None of you are going to believe me that this massive increase in defensive market bug bounties is BAD for security until some men say it aren’t you?
Wait, men did say it with me.
Men from Harvard & MIT.
We said it in 2014.
This accelerates perverse incentives & decimates hiring. https://twitter.com/iblametom/status/1197560642582073344
Ok, can’t say we didn’t warn you.
Enjoy that hiring pipeline drying out as you place huge upsides on staying OUT of working for tech companies to help PREVENT these security holes in the first place.
You’ll collect a few good press stories. Probably also a few exploits.
THEN WHAT?
Kids will reminisce:
How did you make $1.5M?
Well I interned with Apple/Google, then waited the obligatory 6 months or a year or whatever, then MADE $1.5M when I developed an exploit that I knew worked.
Or you know, I didn’t wait, colluded with someone outside & we split the 💰.
But you know what, there are some great zombie movies on this flight and that’s where I’ll be hanging out, along with these undead gotta shoot em in the head busted notions that defense can possibly ever win in a price war with the offense market.
Come with me if you want to live
Because Twitter hides replies. Curious about where I’m getting this? The last decade of my work & direct observation of this phenomenon in action.
These defense market prices are short sighted.
You can’t compete on price, it’s like winning a land war in Asia. https://twitter.com/k8em0/status/1198225073791889408
You can follow @k8em0.