This ex-con hacker just made over $100,000 in a single day helping companies plug up their cybersecurity
- Tommy DeVoss did time in three federal penitentiaries for hacking, but last year he made $902,000 by helping companies find security vulnerabilities.
- A San Francisco company called HackerOne brings hackers and companies together on their website and for events where hackers earn money and companies get security help.
- On Friday, DeVoss earned a little over $100,000 in a single day at a special HackerOne event.
- Hacking competitions reward hackers with big money - $40 million in 2019 - for helping companies find vulnerabilities in their websites and platforms.
- Not all hackers have an outlaw persona: Jesse Kinser, the first woman ever inducted into HackerOne's "H1-Elite" hall of fame, is a security professional at a software company who mentors other women breaking into security.
Tommy DeVoss, who hunts for computer vulnerabilities under the handle "dawgyg," is literally a white-hat hacker - the industry term for a good guy who helps protect organizations. His hat is a baseball cap, worn backwards and cockeyed on his head, but it is white.
Yet he is happy to discuss his three stays in federal penitentiaries when he was on the other side of the law. He'll even postpone taking a smoke break to give you his full attention.
DeVoss made $101,000 on Friday "doing the same thing the government put me in prison for" - finding security glitches in a competition known as a "bug bounty" hackathon. His host was HackerOne, a San Francisco company that helps organizations including the US Defense Department find and fix critical vulnerabilities by giving hackers like DeVoss a platform where he can work. "Now I can still do what I love and get paid for it instead of going to prison."
Last year DeVoss made $902,000 in "bug bounties" competing to find vulnerabilities for companies, according to HackerOne's leaderboard, and he has made $1.5 million overall. Much of that came from Verizon Media, the company that owns Yahoo, which has been beleaguered by criminal hackers stealing email credentials and other data.
"I firmly believe Yahoo is a better company today because of hackers like me," says DeVoss, 36, of Richmond, Virginia. He dropped out of high school, tried college, and spent a total of four years incarcerated for violations of the 1986 Computer Fraud and Abuse Act, a law he believes is outdated. DeVoss says he didn't steal data, he just found vulnerabilities, and for that he was punished.
A booming industry
A HackerOne report released Monday during the RSA Security Conference in San Francisco says hackers earned approximately $40 million in bounties paid by companies in 2019 - nearly as much as in all preceding years combined. Eight hackers have earned $1 million in HackerOne bug bounties since 2012.
HackerOne, which was founded in 2012, announced $36 million in venture capital investment in September, bringing the company's total funding amount to over $110 million. Investors include Benchmark, New Enterprise Associates, Dragoneer Investment Group and EQT Ventures.
Hacking "started in the darkest underbelly of the internet," HackerOne's report says, "now it's a professional calling." The company's research shows that 78% of hackers in their bug bounties use that experience to find and compete for jobs.
In cybersecurity's talent-hungry jobs market, hackers like DeVoss are a hot commodity. There are a half-million unfilled cybersecurity jobs in the United States, according to a November report from the nonprofit ISC2, an industry association that helps IT pros get certified for jobs. The group says there are 4 million unfilled cybersecurity jobs globally.
Hacking is as common-sense as stress-testing in any other industry, argues Alex Rice, a co-founder of HackerOne and its chief technical officer. "A deep understanding of how things fail and how they breach is a core competency." He says HackerOne encourages recruiting of hackers at its events. "Anyone in security is constantly in hiring mode."
Jesse Kinser joins the elite
Not all hackers have DeVoss' outlaw swagger. Jesse Kinser, who hacks under the name "randomdeduction," is director of product security at LifeOmic, a software company that uses cloud, machine learning, and mobile devices to find new solutions for healthcare providers.
Last week, Kinser became the first woman to join the "H1-Elite," HackerOne's distinction for the top hackers on its service, earning a poster depicting her on a classic comic book cover - a kind of plaque for the company's hacker hall of fame.
"People who identify as women are definitely outnumbered" in the hacking world, says the former Department of Defense worker from Bloomington, Indiana. "I feel very welcomed in this community. There are definitely other places in the hacking world where I don't feel that way."
The perception of hackers is changing, HackerOne's Rice says, and Kinser is a great example of that. She donates 5% of her bug-bounty winnings to charity and mentors other women in cybersecurity. "She's helping us close the gap between the people who build software and the people who like to explore how to break it."