dunadan (@udunadan)'s Twitter Profile
dunadan

@udunadan

An open-eyed man falling into the well of weird warring state machines. I talk about reverse engineering, vulnerability research and exploit development.

ID: 1389687473459052545

04-05-2021 21:06:36

1.1K Tweets

800 Followers

60 Following

A difference between vulnerability research and exploit development is similar to hunting-gathering food and cooking it. Some people are mostly good at only one, but you need to be a little bit of an expert in both to perform it at all, mostly at the exploitability evaluation stage.

... But in reality, the path is more like moving along a manifold with unexpected curvature: what looks like a straight geodesic from afar is full of local twists, detours, and hidden folds when you’re actually walking it.

Yet again an outsider asked how we measure progress in day-to-day VR, and I failed to come up with anything sounding substantially better than "we're just vibing it bro".

On one hand, it's the typical defender vs. attacker symmetric difference; you only get sad when you're on the inside, defending. On the other hand, take some special, isolated field like memory corruption & feel the everlasting dread of your job dying due to a new mitigation set.

An important addendum from a conversation with chiefpie: n-days help training vulnerability intuition, the so-called spidey sense; you develop it when guessing if the function is promising judging purely by its name, not actual code changes, like with the case study I provided.

To be a good researcher, you must also believe in yourself. Yes, people way smarter and more experienced than you have looked at this code. But there is hope your look will be the one to find a crown jewel. It is possible only if you try.

Mental resilience is what gets you through dark times of bug drought. There is no way around hardening of the heart.

How does an advanced researcher differ from a beginner? An advanced researcher inevitably becomes a weird specialist in the target area (compilers, browsers, kernels, servers) more than a "hacker". An experienced researcher is ontologically closer to the target's developer than to a VR beginner.