The Disclosure

What responsible disclosure actually looks like from the inside. The finding, the write-up, the send, the silence. What it costs and what it gives back.

Nobody tells you about the waiting.

The popular image of security research — to the extent that anyone outside the field has an image of it — is the moment of discovery. The late night, the screen, the sudden realisation that something doesn't add up. That part is real, and it is genuinely exciting. But the discovery is maybe ten percent of the process. The other ninety is what happens after, and most of it is just: waiting to find out whether anyone cares.

I do this work independently, pro bono. There's no employer, no team, no budget. The research I publish and the findings I disclose are done on my own time, with my own equipment, out of genuine interest in how systems are built and where they fail. I've disclosed findings to software vendors and operating system developers. Some of those disclosures have been accepted, acknowledged, and fixed. Some have been met with silence.

The process, when it works properly, goes something like this. You find something. You verify it — which is harder than it sounds, because source code and running binaries can diverge, and what looks like a bug in the code isn't always a bug in the thing people are actually running. You write it up: the affected component, the nature of the issue, a clear account of what you found and how. You send it to the appropriate contact — a bugs mailing list, a security team, a CNA. And then you wait.

The write-up is the bit I find most demanding, more so than the research itself. A disclosure has to do several things at once. It has to be technically precise enough that someone who knows the codebase can immediately understand what you're pointing at. It has to be honest about what you've verified and what you haven't. It has to be written with enough care that it reads as a good-faith contribution rather than a threat. And it has to be short enough that a busy developer will actually read it rather than set it aside for later, which in some contexts means never.

Getting that balance right takes longer than people expect. I've sent disclosures that I rewrote three or four times before I was confident enough in the framing to press send. The technical content might be finished in an afternoon; the document itself can take days.

The wait after sending has a particular texture. You're holding something that you know is real — you've verified it, you've documented it, it exists — and you have no idea whether the people on the other end will agree, or care, or even read it. The thirty-day rule I work to is this: if there's no response in thirty days, I publish. That's not punitive. It's just a necessary discipline, because the alternative — waiting indefinitely, holding findings that might matter to users while a vendor decides whether to engage — is not a reasonable position. The clock is there to create structure, not pressure.

When a finding is accepted and fixed, there's a specific satisfaction that I find difficult to describe precisely. It's not triumph — the thing was always real, the acceptance doesn't change what you found. It's more like: the conversation completed. Someone read what you wrote, understood it, and did something about it. In a world where most communication disappears without trace, that completeness feels like something.

When a finding is ignored — no acknowledgement, no fix, no response at all — the feeling is different. Duller. There's a faint sense of having shouted into a room and heard nothing back. You publish anyway, because the point of disclosure is not acknowledgement; it's that the information reaches the people who need it. But it's harder to feel that you've contributed something when the conversation only goes one way.

I've had both. The accepted ones are in the public record. The ignored ones are published too. The work is the same either way. The reception is out of your hands, which is something you learn to be calm about, or at least to perform calm about, which might be the same thing eventually.

What keeps me doing it is simpler than any of this: it's interesting. Finding out how things are actually built, where the assumptions were made, where the edges weren't quite as solid as they looked — that's genuinely interesting work. The disclosure is just the last step. The work is the whole of it.