
nobody's asking security researchers to work for free. the people asking security researchers to work are paying them for that work.

if you're doing un-asked-for work, you can't expect to get paid



I agree. But there are advantages to be gained beyond mere payment. (Assuming the work is somewhat more than just "I fed your name into ssllabs")

Say you find a genuine issue. You can document it and send it to them. You might suggest an appropriate amount, but you've given them something to evaluate. Chances are you get nothing, but there is still other value in the exercise.

You can also add this to your portfolio. Once you have a few of these, apply for jobs at security firms. They can judge your skill level to see if you're worth adding to the team.

You can also determine if this is a whole class of problem. Publishing the issue (without naming the company involved) raises your profile. You can leverage that profile into paid work down the road.

Of course you should understand all this before you "do the work" in the first place. If you're gonna do random drive-by work you should understand your goals. Given that the parent did not disclose, presumably there was some other motivation in play.



