Last year there was a meme going around in the German hacking scene when Google received Pwnie’s “lamest vendor award” for closing 11 zero-days. The reason for that award is that western intelligence agencies abused these exploits for “counterterrorism operations”, so Google essentially shut down a whole spying op.
The joke about it was that closing security holes is never “lame”, and that the American hacking scene consists to a large extent of FBI, NSA or CIA, which explains the award.
To quote Felix von Leitner [1]: “They can say ‘Ex-’ a hundred times, but you won't get rid of the stench by declaring the termination of your employment.”
The quote you're replying to is from one (admittedly, from several years ago). It does seem to be getting rarer, but consider that the ones still active might not want to make themselves publicly known.
Yes, I have a friend who does this for a living. The trick is apparently to get a high enough rating that companies give you software pre-release, and you can vacuum up the low-hanging fruit before everyone else.
He claims legacy car companies are bad at security and pay a lot.
There definitely still is... But I think after circa 2012, when people found out the Anonymous movement was just a CIA/FBI honeypot, no grassroots hacker groups publicly advertise.
Due to the nature of it being a label anyone can take on, it can be used by anyone, including state actors, just to tack on a layer of extra plausible deniability when wanted. That doesn't mean the organization itself was ever or always compromised, just that the label could be used by pretty much anyone.