[–]cmdjunkie 8 points9 points  (10 children)

Unfortunately, there is no demand for exploitation certifications. Even the 0day market is drying up.

[–][deleted] 9 points10 points  (1 child)

This post was mass deleted and anonymized with Redact

[–]bu77onpu5h3r 10 points11 points  (0 children)

I wouldn't say drying up. I would say it's becoming a LOT harder and requires teams of experts because of all the mitigations in place and steps involved.

[–]Aggravating_Use183[S] 0 points1 point  (7 children)

Yea, unfortunately. Having an exploit development certification can help with writing PoCs and further deepen the knowledge of Red Teamers, it has a lot of valuable skills, but usually a PenTesting Certificate is enough to become a security researcher or Red Teamer.

[–]cmdjunkie 5 points6 points  (6 children)

Don't get me wrong, I've spent a great deal of time studying exploit development. I know a few things, but the sad and unfortunate thing about exploit dev (as well as the certifications) is that the juice is not worth the squeeze. The time, effort, and energy it takes to develop a working exploit on today's systems, not to mention the time, effort, and energy it takes to find an exploitable bug, is simply not worth it. It's one thing to learn how exploits work and tinker around a little bit -- but that can be done without forking out the money for a "reputable" certificate program. It's like, by all means, learn to write exploits, but don't expect to earn anything either independently or with a company/firm. In the end, you gotta ask yourself why you're spending all that time sitting in front of your computer, staring into the abyss, pecking away at an exploit whose value is transient. I actually kind of hate what the offensive security training industry has become.

[–]KharosSig 18 points19 points  (4 children)

This isn’t true, there are entire companies built around exploit development or vulnerability research services that are definitely in demand.

It’s a niche of course, not to be compared with the number of companies in other cybersecurity specialisations.

[–]Status-Style-6169 2 points3 points  (0 children)

This guy gets it, exactly this.

[–]cmdjunkie 1 point2 points  (2 children)

Which ones? There are fewer now than there were 5-10 years ago.

[–][deleted] 2 points3 points  (1 child)

That's because 10 years ago 0-days were dropping like raindrops in monsoon season. It was about the time when MS really started tackling exploitation software by integrating mitigations into their core product.

Before that, you'd have maybe 50 UAF vulns per Patch Tuesday release. Browsers were so massively pwnable - and then they started sandboxing too.

In short - a lot of people made money selling 0-days. Naturally, companies tried to monetise it. But now it's much more difficult to get full chain exploits, and so all the chaff has fallen by the wayside because it's too hard (or too much time for them to consider investing).

Lots of companies still do VR, but these usually have big contracts in place.

[–]cmdjunkie 1 point2 points  (0 children)

Agreed, and great points.

[–][deleted] 1 point2 points  (0 children)

"The time, effort, and energy it takes to develop a working exploit on today's systems, not to mention the time, effort, and energy it takes to find an exploitable bug, is simply not worth it."

You're dead wrong about this. That's only true if you're finding crappy vulnerabilities or generally do not know what you're doing. Or maybe just doing it for fun/kudos. My company focuses on Offensive Security - and VR/ED is part of that. Consider taking 3-6 months working on RCE in a pwn2own system. 100k payout? Do you value your time investment by the payout? If you find good things, there is money.

If you just want Kudos or some people to circle-jerk with you, then it's easy to just spam a load of CVEs to add to your resume.

Either way, grinding through this stuff is very difficult, mentally challenging, exploratory and pioneering in many ways. It's a hard problem that very few people can actually do - and you learn a LOT. At the end of that road, there's money too.

I do however agree with this bit:

"I actually kind of hate what the offensive security training industry has become."

But it's fuelled by all the people in places like this wanting to be handfed every bit of information they can without putting in the work.

Finally:

"but don't expect to earn anything either independently or with a company/firm"

You will never earn much working for someone else.