zlacker

[parent] [thread] 5 comments
1. x0x0+(OP) 2024-01-04 03:07:13
I think it would be silly to do so. You're pulling down $20k+ contracts for a week's work. It's a pretty good gig and completely legal.
replies(1): >>random+O
2. random+O 2024-01-04 03:19:09
>>x0x0+(OP)
Why do you think it would be silly to take the job?

The second two sentences read like excellent reasons why you should take the job (even if they are just a repeat of what I already said in different words).

I must have missed something.

replies(1): >>x0x0+t5
3. x0x0+t5 2024-01-04 04:04:48
>>random+O
I meant it would be silly to use exploits found while performing a pentest for malicious purposes.

You get well paid and it's legal.

replies(1): >>random+c6
4. random+c6 2024-01-04 04:13:39
>>x0x0+t5
Then what do you need pen testers for? With an offer like that, any threats to your system will come work for you instead.

The reality is that you don't get paid well if the data is worthless. You only get paid well when the data is worth orders of magnitude more than what you're being offered. If you are inclined to break the law, that's a pretty nice carrot dangling there.

If you are so inclined, why wouldn't you take the job and report the not so crafty exploits to bring in the sweet, sweet paycheque and use the really juicy exploit to also go after the even sweeter data? It's a total win-win situation...

...unless you get caught, but if you are so inclined that's not exactly on your radar.

replies(1): >>x0x0+HU1
5. x0x0+HU1 2024-01-04 17:38:51
>>random+c6
My claim is that people tend not to do crime if there's a very well-paid alternative, and I think I have pretty good empirical backing on that one. Also, our data is probably not worth that much. We do pen testing so we don't get popped and leak our customers' data, likely losing some of our customer base (even if it isn't worth much, not having it leaked is); because SOC 2 essentially demands it; and because smart customers care more about pentests done by good firms than SOC 2.
replies(1): >>random+5Y1
6. random+5Y1 2024-01-04 17:53:32
>>x0x0+HU1
Exactly. So what do you need pen testers for[1]? Just pay the 'bad guys' to go away.

[1] Okay, regulation, but the need for such regulation is still in question.