The driving motivation for almost all cybersecurity researchers is an insatiable curiosity - it's like an itch that must be scratched.
How that itch is scratched is what distinguishes one researcher from another.
Runa Sandvik describes herself as a 'situative researcher'.
That situative approach has remained with her in her subsequent role as a security researcher.
Beyond curiosity, Sandvik believes the researcher needs a degree of stubbornness.
She accepts the correlation of the terms 'hacker' and 'researcher', even to the extent that you have white hat and black hat hackers, and white hat and black hat researchers.
There is, of course, a further characteristic required of all researchers without the benefit of a trust fund - the ability to make a living.
If a researcher's discovery is ignored by the bounty program, or if the reward is not considered to be representative of the true value, the researcher may be tempted to sell a discovered vulnerability or exploit on the open market.
A Russian researcher may see nothing unethical in selling a zero-day exploit to the Russian government, nor an American researcher in selling to an American or allied agency.
Runa Sandvik's preference for situative research lends itself to sharing.
At some point all researchers must share their work - either with the vendor concerned or the wider public.
This is when the researcher must choose between any of the variants of 'full disclosure' or 'responsible disclosure'.
Most white hat researchers prefer responsible disclosure; but few will condemn those who disagree.
The disclosure issue abuts the legal issue - something that all researchers need to consider since there are different legal rules in different jurisdictions.
In the U.S. there is no law prohibiting the fundamental process of research - reverse engineering - provided you are reversing a legally acquired product.
Today researchers are more likely to be considered a boon to cybersecurity than a threat to products.
SecurityWeek asked Sandvik what, among all her research and discoveries, had given her the greatest personal satisfaction.
Talking about the rifle research, that word 'fun' cropped up again, used by both Sandvik and her husband and research partner.
We asked if 'fun' is an important part of her approach to research.
Apart from the fun of doing the research, there is also the sense of fulfillment in successfully concluding it.
This Cyber News was published on www.securityweek.com. Publication date: Wed, 03 Jan 2024 16:13:06 +0000