For Hackers, It Pays to Be Nice

By Clinton Pownall
President & CEO, Computer Business Consultants

There’s an old country song made popular by Willie Nelson and Waylon Jennings: “Momma, Don’t Let Your Babies Grow Up to Be Cowboys.” These days you could sing the same sad song about hackers . . . unless, that is, they grow up to become white hat hackers, in which case they may become millionaires, while doing the world a lot of good.

Hackers often say they are driven by curiosity and the challenge of breaking into systems that others have tried to keep them out of. Along the way, too many descend into a deeper form of criminality, using their skills to steal funds, abscond with intellectual property, or extort funds through ransomware. These are the ones who, figuratively speaking, wear the black hats, just like the bad guys traditionally did in old cowboy movies.

Fortunately, hundreds of thousands of hackers are discovering the joys—and financial benefits—of becoming white hat, or ethical, hackers, employing their skills to help software development companies, corporate enterprises, government agencies, and other organizations find software vulnerabilities early, before they can be taken advantage of by cyber criminals.

The business magazine Forbes was quick to celebrate this new trend, headlining its story on young white hat hackers “How To Make $1 Million From Hacking: Meet Six Hacker Millionaires.”

Teenage Millionaire: White Hat Hacking from Home

The story included a profile of Santiago Lopez, 19, who while still living at home with his parents became what’s believed to be the first documented case of a hacker earning a million dollars in bounties. Making the story even more compelling, Lopez told Forbes “I am a completely self-taught hacker, and learned through the internet, online tutorials and by reading books.”

Lopez is part of HackerOne, an organization that connects white hat hackers with organizations offering bounty rewards for finding vulnerabilities in software, or for attempting to penetrate cyber defenses, so any holes can be found and remedied before being detected and exploited by bad actors. The organization reports that in 2020 its community of white hat hackers had grown to more than 600,000, and continues to grow globally, as their work protects “1,700 companies and government agencies.”

HackerOne isn’t alone in crowd-sourcing white hat hacking to identify vulnerabilities. Synack has a “Red Team” which it describes as “an elite team of the world’s top cybersecurity researchers—drawn from over 80 countries, recruited for their skill, and chosen based on trust.” The company offers “Crowdsourced Vulnerability Discovery” and “Crowdsourced Penetration Testing.” Security Testing Platform. Bugcrowd says: “We’ve aggregated the expertise of hundreds of thousands of highly specialized cybersecurity researchers and infused it into our intelligent platform.”

Meanwhile, large companies like Apple, Facebook, and Google have long offered bounties to hackers who discover and report vulnerabilities. ZDNet reports that the US Department of Defense pays white-hat hackers through programs dubbed “Hack the Pentagon,” “Hack the Army,” and “Hack the Air Force.”

From Hacker in Prison to Millionaire

Another of the hacker millionaires profiled by Forbes is Tommy DeVoss, who “started his hacking career on the wrong side of the tracks. He was convicted in 2000 for stealing AOL accounts to use them for breaking into military computers.” After a second stint in prison, and faced with the potential of a third conviction becoming a life sentence, Forbes reports, he turned his life around by employing his hacking skills in a computer security job and then discovering HackerOne, through which he became a millionaire by discovering and reporting vulnerabilities.

It makes for a great combination: the adventure of hacking + getting paid for what you discover + being on the right side of the law . . . being celebrated, rather than convicted. They can even be in it just for the money, and still do good.

“Security experts can now earn over 40 times the median salary of software engineers through bug hunting,” Laurie Mercer, a security engineer at HackerOne, told Forbes. “And thus a new profession has been born: one where hackers can be paid handsomely for helping to create a safer digital world, one bug at a time.”

Billions of Dollars in Rewards

A Business Insider article, “Here’s what it’s like being a hacker millionaire under the age of 25,” noted that “Big companies can pay extremely handsomely for bug bounties. Apple recently offered a $1 million bounty to anyone who can crack into an iPhone using a specific hack.”

In a follow-up to its original article, Forbes carried the headline “These Hackers Have Made $100 Million And Could Earn $1 Billion By 2025.” In the article, HackerOne CEO Marten Mickos explained that the average breach costs an organization about $8 million, and that its community of hackers has so far discovered 170,000 vulnerabilities. The need for—and potential earnings of—white hat hackers are through the roof.

“We estimate that there are around 100 million security vulnerabilities still out there in the wild,” Mickos said. “We predict [HackerOne] hackers will have earned $1 billion in bug bounties within five years, protecting companies and governments alike from persistent and ephemeral threats.”

Just like in those old westerns, the white hats might bring about a happy ending.

Brian Gorenc, Senior Director of Vulnerability Research at Trend Micro, believes that the hundreds of thousands of white hat hackers powering crowd-sourced vulnerability research might outpower the efforts of bad actors.

Gorenc has said: “We’re pushing things forward, we’re making it harder and eventually you’re going to drive the cost of exploitation up enough that you’re going to force people to do something else, to go after another angle to make money.”


Clinton A. Pownall is the President & CEO of Computer Business Consultants and has been in the IT field since 1990. Pownall served in the U.S. Navy for six years as a Weapons Systems Technician and has a Bachelor of Science in Computer Engineering. Through Computer Business, he was one of the first to pioneer VoIP technology using satellite communications. Pownall serves on several boards and committees, has a strong affiliation with various education groups and local school districts, and served in regional efforts of the Bill & Melinda Gates NextGen Foundation. He serves as a Vice President of the Board of Directors for the Orlando Shakes Theater and is heavily involved in the South Lake Chamber of Commerce, West Orange Chamber of Commerce and the Orlando Economic Partnership.