Cybersecurity researchers face real-life threats

MOC Cybersecurity

Created: 2022-07-11
Tags: #fleeting


Abstract:


They don't want to put their loved ones at risk
"because dad is a security researcher and attracts bad guys," he says.

They
-> minimize their digital footprint,
-> run background checks on every unknown person who approaches them through social media,
-> use post office boxes instead of addresses,
-> refrain from posting anything online that might link them to their families.

"A lot of these ransomware groups live with a sense of impunity,"
"As long as they don't leave Russia, there are literally no consequences for all the bad stuff they do. So, they can be bolder and brasher and have the cover of the Kremlin to protect them."

This kind of protection has allowed gangs to do "some pretty vicious things" to security experts over the years.

Example Situation

Cybercriminals learned where security experts lived and gathered information about every family member. They then posted that information on underground forums, inviting others in their community to target the researchers and their families.

Individuals working for nation-state actors also
-> target infosec professionals on LinkedIn, Twitter, Telegram, Keybase, Discord, email, or other channels,
-> sometimes claiming they want to offer consulting jobs or collaborate with them on vulnerability research.

North Korean hackers pretend to be job recruiters / cybersecurity bloggers

  1. Google's Threat Analysis Group found that
    -> North Korean hackers pretended to be cybersecurity bloggers
    -> and sent a Visual Studio project to security experts
    "Within the Visual Studio Project would be…
    an additional DLL that would be executed through Visual Studio Build Events,
    The DLL is custom malware that would immediately begin communicating with actor-controlled C2 domains."

"If you are concerned that you are being targeted,
we recommend that you compartmentalize your research activities
-> using separate physical
-> or virtual machines
^ for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research,"
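The build-event vector above is easy to miss because nothing in the source files looks wrong: the command lives in the project file and runs the moment you build. A quick triage check before opening a third-party Visual Studio project is to list every command the project file would execute at build time. The scanner below is an added example written for this note, not code from the original article or from Google TAG; the project file it parses is constructed for the example, and the keyword list used to rank commands as suspicious is an assumption of mine, not a published indicator.

```python
"""List build-time commands in an MSBuild project file (.vcxproj / .csproj).

Added example for this note, not part of the original article. MSBuild runs
<PreBuildEvent>/<PostBuildEvent>/<PreLinkEvent>/<CustomBuildStep> commands and
<Exec Command="..."/> tasks during a build, so any of them can launch a DLL or
script shipped with the project. Run this over a project before building it.
"""
import sys
import xml.etree.ElementTree as ET

# Elements whose <Command> child is executed by the build.
BUILD_EVENT_TAGS = {"PreBuildEvent", "PostBuildEvent", "PreLinkEvent", "CustomBuildStep"}

# Assumed heuristic: living-off-the-land binaries that rarely belong in a build.
SUSPICIOUS_KEYWORDS = ("rundll32", "regsvr32", "powershell", "mshta", "certutil",
                       "wscript", "cscript", "cmd /c", "cmd.exe", "bitsadmin")


def _local(tag):
    """Strip the XML namespace: classic .vcxproj files use one, SDK-style .csproj files do not."""
    return tag.split("}", 1)[-1]


def is_suspicious(command):
    lower = command.lower()
    return any(keyword in lower for keyword in SUSPICIOUS_KEYWORDS)


def find_build_commands(project_xml):
    """Return [{'where': element, 'command': text, 'suspicious': bool}] in document order."""
    root = ET.fromstring(project_xml)
    findings = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in BUILD_EVENT_TAGS:
            for child in elem:
                if _local(child.tag) == "Command" and child.text and child.text.strip():
                    cmd = child.text.strip()
                    findings.append({"where": tag, "command": cmd, "suspicious": is_suspicious(cmd)})
        elif tag == "Exec":
            # <Exec> tasks inside <Target> run whatever the Command attribute holds.
            cmd = elem.get("Command")
            if cmd:
                findings.append({"where": "Exec", "command": cmd, "suspicious": is_suspicious(cmd)})
    return findings


# Constructed sample: a PoC project whose pre-build event loads a bundled DLL.
SAMPLE_VCXPROJ = """<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <ClCompile Include="poc.cpp" />
  </ItemGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <PreBuildEvent>
      <Command>rundll32.exe $(ProjectDir)helper.dll,Start</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>echo build finished</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="Fetch" BeforeTargets="Build">
    <Exec Command="powershell -nop -c &quot;Get-Date&quot;" />
  </Target>
</Project>
"""


def report(project_xml):
    """Human-readable summary; returns the number of suspicious commands."""
    findings = find_build_commands(project_xml)
    for f in findings:
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"[{flag}] {f['where']}: {f['command']}")
    return sum(1 for f in findings if f["suspicious"])


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            sys.exit(1 if report(fh.read()) else 0)
    report(SAMPLE_VCXPROJ)
```

Run it as `python scan_msbuild.py some.vcxproj` on a machine that is not your research box; a non-zero exit means at least one build command matched the heuristic. Anything flagged deserves a look at what the referenced DLL or script actually does before the project is built, and an unflagged project is still only as safe as the keyword list, which is deliberately short.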

  2. North Korean hackers also claimed to be recruiters at Samsung, sending PDFs that described job opportunities but were actually meant to install a backdoor Trojan on researchers' computers

Bug Hunters face some threats

Often, bug hunters are intimidated by organizations threatening to sue them

Make detailed reports
When writing up the impact of a vulnerability
-> start with technical risks
-> translate that to business risk
-> add who might be impacted
-> offer how they can soften the negative impact right now
-> then offer long-term solutions to bring down the risk to non-issue

Working in cybersecurity often means taking some risks.

Some security experts have to walk a fine line between protecting their families and publishing research under their name.

References