The High of the Hunt

It started with a debugger and a hunch. When you're deep into security research, there's a specific kind of adrenaline that hits when you realize you've found a way to make a system do something it wasn't supposed to do.

Recently, my research led me to discover two vulnerabilities in NVIDIA software:

  • CVE-2025-33245: A flaw I found through rigorous testing and low-level analysis.
  • CVE-2025-23312: A collaboration with the talented folks at Zhuque Lab (Tencent).

Seeing my name in the NVIDIA February 2026 Security Bulletin felt like a milestone. I wasn't just "writing code" anymore; I was contributing to the safety of millions of users. In that moment, I thought: "If I can find bugs in software written by world-class engineers, landing a job should be a breeze, right?"

The Reality Check

The irony is palpable. One day, you're getting officially credited by a tech giant for solving a security risk. The next day, you're receiving an automated rejection letter from a mid-sized company because you "don't have enough years of commercial experience with [insert random framework]."

I've spent months applying for Software Engineering and Verification roles. I've reached out to industry leaders like Google, Siemens, and even NVIDIA themselves. But I noticed a disturbing trend in the 2026 job market: The "CVE Paradox."

The CVE Paradox

Companies love to talk about "Security-First" mindsets and "Top Talent." But the recruitment machines they've built are often blind to unconventional proof of skill.

  • Proof of Skill vs. HR Filters: A CVE is a vendor-confirmed, publicly indexed proof of competence: someone reproduced the bug and shipped a fix for it. Yet it often carries less weight than a specific keyword on a resume.
  • The Overqualification Fear: There's a strange vibe where, if you show too much initiative in niche areas like kernel-level patches or complex security research, you're seen as a flight risk or someone who won't be "happy" doing standard product work.

Why We Should Talk About This

I'm writing this not to complain, but to highlight a gap in how we evaluate engineers. If a developer spends their free time refactoring legacy engines, contributing to the Linux kernel, or hunting zero-days in global software, they are showing a level of dedication that no "5 years of experience" requirement can capture.

To my fellow researchers: Don't let the rejections devalue your findings. A CVE is a permanent mark on the industry; a rejection is just a temporary glitch in a broken system.