
Sam Curry, an 18-year-old student in Lincoln, Neb., has been obsessed with computers from a young age, but his hobby wasn’t always a constructive one.
As a sophomore in high school, he got in trouble for hacking into his school’s computers. He found a way into the system that allowed him to pose as an administrator. He could have changed student grades or done real damage, he said, but just wanted to enter the network as a prank. School administrators were not amused, and suspended him for two weeks.
The next time he found a security vulnerability, rather than exploiting it, he reported it to the high school administration. They gave him a $50 gift card to fast-food restaurant Subway as a reward. “That is the first time I realized there is a positive outlet for this work, and maybe I could get paid for it,” he said. He turned his coding skills into “white-hat” hacking. That is, hacking systems to protect companies, not expose them.
Since then, Curry has made more than $100,000 from legally hacking high-profile institutions including the U.S. Department of Defense, video game company Valve, and Yahoo. He is one of a growing number of hackers cashing in on “bug bounties” — monetary rewards that organizations pay hackers to expose vulnerabilities in their systems.
This kind of crowdsourced security testing is “rapidly approaching critical mass,” according to a June 2018 report from industry research firm Gartner. It’s become so popular that it’s almost standard for companies to participate in these programs, and it’s only expected to continue to grow.
The number of vulnerabilities in software, hardware and connected devices is on the rise, Rick Moy, head of marketing at computer security company Acalvio Technologies[1], said. “Enlisting the help of white-hat hackers to discover them before the bad guys makes perfect sense,” he said. “This trend is gaining momentum and legitimacy with large and small private and public sector companies coming on board.”
A single hack can pay $250,000
Companies like Google[2] and Apple[3] offer up to $200,000 as a reward for a single hack. Intel[4] and Microsoft[5] offer up to $250,000. Microsoft launched an additional bug bounty program[6] specifically for identity services...