Research

Vulnerability researchers are often unfairly labeled as extortionists, but their work simply uncovers flaws that already exist. These discoveries hold real value and deserve to be treated as intellectual property in legitimate business negotiations. While vendors have entire teams to protect their interests, researchers are usually left unrepresented. Desired Effect was created to level the playing field and ensure fair negotiations for both sides.

Most defenders only learn about a vulnerability once it’s too late—after the damage is done. In this post, a 20+ year veteran of the exploitation space pulls back the curtain on the full lifecycle of a software vulnerability, from discovery and proof of concept through black-market transactions, weaponization, and eventual CVE disclosure. Along the way, you'll learn why the current system favors attackers, how researchers are often misunderstood, and why traditional “respond-after-breach” models are broken. This post introduces the mission of Desired Effect: to bridge the gap between discovery and defense—before exploitation can ever begin.