Bug bounty hunters score big dollars and the boom's only just begun

Reg man Darren Pauli hangs with happy hackers-for-hire

14 Reg comments Got Tips?

A tale of two very naughty boys

When Wakelam says "we've made a lot of money", he's referring to his hacker mate Shubham Shah, 19, whom he met as a 14-year-old on internet relay chat.

Pals ... Nathan Wakelam and Shubham Shah (Image: Darren Pauli)

While separated by state boundaries – Wakelam lived in Melbourne and Shah 100km away in Sydney – the pair would follow similar trajectories at school and into their young work lives as security consultants by day and bug bounty hunters by night.

Shah aced his final school exams, ranking fourth in his year and quickly publishing a school exam preparation app that was would be soon touted by the State Government launched by State education minister Adrian Piccoli.

Shah can also walk on the wild side, because his curiosity was only matched by his lack of concern for rules. "I was almost expelled," Shah says. "They legitimately despised me for ages."

As a 13-year-old in his first year of high school, he cloned and sold bus tickets for $10 less than their $25 face value. About 50 kids bought the fakes each month adding up to hundreds of dollars. That same year he would break into a teacher's administration account and change student home addresses to 123 Pirate Street, just for a laugh.

He was busted in CCTV footage and suspended.

In his third year of high school he spun up an authenticated web proxy and granted 60 students across two schools access so they could bypass the Bluecoat firewalls at the Department of Education in the Australian state of New South Wales had put in place. Some kid snitched and he was suspended again.

His final suspension for flipping bulk quantities of iPhones at school came with the threat of expulsion. "It shows how much of a fuck-up you can be," Shah says.

Wakelam had a similar story; from early years of high school he was getting busted at school and was using his knowledge of tech to legitimately make thousands of dollars without - and he would say in spite of - the help of teachers.

"I didn't like school and I didn't fit in," Wakelam says over beers in a dive bar in Fitzroy, Melbourne. "Not because I was a nerd or anything, you know, I used to enjoy different things - like I'd still go to parties and get f*cked up, but I read a lot and maintained my education. I just didn't buy into the idea of standardised learning and didn't think the skills (from school) would be the things that would help me with my future."

The son of a nurseryman and daycare nurse, Wakelam's escape from high school came at the end of his third year. His parent supported that decision, which he now credits as a far-sighted decision.

Bug bounties were a perfect fit for the drop-out both as a cash cow and a means to fill holes in a CV missing what he calls "checkbox bullshit" like a university degrees. Wakelam's resume now is largely a list of the bugs he has found which he expands on in interviews, telling employers about his methodologies and the relevance of the vulnerabilities to the affected businesses.

Ridlinghafer's money machine

In September 2013 Wakelam was working the phones in a call centre for about A$500 a week. It didn't last. Two months later he would find and submit a bug under Yahoo!'s then new bounty program and clear AU$15,000 for about 20 hours work. Wakelam quit the call centre the next day and left before lunch.

In the first year he cleared US$75,000 in bug bounty payments for working 20 to 40 hours a week. In 2015 he scored US$250,000, his second year as a serious bug hunter. He also landed 500,000 United Airlines flight miles for a single bug, enough for a few first class flights to the US.

Shah's first employer suffered a similar fate. The then burger-flipper threw in his apron and a wage of A$6.50 an hour pocket to chase bug bounties. "I was sick of it, so I decided to go into bug bounties and I actually made like $500 or $1,000 a time for submitting really simple bugs," he says.

In 2015 Shah met Wakelam, who shared some bounty-scoring tips. Shah then cleared US$50,000 in his first two months as a full-time hunter, one bug alone bringing him US$30,000 after 30 hours of hacking.

Some readers might at this point wonder if two admitted miscreants might be making up their hauls. The Register has seen balance sheets and invoices which match Wakelam's and Shah's claims.

"I made (US)$17,500 from one bug alone," Shah told The Register during the Wellington Kiwicon hacker confab in December. "I've got another 25 or something owing." An invoice seen by this reporter shows another dozen ready to be paid, adding up to nearly US$37,000. One critical bug is worth more than US$13,000. "I'll hack for about 40 hours a month and pick one week where I make most of my money, and then I'll have a break."

The duo prefer the money multipliers of private invite-only bug programs of the kind hosted through Hacker One. Researchers cannot apply to play in these higher-value bounties and can only hope HackerOne handpicks them for the job. Selection criteria are secret but as Wakelam ranks in the service's top 10 most accurate and prolific bug submitters he's often called on to help. Shah bounces around further down the top 100 list and still gets taps for the lucrative bounties.

It is worth the wait for the call to come from a program like HackerOne, as Wakelam reckons the same bug which attracts $25 on a public bug program can land $7000 in a private bounty. "You're typically adding two zeros to the reward," he says. Researchers throwing in a professional report explaining why the bugs are relevant to the business and how it could result in serious loss could earn even more.

The pair's favourite money-spinning bug bounty program is run by a company seemingly built of blank cheques. The organisation is a household name to virtually everyone in information technology but did not want to be named for this story. Wakelam and Shah say the company's bug bounty program is a model on which others should be built with its wide-reaching target scopes and agreeable security team which seeks to reward rather than reprimand hackers who report bugs found outside of predefined boundaries.

They hack for public programs too, for job variety as well as cash. Uber, Yahoo!, and United Airlines are but a few of the companies they've considered.


Biting the hand that feeds IT © 1998–2020