How would you describe your role at RII?
I lead the vulnerability research (VR) team, which primarily means taking the roadblocks and issues away from engineers so they can focus on security research. It also means getting them the resources they need to be productive. For example, I created the original mentoring program, which every VR team member completes and which is consistently expanded by teammates as we identify new skills needed on our programs.
Can you tell us about something you or your team accomplished that made you proud?
I’m most proud of moments when a teammate starts from a relatively blank slate (e.g., just pivoting into a VR career, or switching to a domain they have never seen before) and then is able to develop a capability within a short timeframe. We get to look at devices and technologies that most people will never get to see, collectively become experts, and then leverage that technology in completely unintended ways. It’s a kind of excitement that never gets old for me. Though we don’t often get to share what we’ve done, we quietly know the impact it has on global security.
How does someone become a vulnerability researcher?
It often starts from a foundation of computer science or computer engineering, but the irreplaceable characteristic is a passion for understanding how things work internally and creatively finding ways to violate assumptions. With those pieces in hand, there are tons of free and self-directed learning resources online that a curious engineer can find to learn all the vulnerability-research-specific stuff. This almost always leads to Capture the Flag (CTF) competitions, which are a very good training ground (check CTFTime.org; others like HackTheBox or TryHackMe are cool, but generally emphasize a different skill set than we need).