The black hat-turned-ethical hacker who thought HackerOne was ‘too good to be true’ has earned more than $1 million in bug bounty payouts

Tommy DeVoss, HackerOne

The value of bug bounties lies not just in finding insecure code, but also in giving hackers a legitimate outlet to express their talent and earn a living.

Unfortunately, the concept didn’t exist when Tommy DeVoss learned how to hack at the age of 10 before breaking into websites as part of hacker groups including ‘World of Hell’, activities that resulted in a four-year stretch in federal prison.

Ironically, while hacking into US government and military assets led to his arrest by the FBI at the age of 19, the US Department of Defense is now one of his biggest HackerOne ‘clients’ – and, he argues, the best training ground for a legitimate hacking career.

Speaking to The Daily Swig, DeVoss, who lives in Richmond, Virginia, recounts how he got into ethical hacking after a spell in software development that followed his release from jail in 2008.

One of a handful of bug hunters to cross the $1 million earnings threshold, he also discusses his preferred vulnerabilities and hacking tools, whether it’s getting harder to find security flaws, and why he’s job hunting again despite earning thousands of dollars from a few hours’ work.

How did you get into ethical hacking?

I started in 2016. I heard about bug bounties in 2014 from a friend, but it sounded too good to be true.

I’m a convicted black hat and will spend the rest of my life in jail if I [cross the law] again.

But I saw some blog posts from other ethical hackers, which made me take it more seriously and I started hacking on Yahoo’s bug bounty program.

Tommy DeVoss and his fellow HackerOne hackersTommy DeVoss (far left) was one of the world’s first hackers to earn $1 million in bug bounty payouts

Do you tend to favor particular types of vulnerability?

I made just under $1 million by hunting server-side request forgery [SSRF] bugs, and they are my bug of choice.

It pays out really well – at least for Verizon Media, as they average about $10,000 for a server-side request forgery that can [compromise] internal assets. [DeVoss has found more than 200 valid bugs for the US media giant.]

What hacking tools do you tend to use?

Burp Repeater, Intruder, and Turbo intruder – and that’s about it.

I don’t use any automation, aside from subdomain discovery and content discovery, which I use Aquatone, Sublist3r, and Altdns for. The rest is done manually with Burp Repeater.

RELATED ‘I’m not a fan of critical bugs’ – Santiago Lopez on becoming the world’s first bug bounty millionaire

Is it getting harder to find bugs as developers become savvier at coding securely?

It’s definitely getting harder to find bugs, but since more and more companies and government organizations are doing bug bounty programs, there’s never a lack of bugs to find.

As long as people are the ones writing code, there’s always going to be insecure code.

I don’t think we’re ever going to have a shortage of bugs. As more and more people get into bug bounties, the competition’s definitely going to get harder, but I believe people will still be able to make a living from this if they are determined enough.

You’ve clearly earned a good living from bug bounties, but is the income quite variable from month to month?

It really depends on how much I feel like hacking on any given month. I tend to stop working after a big bounty.

Last year I worked about nine hours a month and made $900,000.

I keep trying to force myself to work 40 hours a week to see how much I can earn in a year, but I never get around to it – I’ll just make $100,000 in a day and then stop.

I need some structure to my day. It’s 11:15am here and I woke up about 20 minutes ago – and I'm going back to sleep when this interview’s over

Do you still enjoy hacking?

I’ll never stop doing it. This is what I do for my sole source of income.

I’m currently looking for a job, but even when I get a job, I won’t stop doing bug bounty and hacking.

Why are you’re looking for a job if bug bounty is so lucrative? And what kind of job are you looking for?

I’m looking for a security job, just because I’m bored and I miss working with people.

I need some structure to my day, as I’m not very responsible when it comes to managing my day correctly. It’s 11:15 in the morning here and I woke up about 20 minutes ago – and I’m going back to sleep when this interview’s over.

Hack The Army, US Department of Defense bug bountyTommy DeVoss says the US DoD bug bounty program is a good starting point for novice hackers

To what degree has the term ‘hacker’ been decoupled from criminality in the popular imagination?

It is definitely changing. I started hacking back in the mid-90s, and back then you were automatically seen as the bad guy if you were a hacker.

But nowadays, while a lot of people still have that kind of thought process, you have a lot of other people recognizing that not all hackers are bad.

One thing that has helped a lot has been the US government launching bug bounty programs, which helped legitimize us because people think that if the US government trusts us to do it, well it must be pretty legit.

DON’T FORGET TO READ Cybercrime isn’t the exciting career it’s cracked up to be, say academics

What would your advice be to an aspiring or novice hacker?

First off, you can’t come into this expecting to be successful right off the bat.

It takes a lot of time to learn what [bug bounty] programs want and the types of bugs they will pay for. It takes time to start finding bugs that aren’t duplicates.

So, I send a lot of people to the US Department of Defense vulnerability disclosure program. They don’t pay bounties, but they have every single technology and use that is available on the internet, including systems from way back in the 80s and 90s.

There’s no company that really compares to that, so it’s an amazing place to learn different architectures and development stacks to start finding bugs.

Where did you get your social media handle, @Dawgyg, from?

I don’t remember! I started using it in 1997. I started out with the alias ‘Nike Guy’, but after I got into trouble the first time, I didn’t want to make it easy for the FBI to know it was me, so I changed it to Dawgyg.

RECOMMENDED Collaborative bug hunting ‘could be very lucrative’ – security pro Alex Chapman on the future of ethical hacking