Okay, I'm obviously missing some important details not being a security expert. Clear a couple things up for me.
1. Do security researchers spend their efforts actively searching for one particular bug using one particular method, or do they try a lot of different things and expect to find a lot of different bugs of varying levels of importance?
2. Do companies looking at their own code for bugs only concern themselves with bugs that would be worth selling on the black market, or is every bug a concern for them?
3. Bit of an opinion question, how much would you consider spending to find a bug to sell for $100k considering the potential failure of the endeavor?
4. Do you think bug bounties are the primary motivation for white hats to research bugs, and if not what effect do they have?

I don't think Mr. Haselton is qualified to answer these.

1: A little of both. I can only speak for myself, but I tend to look at a particular piece of hardware or software, and poke it until I find something interesting. Now interesting doesn't have to be a vulnerability, but it engages the brain. Could there be an exploit in here? And if not, could there be an exploit in other products that use a fairly similar design for something?
I may start looking at product A, and find X interesting, but end up finding a defect Y in product B.

2: Both. You sell not only a product, but a perception that you care about your customers. Besides, most companies have people in decision who wouldn't be able to make an educated decision on what type it was, and underlings whose opinion is tainted because they have a real need to cover their own ass. And the companies certainly won't take the word of a hacker as to what the impact is, so they'll usually err on the side of caution, i.e. treat it seriously.
Note that treating it seriously might mean it will take quite a long time to fix, because taking code seriously also means extensive tests that fixes don't break anything else. A company that has a very fast turnover for security fixes is one that I wouldn't trust much - it's a prime candidate for looking for more problems.

3: You start with a premise that the hunt is to get a reward. I believe that's almost always a false premise.

4: No, I think the primary motivation is curiosity. Unless that;s your primary driver, you will likely not be good at it.
A bounty might make a hacker go to the company after they've discovered the bug, instead of just sitting on it.
Which I think is what mostly happens. You know about a security flaw, but don't want to go to the company given the high risk of being sued in best shoot the messenger style. And you don't want to turn blackhat either, neither for criminals nor governments. But, I repeat myself. And if you're not a kid looking for notoriety, chances are you won't tell anyone.
I am quite convinced there are thousands of unreported vulnerabilities. Bounties might help with that.

I disagree: the Model S was the right car to do first. All electric cars before it were simply crap. Worthless, horrible rides that only a hippie would drive. Yech. The Tesla is fine for many uses, and the main thing is: it's overpriced in a market where it's normal to be overpriced; it's overweight in a market where it's fine to be overweight (the S class was 3 tons not that long ago). It's a nice car, nicer than a Camry, where instead of the refinement of a luxury car for the price difference, you get the novelty of an electric car. And at that price range, you probably also have a gas car (or if not, you can rent one as needed).

Electric car tech simply isn't ready yet for low-margin vehicles. High margin cars, where intangible value is a big part of price, they work fine. It makes perfect sense to me to start there, and gradually come downmarket as they get the hang of it.

Also, most US families have 2+ cars, so one short range car isn't a problem I don't, so I'm skipping the Model S for now, but I'd love a similar car with a 50 HP gas generator under the hood. It doesn't need to provide enough power to run on, just enough to recharge given a few hours in the parking lot. None of this fancy, sure-to-break, parallel hybrid nonsense, but the great "fixie" Tesla drivetrain with a purely separate generator so I can recharge using gasoline as needed.

Any language except C has classes that prevent buffer overruns. Heck, I did assembly programming for 5 years, and the natural way to move data around avoided buffer overruns (mainframe assembly). The tools are right there, people just don't pick them up.

It's not about the language, and it's certainly not about "don't screw up", it's about a coding style that's not amenable to the mistake, and that's practical is most any language except C, really.

(Really, C and Managed aren't the only choices out there.)

I hope in the Apple tradition it is $666, and when you lose it like you lost your other ultra-losable hardware you make a Frowine face so hard it freezes that way.

By providing one, I would refute myself. :p

I still have a working Osborn 1 and use almost every day. That's over three decades of service. My CP/M 2.2 disks are toast, so I've replaced the OS with one of my own design for use in my hobby home automation projects. The 300 Baud modem died so I use its RS-232 (serial) port with an IR LED and resistor across DTR to do IO with my home theatre system. The IEEE-488 (parallel) port is used for multiple sensor IOs and a sanitized COM link to my Linux server network which can route IR messages around the rest of the home.

It's more of an "antique" retro conversation piece, but I'm a practical guy and find collectables such as this 1st widespread "portable" PC to be far more interesting when in use; Rather than collecting dust and only being the subject of tech war storries others can witness the power of its simplicity and appreciate the workhorse in action. When I press the button on my remote or smart-phone app visitors (esp. kids) heads are turned by the 5 1/4 inch drive access sounds as the proper code translation table is loaded into the 64KB RAM and colored debugging LEDs on its exposed bread boards blink while status messages flicker to life scrolling up the 54x24 character green monochrome display, then lights dim and a projector screen lowers, and various set-top boxes have their inputs configured. Kids will spend hours "watching TV" just changing the channels and active devices while actually paying attention to the old Osborne One doing its duty. I consider it sort of like an 80's version of steam-punk -- My take on "cyber-punk". Sometimes I'll show the older kids how to manually command systems by making and breaking circuits with a paperclip on the breadboard to do IO. The resulting stream of "how"s and "why"s is fully expected; This setup was socially engineered to lead hapless inquisitors away from the mind-numbing TV and out to tinker with the brain boosting electronics and robotics projects in the garage.

