Do you think writing exploits is still valuable

What you think is this still valluable skill or not. By exploits I mean format strings buffer overflows integer overflows... Not XSS or SQLi. Today most of the companies pay really big bounties for website but those who pay to secure there product aren't alot for example Oracle. Java is really wide-used and everybody know that JVM isn't so secure as it should be(mainly because of android), but they don't offer bounty program. Also Microsoft pays for vulnerabilities in IE but not for .Net framework. Those are just example of fundamental software, there are a lot of similar examples. So what is your option could you will make legal money with this skill or the only chance is to sell 0days?

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

linuxlover

Of course it does, anything you do is valuable it only depends in what context do you mean valuable. If you want to be a freelancer and make money that way then go for it, but it's not a stable career and you could also wind up in jail. Or you could disclose vulnerabilities in a professional manner and get your name out there, you could end up with a high paying job. It all depends on how you look at things and what you want out of them.

Disas_main

linuxlover wrote: »

Of course it does, anything you do is valuable it only depends in what context do you mean valuable. If you want to be a freelancer and make money that way then go for it, but it's not a stable career and you could also wind up in jail. Or you could disclose vulnerabilities in a professional manner and get your name out there, you could end up with a high paying job. It all depends on how you look at things and what you want out of them.

You are right that you can get a lot of money. But those days most of the programs are written in high-level languages like Java and C#(not only user-level and phone applications but a lot of system software is written and re-written in such languages so the chances for such career get lower and lower with every
passing day don't you think?

linuxlover

How can increase of high-level languages mean decrease of jobs that utilize those languages? I've never seen so many programming jobs advertising ever before.

I don't quite get what you're trying to ask here. Are you looking to make a career out of writing exploits or just a quick-buck here and there? Because I don't believe it's possible to be writing exploits on a regular basis, as a full-time job. Security holes are found once in a while, mostly by accident. There are plenty of bug hunter programs out there, for example:

https://bugcrowd.com/list-of-bug-bounty-programs/

Some of them pay money, some not. You can make extra money that way besides your full-time job, do really good with time, get your name out there, lecture at Defcon and get a good paying job. There are plenty of companies looking for talented people and they will pay good money. Also a lot of USGOV recruiters can be found every year at Defcon looking for talent. Or, you can try selling your exploits as 0day risking jail time. If you do that, you need to understand that you will never be able to put those achievements on your resume, so essentially besides that dirty money you won't get any value out of it.

docrice

A good portion of the noticeable attack surface these days are web applications, often because they are relatively easy to find and so many apps are given a web-based front end or API to leverage. With the pace and flurry of these apps being made and most developers lacking a security focus (partially due to deadlines and first-to-market considerations), most reported exploits tend to be centered around them.

Buffer overflows and the like may still exist, but I'm guessing it takes more effort to find those.

YFZblu

linuxlover wrote: »

How can increase of high-level languages mean decrease of jobs that utilize those languages? I've never seen so many programming jobs advertising ever before. I don't quite get what you're trying to ask here.

The OP is referring to companies writing software in 'safer', high-level languages that automatically handle the dirty work that a lower-level language would not do on its own; in effect reducing the attack surface and increasing the difficulty of finding something like a buffer overflow vulnerability. Add DEP and ASLR to the equation, and yes, it is much more difficult than ever. Even Java gets far less attention these days, with its last known 0-day being over 300 days ago.

Now, is exploit writing still valuable? It can be, we've seen large bounties paid for Chrome, IE, and Firefox 0-days that were responsibly disclosed; however my understanding is those are typically discovered by teams of researchers dedicating large amounts of time to the project.

I'm with Docrice, I think a smart move would be to focus on web application exploitation.

Disas_main

YFZblu wrote: »

The OP is referring to companies writing software in 'safer', high-level languages that automatically handle the dirty work that a lower-level language would not do on its own; in effect reducing the attack surface and increasing the difficulty of finding something like a buffer overflow vulnerability. Add DEP and ASLR to the equation, and yes, it is much more difficult than ever. Even Java gets far less attention these days, with its last known 0-day being over 300 days ago.

Now, is exploit writing still valuable? It can be, we've seen large bounties paid for Chrome, IE, and Firefox 0-days that were responsibly disclosed; however my understanding is those are typically discovered by teams of researchers dedicating large amounts of time to the project.

I'm with Docrice, I think a smart move would be to focus on web application exploitation.

Learnin web exploitation is definitely good greate skill https://bugcrowd.com/ proof this, so many companies pay for exploitting their websites. But there are people(like me) who don't enjoy hacking web apps.

LionelTeo

You are talking about the work of exploit researcher, they are highly sought after by companies like madiant ,fireEye, core security, rapid7, tenable and immunity . In regards to webapplication pentest, custom scripts like python had its roots in it. A quick script would means an instant access to the system.

And you would definitely want web app pentest over network pentest. You cannot be sure that a company hiring a network pentester is looking for a actual technical role or just someone to perform a vuln scan + reporting job. A job posting specifically looking Web app pentester however, shows determine the company is differentiating between web app pentest and normal pentesting, thankfully due to the fact that most web app flaws requires some form of manual verification.

And if are interested in moving on to exploit researcher, you would require to cover on penetration testing somewhere in your life, and a job working on web app pentest projects definitely had serious network pentest project as well. Doing them would count towards related experience of exploit researcher.

LionelTeo

Disas_main wrote: »

You are right that you can get a lot of money. But those days most of the programs are written in high-level languages like Java and C#(not only user-level and phone applications but a lot of system software is written and re-written in such languages so the chances for such career get lower and lower with every
passing day don't you think?

Unfortunately no, because attackers are always on the move to write exploits to target financial companies, and there is an constant growing requirements to find this holes before someone else does and make a unethical use of it. The situation is made worse by developers constantly pushing out updates and softwares in limited project timeframe and budget requirements and companies hiring new developers fresh from university that still are slowed in integrating secure programming into their modules. Companies and developers also depends on packages that they would think its safe, however, many of this packages are develop within the same problem as mention above, that lead to the application being vulnerable, uses by financial institute which requires the help of companies that specialise in vulnerability research to find them before others do.

JDMurray

There was a series of presentations at Defcon 22 about bug bounties. Topics included how to sell vulnerabilities/exploits in the white/gray/black markets, what kind of money you can expect to make, and the legal problems involved. The presentation slides should be available before too long in the Defcon 22 media archives and the videos of the presentations before the end of the year.

Look for the following:

Screw Becoming A Pentester - When I Grow Up I Want To Be A Bug Bounty Hunter!
Jake Kouns & Carsten Eiram

Bug Bounty Programs Evolution
Nir Valtman

How to Disclose an Exploit Without Getting in Trouble
Jim Denaro & Tod Beardsley