Saw a similar post on reddit but it didn't have many responses. I'm also very interested in the subject.

Considering one already has experience in security, e.g. Bachelor's/Master's level courses, practical bug bounties, CTFs, and can use Metasploit. These all teach the users how to use tools, or to find pre-existing/known attacks and vulnerabilities.

How does one jump from this to finding new/undiscovered vulnerabilities in applications and operating systems that could be made into actual CVEs?

Does anyone have experience in this?

For example, how do those in Google Project Zero perform such finds?

Thanks.
There is no magic. You have to try things. There are two things that worked for me personally:

* Study the technology in order to find out potential oversights and design problems.
* Fuzz test it to find problems by brute force.

Keep in mind that the more you practice the better you become at it. Your intuition will start to help you filter things that are worth exploring and as such get more fruitful results faster. While you can read about vulnerability research techniques, your intuition will only grow through practice and experience.

Also, the more bugs you discover the more confident you become, which also helps in the long run because in many situations you will not know what you are doing but you believe strongly that you will find something.

Also, keep in mind that while security researchers are smart people, what they do is not that genius at the end of the day. When you are reading someone's awesome research you may come to the conclusion that the work had the same logical development as outlined in the paper - a stroke of genius. It does not work quite like that in reality. It only makes sense at the end. It does not make that much sense in the process. You just fake it until you make it. :)

So yah, the way you make the jump from using tools to finding vulnerabilities yourself is by making that jump. Pick a small target area of research first and grow from there.