As a company founder, I am often asked to share the origin story, the singular event that inspired me to change jobs, invite risk, and take action. Like many revelations, this one stems from a most motivating emotion - anger.
Have you ever been to the RSA Conference? The annual event is the cybersecurity industry’s sales and marketing Super Bowl, and the lengths companies go to for attention stretch further with each passing year. It had already been a long day walking the streets of San Francisco, dodging every guerrilla marketing stunt imaginable. I evaded drones, laser beams, LED screens on every surface you can think of, carnival barkers, food fights, and big-name pop star concerts. By this point I needed a rest before taking in more noise. I found a seat at a hotel lobby bar, hoping for a moment of relative silence. And that’s when it happened.
You couldn’t avoid them. Two sales bros dressed in custom alligator vests and boots made from gophers, bro’ing it up, toasting their recent conquests as if returning fresh from a hunt. One boasted to the other, “I just made my quota! Six-figure commission check on a seven-figure software deal!”
If you know me, then you know I am all for the success of others. I love it when people score big wins; they work hard for them. But this exchange didn’t sit right with me. I’ve been working in cybersecurity operations for more than two decades, and I’ve seen how adversaries keep winning. Defenders can’t keep up with the vulnerabilities in our systems, let alone the tools developed to exploit them. And as these dudes kept talking, it became increasingly obvious that neither of them could even turn on a computer, let alone understand the technical merits of what they were selling.
I thought of the RSA exhibit hall floor, and the $3 trillion cybersecurity marketplace that exists today. It’s made up of companies with some of the highest valuations on planet Earth, who hire handsomely paid, phenomenally talented engineers to build products and run them through rigorous quality assurance release processes. This of course is followed by a multimillion-dollar marketing campaign convincing everyone the new product is bulletproof. Sales reps emerge, fancy collateral and steak dinner budget in hand, with compliance and audit teams not far behind. And so it goes, everyone cashing a check along the way.
We forget. This entire industry, every single penny in the $3T marketplace, exists because of the vulnerability research community. If you are reading this, very likely your job would not exist without these unsung heroes.
All of it. Built on the backs of that one kid who decides not to believe the hype. The small team that says “we’re going to take this apart and see how it works,” doing research for the love of curiosity. They find a flaw, and if that knowledge ever makes its way into the wrong hands, the impact could be catastrophic: systems taken down, information stolen, data tampered with.
But when the corporates making the most profit gather at forums like RSA, researchers are nowhere to be found. They are left out. In an ecosystem where seemingly everyone is making copious amounts of money, vulnerability researchers are disproportionately underrepresented, not able to participate in the market commensurate with the impact they bring.
I love sales reps, I do! They possess a skill I do not have, a skill I appreciate. But seriously. Researchers get mere applause when presenting at a tech conference while the homies roll in seven figures’ worth of “cure”.
Right now, researchers who want to partake in commercial pursuits for their efforts have limited options. The primary avenues are to sell to governments or criminals, and to many researchers, both pose a moral hazard. Corporate VDPs (vulnerability disclosure programs) give the big guys all the leverage. Long negotiations and complex processes put brand protection over information-sharing, creating bureaucracy that actively turns off some who simply want to help. I can’t think of any other industry where someone does at-risk work, completes the project, supplies the work product, and only then negotiates the compensation. And let’s not forget how a VDP can keep researchers from being able to talk up their wins. It wasn’t all that long ago that a hacker would disclose a bug and use the publicity to launch a pentest company (or whatever). Hard to do that now when one is gagged by NDAs and legal wrangling. Meanwhile, attackers are able to thrive on secrecy by offering hassle-free payments for zero-day exploits that fuel their profitable criminal enterprises.
And what if nothing changes? Researchers monetize their work in shady underground markets, allowing attackers to maintain their perpetual and unfair advantage. The truth is that many researchers don’t want to operate in these spaces, but today their work is misunderstood, and that is pushing them into the arms of attackers.
It is time for an alternative approach to emerge, a pathway that fairly compensates researchers for the outsized impact they have on the market. A way that gets exploit data to the defensive community as quickly as possible. Something that upsets the monopoly attackers currently hold on this data, disrupting their easy pathway to the critical tooling they require to commit crime.
Making this work doesn’t require trillions. Researchers don’t need alligator vests, but they do need to be able to participate in an ethical, safe, and transparent marketplace, and they need to be in control of their intellectual property. They need to know who they’re selling to, they need to be allowed to set their own terms, and they need to be able to walk away.
It is time to do more than merely celebrate researchers with platitudes and “attaboys”. The best way to truly acknowledge this work is to create a world that allows the free market to provide fair compensation for their impact.
When we do this right, we might just create a world where true technological ingenuity becomes the currency that keeps us safe, rather than slick guerrilla marketing stunts.
So what can you do? Join us and see what comes next.