I have some replacement parts from its dead brothers and sisters, but it too will eventually bite the dust eventually and be replaced with other hardware. I really miss parallel ports. Even kids can do IO by hand on the old interface instead of running everything through a more complex serialization protocol; Building a USB interface just to get back bit-mapped parallel IO is just silly. Thus, old beige boxes and custom DOS programs are still my favourite for intro to software / hardware & robotics even more so than single board or embedded systems like Raspberry Pi or Arduino and its clunky expansion ports -- for want of a simple Parallel Interface... I mean, you can use a bit or byte pattern of a parallel interface as an "escape code" to signal a mode switch and with a few transistors you can have as many "expansion cards" to program as you want. When I'm teaching how stuff works, I don't want things like this abstracted away and hidden behind proprietary hardware and software interfaces.

Remember the Three R's: Reduce, Reuse and Recycle. Reusing old hardware should be attempted before recycling. Experiencing the magic blue smoke escaping from an old main board, ISA / PCI card, etc. is an important part of learning electronics projects. Having to redo their work teaches folks to be more careful even if the parts are otherwise "worthless junk". Making interesting and/or useful things out of a "Trash 80" is seen by youngsters more impressive than using purpose built devices designed to facilitate the project. If they make it past the Cyber-Junkyard Frankenstein stage Only Then do they move up to working on more expensive single board systems and full featured robotics systems, bypassing the Raspberry Pi and Arduino stage altogether (and foisting some of my old junk into other unsuspecting tinkerers' garages).

The Osborne 1 is great for operating your whole home AV gear. Bugfixing custom hardware and Z80 instructions exercises one's memory and maintains neuro-plasticity -- It can even cause kids to favor educational programming instead of that obnoxious crap on TV nowadays.

This is the problem at the heart of climate science. The key details for models are not published, and (despite being largely paid for by our money), not even available apparently under FOIA to "avoid competitive harm".

That sounds very much like commercial software development and very little like reproducible science, or even open source! WTF, guys? You wonder why so much of the public has a hard time taking climate science seriously? This shit is why.

Good science defeats skeptics through openness. "Look, here's the experiment, do it yourself if you don't trust me." Heck, even experiments on vastly expensive particle accelerators eventually become reproducible through cleverness or technological advance at other universities.

Openness, and beyond openness: the willingness to explain clearly, in detail, and in layman's terms led to the talk.origins FAQ, which takes seriously and answers seriously every common popular question and dispute about evolution, and likely led to the shift from old-school creationism to ID (which at least is progress). This is severely lacking in climate science.

The Mustang is a heck of a car these days, if you can get past the horrid cheap interior. I'd imagine it will do well.

The HP 2647 terminals we had in my high school were built like tanks. I'd bet they'd still work today.

-jcr

My Sony alarm clock has been my most robust piece of gear (I recently had to replace my Logitech gaming mouse, so that's off the list). The Sony clock is particularly ironic.

The Japanese use the phrase SOny timer for planned obsolescence, both in a general sense and a specific assertion that all Sony products have such a timer to kill the device one day after the warrantee is up (except the PS, because they need to sell the games). Funny that the clocks are the only Sony product without the "Sony timer".

Oh yeah?

It's not about how fast you patch, it's about how fast you can get patches to your customers. And for the OpenSSL flaw, there were devices where the patch process is "throw it away and buy a new one".

Anyhow, Microsoft is far and away the worlds leading expert at distributing security patches - no one really has more experience or such a well-tuned corporate ecosystem. MS pushed a critical security patch out to WU, and every major corporation knows just what to do, and understand the urgency, and has a well-travelled path for it. The more modern players are good at patching consumer endpoints, but haven't really addressed corporate customers.

Ask the former CEO of Mozilla how that worked out for him.

That's wrong in a couple of ways. What's legally required is that the board member put the shareholders interests above their own personal interests (fiduciary responsibility). But those interests are defined by the corporate charter, and to a large extent by the board itself. It's perfectly legal to create a publically traded corporation that sets social responsibility, or green blah blah blah, or some other such hippie nonsense above profit, and then that's what the board must pursue. You might struggle to get investors, or you might find a welcome market, but in any case it's allowed (and rarely happens).

More commonly, there's no requirement at all for the board to chase short term profit. That's where most the corporate infighting comes. Some corporations have firm 20 and 50 year growth plans, and sacrifice the short term for those plans, and sometimes those companies have a shareholder revolt because the owners lose patience and want everything monetized now. Sucks when that happens, but the downside of being a publically traded corporation is that you're ultimately controlled by your owners, and that can end up being anyone.