leetcode algorithms whiteboard interview, but there's plenty of other stuff out there if you're willing to put together a decent portfolio. The few exceptions to that are being so famous you can make it to recognized teams, but that isn't a realistic goal for most engineers.

If there's a company you really, really want to work for, you can responsibly disclose something to them and at least get an in-person. Skip the phone algorithms test and go right to the whiteboard! Heck yeah.


Being good at reverse engineering, analysis, and programming are almost completely orthogonal to being able to implement 5 variations of search algorithms from memory on a whiteboard in syntactically correct code.


Being transgender makes getting hired much harder, or often impossible.

Some people that held a senior position in major companies before transition ended up as a cashier or in similar jobs afterwards.


That's an unfortunate state of affairs.



