Beyond the CVE: What I Learned While Hunting Bugs and Jobs Simultaneously


The High of the Hunt
It started with a debugger and a hunch. When you’re deep into security research, there’s a specific kind of adrenaline that hits when you realize you’ve found a way to make a system do something it wasn’t supposed to do.

Recently, my research led me to discover two vulnerabilities in NVIDIA software:

CVE-2025-33245: A flaw I found through rigorous testing and low-level analysis.
CVE-2025-23312: A collaboration with the talented folks at Zhuque Lab (Tencent).

Seeing my name in the NVIDIA February 2026 Security Bulletin felt like a milestone. I wasn’t just “writing code” anymore; I was contributing to the safety of millions of users. In that moment, I thought: “If I can find bugs in software written by world-class engineers, landing a job should be a breeze, right?”

The Reality Check
The irony is palpable. One day, you’re getting officially credited by a tech giant for solving a security risk. The next day, you’re receiving an automated rejection letter from a mid-sized company because you “don’t have enough years of commercial experience.”

I’ve spent months applying for Software Engineering and Verification roles. I’ve reached out to industry leaders like Google, Siemens, and even NVIDIA themselves. But I noticed a disturbing trend in the 2026 job market: The “CVE Paradox.”

The CVE Paradox
Companies love to talk about “Security-First” mindsets and “Top Talent.” But the recruitment machines they’ve built are often blind to unconventional proof of skill.

Proof of Skill vs. HR Filters: A CVE is a verified, peer-reviewed proof of competence. Yet, it often carries less weight than a specific keyword on a resume.
The Overqualification Fear: There’s a strange vibe where, if you show too much initiative in niche areas like kernel-level patches or complex security research, you’re seen as a flight risk or someone who won’t be “happy” doing standard product work.

Why We Should Talk About This
I’m writing this not to complain, but to highlight a gap in how we evaluate engineers. If a developer spends their free time refactoring legacy engines, contributing to the Linux kernel, or hunting zero-days in global software, they are showing a level of dedication that no “5 years of experience” requirement can capture.

To my fellow researchers: Don’t let the rejections devalue your findings. A CVE is a permanent mark on the industry; a rejection is just a temporary glitch in a broken system.
