Do you think writing exploits is still valuable

Disas_mainDisas_main Member Posts: 35 ■■□□□□□□□□
What you think is this still valluable skill or not. By exploits I mean format strings buffer overflows integer overflows... Not XSS or SQLi. Today most of the companies pay really big bounties for website but those who pay to secure there product aren't alot for example Oracle. Java is really wide-used and everybody know that JVM isn't so secure as it should be(mainly because of android), but they don't offer bounty program. Also Microsoft pays for vulnerabilities in IE but not for .Net framework. Those are just example of fundamental software, there are a lot of similar examples. So what is your option could you will make legal money with this skill or the only chance is to sell 0days?

Comments

  • linuxloverlinuxlover Banned Posts: 228
    Of course it does, anything you do is valuable it only depends in what context do you mean valuable. If you want to be a freelancer and make money that way then go for it, but it's not a stable career and you could also wind up in jail. Or you could disclose vulnerabilities in a professional manner and get your name out there, you could end up with a high paying job. It all depends on how you look at things and what you want out of them.
  • Disas_mainDisas_main Member Posts: 35 ■■□□□□□□□□
    linuxlover wrote: »
    Of course it does, anything you do is valuable it only depends in what context do you mean valuable. If you want to be a freelancer and make money that way then go for it, but it's not a stable career and you could also wind up in jail. Or you could disclose vulnerabilities in a professional manner and get your name out there, you could end up with a high paying job. It all depends on how you look at things and what you want out of them.

    You are right that you can get a lot of money. But those days most of the programs are written in high-level languages like Java and C#(not only user-level and phone applications but a lot of system software is written and re-written in such languages so the chances for such career get lower and lower with every
    passing day don't you think?
  • linuxloverlinuxlover Banned Posts: 228
    How can increase of high-level languages mean decrease of jobs that utilize those languages? I've never seen so many programming jobs advertising ever before.

    I don't quite get what you're trying to ask here. Are you looking to make a career out of writing exploits or just a quick-buck here and there? Because I don't believe it's possible to be writing exploits on a regular basis, as a full-time job. Security holes are found once in a while, mostly by accident. There are plenty of bug hunter programs out there, for example:

    https://bugcrowd.com/list-of-bug-bounty-programs/

    Some of them pay money, some not. You can make extra money that way besides your full-time job, do really good with time, get your name out there, lecture at Defcon and get a good paying job. There are plenty of companies looking for talented people and they will pay good money. Also a lot of USGOV recruiters can be found every year at Defcon looking for talent. Or, you can try selling your exploits as 0day risking jail time. If you do that, you need to understand that you will never be able to put those achievements on your resume, so essentially besides that dirty money you won't get any value out of it.
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    A good portion of the noticeable attack surface these days are web applications, often because they are relatively easy to find and so many apps are given a web-based front end or API to leverage. With the pace and flurry of these apps being made and most developers lacking a security focus (partially due to deadlines and first-to-market considerations), most reported exploits tend to be centered around them.

    Buffer overflows and the like may still exist, but I'm guessing it takes more effort to find those.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • YFZbluYFZblu Member Posts: 1,462 ■■■■■■■■□□
    linuxlover wrote: »
    How can increase of high-level languages mean decrease of jobs that utilize those languages? I've never seen so many programming jobs advertising ever before. I don't quite get what you're trying to ask here.

    The OP is referring to companies writing software in 'safer', high-level languages that automatically handle the dirty work that a lower-level language would not do on its own; in effect reducing the attack surface and increasing the difficulty of finding something like a buffer overflow vulnerability. Add DEP and ASLR to the equation, and yes, it is much more difficult than ever. Even Java gets far less attention these days, with its last known 0-day being over 300 days ago.

    Now, is exploit writing still valuable? It can be, we've seen large bounties paid for Chrome, IE, and Firefox 0-days that were responsibly disclosed; however my understanding is those are typically discovered by teams of researchers dedicating large amounts of time to the project.

    I'm with Docrice, I think a smart move would be to focus on web application exploitation.
  • Disas_mainDisas_main Member Posts: 35 ■■□□□□□□□□
    YFZblu wrote: »
    The OP is referring to companies writing software in 'safer', high-level languages that automatically handle the dirty work that a lower-level language would not do on its own; in effect reducing the attack surface and increasing the difficulty of finding something like a buffer overflow vulnerability. Add DEP and ASLR to the equation, and yes, it is much more difficult than ever. Even Java gets far less attention these days, with its last known 0-day being over 300 days ago.

    Now, is exploit writing still valuable? It can be, we've seen large bounties paid for Chrome, IE, and Firefox 0-days that were responsibly disclosed; however my understanding is those are typically discovered by teams of researchers dedicating large amounts of time to the project.

    I'm with Docrice, I think a smart move would be to focus on web application exploitation.
    Learnin web exploitation is definitely good greate skill https://bugcrowd.com/ proof this, so many companies pay for exploitting their websites. But there are people(like me) who don't enjoy hacking web apps.
  • LionelTeoLionelTeo Member Posts: 526 ■■■■■■■□□□
    You are talking about the work of exploit researcher, they are highly sought after by companies like madiant ,fireEye, core security, rapid7, tenable and immunity . In regards to webapplication pentest, custom scripts like python had its roots in it. A quick script would means an instant access to the system.

    And you would definitely want web app pentest over network pentest. You cannot be sure that a company hiring a network pentester is looking for a actual technical role or just someone to perform a vuln scan + reporting job. A job posting specifically looking Web app pentester however, shows determine the company is differentiating between web app pentest and normal pentesting, thankfully due to the fact that most web app flaws requires some form of manual verification.

    And if are interested in moving on to exploit researcher, you would require to cover on penetration testing somewhere in your life, and a job working on web app pentest projects definitely had serious network pentest project as well. Doing them would count towards related experience of exploit researcher.
  • LionelTeoLionelTeo Member Posts: 526 ■■■■■■■□□□
    Disas_main wrote: »
    You are right that you can get a lot of money. But those days most of the programs are written in high-level languages like Java and C#(not only user-level and phone applications but a lot of system software is written and re-written in such languages so the chances for such career get lower and lower with every
    passing day don't you think?

    Unfortunately no, because attackers are always on the move to write exploits to target financial companies, and there is an constant growing requirements to find this holes before someone else does and make a unethical use of it. The situation is made worse by developers constantly pushing out updates and softwares in limited project timeframe and budget requirements and companies hiring new developers fresh from university that still are slowed in integrating secure programming into their modules. Companies and developers also depends on packages that they would think its safe, however, many of this packages are develop within the same problem as mention above, that lead to the application being vulnerable, uses by financial institute which requires the help of companies that specialise in vulnerability research to find them before others do.
  • JDMurrayJDMurray MSIT InfoSec CISSP SSCP GSOM GSEC EnCE C|EH Cloud+ CySA+ CASP+ Linux+ PenTest+ Security+ Surf City, USAAdmin Posts: 12,718 Admin
    There was a series of presentations at Defcon 22 about bug bounties. Topics included how to sell vulnerabilities/exploits in the white/gray/black markets, what kind of money you can expect to make, and the legal problems involved. The presentation slides should be available before too long in the Defcon 22 media archives and the videos of the presentations before the end of the year.

    Look for the following:

    Screw Becoming A Pentester - When I Grow Up I Want To Be A Bug Bounty Hunter!
    Jake Kouns & Carsten Eiram

    Bug Bounty Programs Evolution
    Nir Valtman

    How to Disclose an Exploit Without Getting in Trouble
    Jim Denaro & Tod Beardsley
Sign In or Register to comment.