I was recently invited to speak at a Datatribe innovation breakfast. Fireside chat style. Eventually the moderator, Leo, opened up questions to the audience.
One person said he thought what we are doing is extortion and asked for comment. In the moment, admittedly, I’m not sure I gave a great response. I think I was kind of shell shocked.
We cannot, in 2025, be working backwards, returning to the days where researchers are viewed as criminals, somehow holding all the cards and shaking down the C-suite. There has never been a basis in reality for this.
I find the argument appalling, and in bad faith, that vulnerability researchers are extortive.
When it comes to technology, from a security perspective, there is a massive gap between what you think you are buying and what you are actually buying.
This is why the cybersecurity industry exists. You may not like that your purchases have flaws, but they do, and to rectify those flaws, we collectively spend trillions of dollars on 3rd party goods and services to make up for that gap.
They did not design the product. They did not build the product. They acquire and utilize the product, and do so with such genius and creativity that they can eventually compel said product to enter an operating state unintended by the manufacturer.
Vulnerability researchers do not create risk. They do not inject risk into an otherwise perfect product. They simply discover already-existing risk, and document their findings, often in the form of a writeup and proof of concept code. And these documents have real monetary value.
So let’s talk about this like an ordinary business discussion, because that’s what this is and what it should be.
The researcher has intellectual property (IP) to sell, and a multitude of buyers might be interested in transacting for this IP.
The buyer comes to the table with a corporate-vetted IP Transfer Agreement, non-disclosure language, myriad reps & warranties, severability, cascading clauses covering conflicts and disputes, milestones, and deadlines. All presented to the seller by a specialist - a contracts professional, perhaps even from a dedicated 3rd party firm.
And these well-armed corporates have the gall to say that “Dave” (See below, for an unrelated Dave) sitting on the other side of the negotiating table, often alone, that he is committing extortion?
Be better. Dave is not going to shake down “Big VDP”. In fact the opposite. The deck is stacked against Dave. The buyers, with their “just sign it, don’t read it, it’s all boiler plate, take it or leave it” is precisely why Dave NEEDS representation. And that’s why Desired Effect exists.
Two parties are entering into business discussions, not a shakedown. Bug Bounty programs represent buyer (aka vendor) brand interests. That’s fine! No one says Bug Bounty is committing extortion? We all know they are representing the interests of their clients. Desired Effect represents seller (aka vuln researcher) interests. Researchers also need representation at the negotiating table. Extortionary? Grow up.
