Software Security and Exploits
I'm not going to write allot bout software exploits because I could spend every minute for the rest of my life researching them all.
I will point out some of the Exploits that effect many people and offer up a few solutions.
The IT community is a serious self-supporting community. In that for every new issue found or discovered a new career path is launched.
Software Exploits have been around since IBM called them Gremlins or Viruses.
The New Career Announcement is for: "Penetration Testing, Exploiters and.." well it's going to be interesting what they come up with to describe a Paid Hacker.
For all computer science majors this will be a very popular industry but it will not pay what you might be thinking. Do your research about researchers that found software issues. It's not a career path I'd take without a very good business contract and a lawyer in the wing to protect you.
Until the industry sees value in our Exploit researchers it will be a select few businesses working with only businesses. Don't think by finding an exploit it's going to land you a job. Research shows a different ending.
With that said, practice makes perfect so when that software developer does ask for a PenT you and demonstrate your skills. I say demonstrate because listing your unauthorized PenT on your resume might be taking as a confession of some sort.
Bottom line is when you find something report it to the vendor of the software. Explain how you found it and ask them if they would like for you to research more. Don't send a "It will cost you." message. In the long run your resume will be with more than any one time payment for a single Exploit discovery.
If that fails follow the path that many use and report to a group that is respected in the industry. You are unknown and as a PenT you're nothing more than a Hack to them. It's hard to take knowing the hours you spent researching. But you'll be recognized for your efforts and your efforts will be rewarded in time. But not by doing time!
In this section I'll post the reporting processes and give you a clear understanding of the time frame you need to wait.
Be tolerant young (or old) grasshopper, the industry is ignorant of your ways. Let time be your resource allowing you discover new ways of showing proof of concept.