cyberjerry42

cyberjerry42 OP t1_j6a0fst wrote

I personally think I'm paid very well but I know some countries tend to be cheaper on security analyst salaries for whatever reason.

Where I currently am based, I'd say you could live decently (if living with your significant other) on ~50K. I'm currently paid 90K and I'm on the "high-end" of the typical entry-level pay.

6

cyberjerry42 OP t1_j69zzev wrote

I will typically try and reach out in multiple ways to the company to initially let them know of my findings. I will search for a `.well-known/security.txt` or an official security team email. If I can't find anything, I'll try and reach out directly to people via their work email. I will then wait a couple of weeks and try to reach out once more but this time broadening my "scope" even more (sending emails to more people and repeating those I've sent initially).

After a few weeks/months, I will try and reach out via public channels to the company (Twitter, Facebook, Instagram).

I have yet to fail to reach out to a company (gladly) so I have thankfully never had to weigh the pros and cons of exposing a vulnerability publicly for the "greater good" of the community, so I can't really say what I would do if all channels of communication failed.

1
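The first step described above is looking for a `.well-known/security.txt` file (the RFC 9116 format) and pulling the security contact out of it. The following is an added example, not code from the thread or from the poster: a small parser that reads such a file, returns the contacts in the order the site lists them (first listed is preferred), and flags a file whose required `Expires` field is missing or in the past, since stale contact details are a common reason a report goes unanswered. The two sample files and the example.com addresses in them are constructed for illustration.

```python
"""Parse an RFC 9116 security.txt file and extract the disclosure contacts.

Added example; the sample contents below are constructed and the host names
are placeholders, not a real site's file.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample of a current, well-formed /.well-known/security.txt
SAMPLE_SECURITY_TXT = """\
# Security contact information for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2030-12-31T23:59:00.000Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, fr
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security/policy
"""

# Constructed sample of a file nobody has maintained: Expires is long past.
STALE_SECURITY_TXT = """\
Contact: mailto:old-team@example.com
Expires: 2020-01-01T00:00:00Z
"""


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Return a mapping of lower-cased field name -> list of values.

    Lines starting with '#' are comments and blank lines are ignored. A field
    may repeat (several Contact: lines), so every field maps to a list that
    preserves the order in the file.
    """
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            continue  # malformed line: skip it rather than reject the whole file
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def disclosure_contacts(fields: Dict[str, List[str]]) -> List[str]:
    """Contact URIs in the order the site lists them (first = preferred)."""
    return fields.get("contact", [])


def is_expired(fields: Dict[str, List[str]], now: Optional[datetime] = None) -> bool:
    """True when Expires is missing, unparseable, or already in the past.

    RFC 9116 makes Expires mandatory; treating a missing or stale value as
    expired avoids sending a report to an address nobody reads any more.
    """
    stamps = fields.get("expires")
    if not stamps:
        return True
    try:
        # fromisoformat() does not accept a trailing 'Z' on older Pythons
        expires = datetime.fromisoformat(stamps[0].replace("Z", "+00:00"))
    except ValueError:
        return True
    if expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return expires <= now


if __name__ == "__main__":
    for label, content in (("current", SAMPLE_SECURITY_TXT), ("stale", STALE_SECURITY_TXT)):
        parsed = parse_security_txt(content)
        print(label, "expired" if is_expired(parsed) else "valid", disclosure_contacts(parsed))
```

In practice the file is fetched from `https://<host>/.well-known/security.txt` over HTTPS and the `Canonical` field is checked against the URL it was fetched from; if `Encryption` is present, the linked key lets the report be sent encrypted to the preferred contact.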

cyberjerry42 OP t1_j69wfgk wrote

I have to start by stating that I do not work for a security company, I work as a pentester for a tech company.

The company which I'm working at is very active on preemptively detecting CVEs (with tools like Snyk for example) in our dependencies so Metasploit doesn't really fit the kind of pentests we typically do. Most of our products are either built in-house or heavily scanned before being deployed. I do however use tools that are a little more focused on certain aspects to do my reconnaissance or to catch reverse shells when it comes to it, like Burp Suite, Pwncat, Feroxbuster, etc.

In terms of finding CVEs, since I only do research on our own product, I don't really "find CVEs" which will get indexed into the CVE databases. I will typically find flaws that will get patched before reaching production or that will quickly get hot-fixed.

I have to say what I enjoy the most is the cliche "I'm in" feeling. It's usually very hard to find serious vulnerabilities in a well-designed product, but once in a while you'll find a very unique or odd way of making something do something it's not supposed to and it's an insanely satisfying feeling :) I am also a staunch believer that what I'm doing is "for the greater good".

5

cyberjerry42 OP t1_j69uwo2 wrote

So my "entry path" was through customer support actually! I stumbled on a job ad. I was searching specifically for support jobs as my "plan" was to get in support. By starting in support, it enabled me to get a better knowledge of how things worked inside the company so that I could lay out my next steps. As you may assume, tech companies work very differently than other traditional jobs! After about a year of being in support I managed to gain enough knowledge about our product to fully understand it. There came a point where the company's security department hosted a CTF and I knew this was my time to shine :) I ended up winning it and that's how I got my foot in the door so to speak. The security manager now knew my name and that I had some skills so that's when I started pushing more into showing interest in that field. After a few weeks of getting to know the security team better and showing active interest in security (even from within the security department), I applied internally and got the job!!

28