0-day + Resume

I know a lot of black hats destroy the market in one way or the other. They find vulnerabilities, then post on bugtraq and get the credit for. So, they can put in their resume and get a good security-related job.
This is bad for hackers because the 0-days doesn't stay this way for too long because they posted on bugtraq, so the developers know and fix them.
This is also bad for the developers that need to keep in track with bugtraq checking for vulnerabilities in order to patch their programs.
My question is, is it any good to put in your resume that you are the founder of the vulnerability "xyz"? I would think yes, if you work in the security field.
Now, I don't even have a job yet, and found myself in that complicated situation. I don't know what to do.
Post on bugtraq? Contact the devs? Put on my resume?
Inputs will be much appreciated.

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

sprkymrk

Can you contact the vendor first to give them time to publish a fix?

gabrielbtoledo

I guess I could. But the whole point is, should I include that in my resume? Even not having experience in an IT job.
Will employees look at my resume as....ohhh a hacker, instead of ohhh a security minded guy???

Sie

Guess it really depends on how you word it and what job position you are applying for.

I think if its not security focused obviously they are going to look at it in a bad way, as with all resumes they have to be taylored and re-written for each job position you apply for, much better results than a default one for all.

But even if ti is security focused be careful how it is worded. Its a fine line, maybe some of the people in hiring positions etc on the forum can contribute their view, IE: if they saw it on a applicants resume / CV ??

supertechCETma

a single listing on bugtraq I would consider dubious.
experience is experience.

gabrielbtoledo

supertechCETma wrote:

a single listing on bugtraq I would consider dubious.
experience is experience.

Would you mind explaining a little better? What would you consider dubious?
Thanks for the comments so far.

supertechCETma

gabrielbtoledo wrote:

supertechCETma wrote:

a single listing on bugtraq I would consider dubious.
experience is experience.

Would you mind explaining a little better? What would you consider dubious?
Thanks for the comments so far.

The root word of security is secure. If you are trying to convince someone that you are qualified and that they should entrust you with their data and systems, you should try and project an image of reputable responsibility. I don't think an association with bugtrac is going to give prospective employers a warm and fuzzy feeling about your qualifications. Now, if you had a lengthy reputation and an established presence, then it might count for something.

$.02

sprkymrk

If you can word it in such a way as:

Additional Experience:
Discovered and informed vendor XYZ of a moderate security vulnerability in their popular DooHickey software. Received a letter of commendation from their lead developer for enabling them to implement a patch before the exploit was known to the public.

Of course, this assumes you did inform the vendor and they did email a positive acknowledgement of some sort. If you just say "I posted this vulnerability on bugtraq" then it would look more (to me) like you were trying to take the easy way to get a reputation, rather than take the more difficult path of working with a vendor to show a spirit of concern and cooperation for security as a whole.

Does that make sense or did I just babble? Sometimes I am a legend in my own mind...

gabrielbtoledo

supertechCETma: I'm not trying to pose as a security expert. I know my way around, but nothing compared with some that does this for living. I'm not even trying to get a job a security guy. However, it's my goal one day be a reputable security consultant or something like that.
I was just thinking if it was worth to put that discovery on my resume. If it would help to make a better resume, or maybe it would only make myself look like a fool or wannabe.

sprkymrk: Those guys never responded to me. I think they think I'm joking or they might be busy and don't have the time to respond.
This vulnerability is so dangerous and serious. I wish they would contact me.

Anyway, thanks for all your comments.

Sie

Those guys never responded to me. I think they think I'm joking or they might be busy and don't have the time to respond.
This vulnerability is so dangerous and serious. I wish they would contact me.

You may find they are looking into it.

Also if your a respected software developer would you readily admit to the world that you had such a "vulnerability is so dangerous and serious" ??

gabrielbtoledo

I don't think they are looking into it. I never provided any info about the vulnerability on my emails.
Also, it's nothing to be ashamed. I haven't seen a software without bugs. And they had entries on bugtraq(securityfocus) on past versions of the same software. So, it'a normal thing.