Sam Curry, an 18-year-old student in Lincoln, Neb., has been obsessed with computers from a young age, but his hobby wasn’t always a constructive one.
As a sophomore in high school, he got in trouble for hacking into his school’s computers. He found a way into the system that allowed him to pose as an administrator. He could have changed student grades or done real damage, he said, but just wanted to enter the network as a prank. School administrators were not amused, and suspended him for two weeks.
The next time he found a security vulnerability, rather than exploiting it, he reported it to the high school administration. They gave him a $50 gift card to fast-food restaurant Subway as a reward. “That is the first time I realized there is a positive outlet for this work, and maybe I could get paid for it,” he said. He turned his coding skills into “white-hat” hacking. That is, hacking systems to protect companies, not expose them.
Since then, Curry has made more than $100,000 from legally hacking high-profile institutions including the U.S. Department of Defense, video game company Valve, and Yahoo. He is one of a growing number of hackers cashing in on “bug bounties” — monetary rewards that organizations pay hackers to expose vulnerabilities in their systems.
This kind of crowdsourced security testing is “rapidly approaching critical mass” according to a June 2018 report from industry research firm Gartner. It’s become so popular that it’s almost standard for companies to participate in these programs, and it’s only expected to continue to grow.
The number of vulnerabilities in software, hardware and connected devices is on the rise, Rick Moy, head of marketing at computer security company Acalvio Technologies, said. “Enlisting the help of white-hat hackers to discover them before the bad guys makes perfect sense,” he said. “This trend is gaining momentum and legitimacy with large and small private and public sector companies coming on board.”
A single hack can pay $250,000Companies like Google GOOG, +0.60% and Apple AAPL, +0.27% offer up to $200,000 as a reward for a single hack. Intel INTC, -0.19% and Microsoft MSFT, +1.60% offer up to $250,000. Microsoft launched an additional bug bounty program specifically for identity services last Wednesday with payouts ranging from $500 to $100,000.
The average payout for turning in a security vulnerability to a white hat hacker bounty program is $2,000 according to a study from HackerOne, a hacker-powered cybersecurity company that allows companies to list hacking projects for people to take on for cash bounties.
Curry uses HackerOne to find his hacking gigs. Other companies like SynAck and BugCrowd also crowd-source hacking talent.The most Curry has made in a single hack was $12,000, which he used to buy a 2014 Toyota Corolla sport car. Now, he works on bug bounty projects about 20 hours each week, working mostly from 9 p.m. to 2 a.m. after his daytime school work.
“It’s more of a side hustle than a full-time job,” he said. “I don’t think it’s healthy to be a bug bounty hunter for 40 or 50 hours a week because you lose that sense of creativity and objectivity that help you.”
HackerOne hosts bounty programs for Uber (which pays an average bounty of $500 per hack) Snapchat SNAP, +1.52% , Yahoo, Sony SNE, +1.22% , Spotify SPOT, -0.81% , Starbucks SBUX, +0.84% , and the U.S. Department of Defense.
‘Surfacing vulnerabilities before our adversaries can exploit them is essential’Awarding hackers one at a time is often cheaper than employing additional full-time security researchers. It also incentivizes online hackers to monetize their research through a legitimate avenue instead of selling hacks on the dark web to cybercriminals and nation state cyberattackers, said Chris Morales, head of security analytics at cyber threat analysis company Vectra.
“Companies hosting bug bounty programs can fix problems before they become widely known and exploited,” he said. “In the end, a software company needs to make a build versus buy decision. Do they want to run the bug bounty program on their own or can they benefit from a third party who runs one for them?”
For Oath, a digital media company owned by Verizon VZ, -0.88% , a white hat bounty program has become an integral part of its larger security program, said Chris Nims, chief information security officer, said. “Surfacing vulnerabilities and resolving them before our adversaries can exploit them is essential in helping us build brands people love and trust,” he said. In April, the company hosted a kind of hackathon where it awarded white hat security specialists more than $400,000 in one day to find vulnerabilities in its systems.
Uber covered up a $100,000 bounty paymentBug bounty programs have not been without controversy: In November 2017, the chief executive officer of Uber revealed the company was forced to pay a 20-year-old hacker $100,000 after he found a 2016 breach of 57 million customer emails and other data. The maximum payout for Uber white hat hacks at the time was $10,000. CEO Dara Khosrowshahi said in November that Uber was wrong in covering up the payment for more than a year, saying, “We are changing the way we do business.” Uber told MarketWatch it has paid $1.5 million to more than 500 researchers to date for legitimate finds.
Bug bounties are no longer just for security vulnerabilities: Facebook FB, +1.63% launched a “data abuse bounty” in April after the controversy surrounding Cambridge Analytica, a data firm that accessed the information of 87 million users. It will now reward people who report high-impact privacy flaws up to $40,000.
As for Curry, he said he has grown from finding a community of hackers to communicate with. “The great thing about the bug bounty community is that even though there is so much money involved it’s one of the most collaborative communities ever,” he said. He now runs a blog where he shares how he found different vulnerabilities and plans to continue in the security research field after college.
“There are a lot of stereotypes about hackers — for a while my family thought it was a big time sink and antisocial until I finally started getting paid for it,” he said.“I spent my life with my family thinking I was just being unproductive but now I’m getting checks for it.”