Beyond the CVE: What I Learned While Hunting Bugs and Jobs Simultaneously

medium.com · RuslanSemchenko · 10 hours ago · research
RuslanSemchenko · ~2 min read · April 4, 2026 (Updated: April 4, 2026)

The High of the Hunt

It started with a debugger and a hunch. When you're deep into security research, there's a specific kind of adrenaline that hits when you realize you've found a way to make a system do something it wasn't supposed to do.

Recently, my research led me to discover two vulnerabilities in NVIDIA software:

CVE-2025-33245: A flaw I found through rigorous testing and low-level analysis.

CVE-2025-23312: A collaboration with the talented folks at Zhuque Lab (Tencent).

Seeing my name in the NVIDIA February 2026 Security Bulletin felt like a milestone. I wasn't just "writing code" anymore; I was contributing to the safety of millions of users. In that moment, I thought: "If I can find bugs in software written by world-class engineers, landing a job should be a breeze, right?"

The Reality Check

The irony is palpable. One day, you're getting officially credited by a tech giant for solving a security risk. The next day, you're receiving an automated rejection letter from a mid-sized company because you "don't have enough years of commercial experience with [insert random framework]."

I've spent months applying for Software Engineering and Verification roles. I've reached out to industry leaders like Google, Siemens, and even NVIDIA themselves. But I noticed a disturbing trend in the 2026 job market: the "CVE Paradox."

The CVE Paradox

Companies love to talk about "Security-First" mindsets and "Top Talent." But the recruitment machines they've built are often blind to unconventional proof of skill.

Proof of Skill vs. HR Filters: A CVE is a verified, peer-reviewed proof of competence. Yet it often carries less weight than a specific keyword on a resume.

The Overqualification Fear: There's a strange vibe where, if you show too much initiative in niche areas like kernel-level patches or complex security research, you're seen as a flight risk or someone who won't be "happy" doing standard product work.

Why We Should Talk About This

I'm writing this not to complain, but to highlight a gap in how we evaluate engineers. If a developer spends their free time refactoring legacy engines, contributing to the Linux kernel, or hunting zero-days in global software, they are showing a level of dedication that no "5 years of experience" requirement can capture.

To my fellow researchers: don't let the rejections devalue your findings. A CVE is a permanent mark on the industry; a rejection is just a temporary glitch in a broken system.

#cve #programming #nvidia #bug-bounty #industry