Would you mind answering some questions if you're familiar with the area (edit: hah, just noticed you posted to the OP to this whole thread.); What are some examples of firms that are involved in this work? Is it mostly a collection of smaller shops/individual contractors? After a cursory search, I seem to be seeing a lot of groups/labs comprised of relatively few people. Why are there so many references to high bill rates in these comments, is the pay especially notorious? That's something I haven't heard before.
> My office is in the same building as BitDefender. (...) They mostly hire their researchers straight out of college if they have high C proficiency
Also partially OT, just wanted to say that I was a sort of college-roommate with one of their present-day senior security researchers in the early 2000s and to this day I remember that person as one of the most code-obsessed persons I have ever met, and I say that in a good way.
He was looking at almost every program running on our room's computer (yes, we only had one computer in our room of 4 or 5, no laptops) as a thing to be "broken apart"/analyzed/made sense of, he had a state of mind and a way of looking at things when it came to computers that I've never met since then at any other computer programmers (I've mostly met desktop, backend and front-end programmers, I'm a data-obsessed person myself). I realized in the meantime that in order to enter this "computer security" field and especially in order to be good at it you need to have a different set of skills and especially a different way of looking at things compared to other computer programmers.
