Wednesday, March 5, 2013 — Detroit, Michigan
He works for thirty-one hours straight.
Not because he forces himself to — he's pulled. The knowledge in his head is not passive. It is active, eager, structured with an internal logic that seems to want to be expressed in code. When he tries to take a break around hour six, he sits on his couch, closes his eyes, and finds that his mind simply continues working, tracing logic trees, optimizing scan sequence protocols, restructuring the memory allocation for the behavioral heuristics engine. Sleep feels inaccessible. Not because he's caffeinated or anxious — he's remarkably calm, actually — but because some threshold has been crossed in his brain and the machinery is running.
He eats standing at the kitchen counter. He doesn't check his phone.
By Thursday morning, he has a working prototype.
It doesn't look like much. Sentinel-Prime, in the form Ethan has built it, is a command-line application — no interface, no dashboard, no graphic design. Just a terminal prompt and a configuration file. Any senior security engineer at any major firm who glanced at the repo would recognize the category of tool and be unimpressed before they understood what they were looking at.
But what the tool does — that is a different matter.
Ethan runs it, for the first time, against his own laptop.
The scan takes four minutes and thirty-seven seconds. When it completes, the output report is eighty-three pages long. Not because the laptop has eighty-three pages' worth of vulnerabilities — it has a modest handful — but because Sentinel-Prime doesn't merely list what it finds. It narrates. For each vulnerability, the report describes the attack vector in plain language, constructs a hypothetical exploit chain showing exactly how a malicious actor would use the weakness, and then lays out a remediation path with estimated implementation time and priority classification.
What impresses Ethan most isn't the vulnerability detection. It's the reasoning. The system has identified three issues he genuinely didn't know about. One of them is a misconfiguration in his personal VPN client that creates a timing side-channel. He hadn't known about it. Sentinel-Prime found it, named it, and suggested the fix before he even finished reading the header.
He sits back and looks at the report for a long time.
This, he thinks, is real.
He spends the next four days building what he calls the operational layer — the scaffolding that will allow Sentinel-Prime to run against external networks within legal scope. Responsible disclosure is not optional. It is the architecture of everything he intends to do. If the tool is going to be valuable, it has to be trusted. If it's going to be trusted, he has to be the person who shows up with findings and asks permission, not the person who shows up with findings and demands payment under duress.
He studies public bug bounty programs. He reads disclosure policies. He reads court cases — United States v. Auernheimer, the Aaron Swartz case, the cases that had ruined careers and ended lives. He reads them not with fear but with the focused attention of a man calibrating his instrument.
He also thinks about money.
By Saturday, his checking account is at $261. He has rent due in three weeks. The freelance listings he'd bookmarked before losing his job are still there — $15/hour for network monitoring, $20/hour for IT support. He could go that route. He has gone that route.
Or.
He opens the Protocol Zero interface for the first time since the acquisition. The catalog is there, the same clean categories. His credit balance reads zero. He types a question into the terminal:
How do I earn more credits?
> CREDITS ARE EARNED THROUGH THE SUCCESSFUL REAL-WORLD DEPLOYMENT OF ACQUIRED KNOWLEDGE. THE SYSTEM EVALUATES IMPACT, NOVELTY, AND SCALE. A SIGNIFICANT RESPONSIBLE DISCLOSURE TO A MAJOR TECHNOLOGY COMPANY WOULD GENERATE SUBSTANTIAL CREDIT RETURNS.
> THE SYSTEM DOES NOT REWARD INACTION.
He reads that last line twice. Then he nods slowly, the way you nod when someone says the thing you already knew but needed to hear aloud.
He opens a browser. He navigates to Google's security documentation page. He finds, buried in a corporate help article, a single paragraph about their Vulnerability Reward Program. The maximum payout listed is $20,000.
He looks at that number for a moment.
Then he closes the browser and begins planning the scope of what he is going to do to Google's network perimeter.
Responsibly. Legally. With signed permission and documented methodology every step of the way.
But comprehensively. The way a surgeon is comprehensive — not because they want to cause damage, but because they understand that finding everything is the only honest standard.
He sends the first email on a Sunday evening. It is three paragraphs long. It explains who he is, what Sentinel-Prime is capable of in broad terms, what he is proposing, and what his professional background is. He does not oversell. He does not promise specific numbers. He simply says: I believe I can find things in your systems that your current tooling cannot. I'd like the opportunity to demonstrate this under a properly scoped authorization agreement.
He sends it to the Google security team's public disclosure address.
He sends a second email, identical, to the contact listed on their bug bounty page.
Then he closes his laptop, puts on his coat, and goes for a walk through the gray Detroit streets because he needs to feel air on his face and ground under his feet and to be reminded that the world is very large and has, thus far, continued to exist without him.
Three days pass.
On Wednesday, he gets a response.
The email comes from a person named Christine Mao, Senior Security Engineer, Google Infrastructure Security. It is polite and formal and skeptical in the careful way that someone who has seen too many overpromised security pitches becomes skeptical — the skepticism is in the phrasing, in what she doesn't say as much as what she does.
She asks two questions.
Can you provide a sample methodology report? And: What tools are you using?
Ethan writes back within twenty minutes. For the methodology report, he has anticipated this — he has prepared a sanitized walkthrough of Sentinel-Prime's scan of his own system, redacted to demonstrate the tool's output structure without revealing anything sensitive. He attaches it. For the question about tools, he writes three sentences that he has thought about very carefully: The primary tool is a custom system I've developed. I'm not able to share the source code at this stage, but I'm happy to discuss methodology in a call. The results will speak for themselves.
He hits send. He makes coffee. He sits at his kitchen table and watches the coffee steam until it stops.
Christine Mao writes back four hours later.
Call scheduled for Friday at 2 PM Pacific. I'll be joined by our team lead, Marcus Bell.
Ethan reads the email. He nods once. He opens his laptop and begins preparing for the most important conversation of his life.