I didn’t know compiler farms were a thing, but it makes perfect sense.

During university, our computer security class involved finding exploits in Firefox. It took 8 hours to compile on our average student grade compute. There were probably faster incremental ways to build, but navigating the Firefox open source code base was hard to entry point as a student. Effectively, most people got to compile Firefox a few times, but no one went further than making any code changes or discoveries. Navigating the Firefox build and tool chain is probably an undergrad course in and of itself, much less make any meaningful merge request or finding a vulnerability.

Overall, horribly designed curriculum. The expectation was for undergrads to find a zero day in Firefox. The professor was a researcher from Microsoft, but didn’t seem like he had realistic expectations for undergrads. Maybe they were throwing darts, hoping one student finds an novel exploit, and they can be cited. In the end, no student found an exploit or made any code changes. I was the only who found a DoS code payload for Firefox, but it was neither a zero day (poking around a known less developed API) nor high risk. It merely crashed Firefox on any webpage which contained this 2 lines of JavaScript. In the end, I got the lowest grade in the class because the professor changed the rubric after no one else found anything. Finding this exploit went from 80% of the grade to 5%, and participation credit went from 10% to 70%.