We’re joined by million-dollar hacker and bug bounty hunter, Thomas DeVoss, this week as we continue our season-long discussion of offensive cybersecurity legends. A legend in the making with a success story in bug bounty hunting that has to be heard to be believed, Tommy is an incredibly successful blach hat hacker-turned-bug bounty hunter, representing how misunderstood the hacking community can be and how positively impactful bug bounties can be. Who hacks the hackers? Look no further than Tommy DeVoss.
[02:59] Becoming interested in hacking for the first time
[08:26] Encountering unfriendly visits with the government and the FBI after his hacking skills progressed
[14:20] Seeking his first computer job after prison and leveraging his hacking skills
[25:21] Discussing with Yahoo the possibility of working with them due to his successful bug boundaries
[30:56] Giving honest advice to hackers looking to break into the bug bounty scene
Thank you to our sponsors Axonius and PlexTrac for bringing this season of HVR to life!
Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone
PlexTrac is pleased to offer an exclusive Red Team Content Bundle for Hacker Valley listeners. This bundle contains both our "Writing a Killer Penetration Test Report" and "Effective Purple Teaming" white papers in ONE awesome package. Head to PlexTrac.com/HackerValley to learn more about the platform and get your copy today!
When did you get into hacking for the first time?
At an early age, Thomas found his passion for hacking in an IRC chat room. Mentored by a man named Lewis and encouraged by fellow friends in the hacking world, popping shells and breaking into US systems using foreign IP addresses. Although Tommy became incredible at his craft from a young age, his early habits became serious black hat issues that ended up getting him in trouble with the US government. Just like the hacker in a big Hollywood blockbuster, the government caught up with Tommy and he faced 2 years in prison in his first sentence.
“Instead of coming back to him and saying, "Hey, I'm done," I came back and I was actually asking him questions like, "Can you explain this?” And he saw that I was like, actually interested in this and I wasn't one of the people that was just expecting it to be handed to me and everything like that.”
After spending time in prison, were there barriers to getting involved in hacking again?
After being in and out of prison a couple times, Tommy found the worst part of coming home to be his ban from touching any sort of device with internet access. Despite it being a part of his probation, his passion for tech continued to bring him back to computers and gaming. After his final stint in prison after being falsely suspected of returning to his black hat ways, the FBI lifted Tommy’s indefinite ban on computer usage and immediately renewed his passion for working in tech.
“They had banned me indefinitely from touching a computer. So, when I came home on probation the first time, they upheld that and I still wasn't allowed to touch computers as part of my probation. For the first month or so, I didn't get on a computer when I came home from prison, but then it didn't take long before I got bored.”
How did your cyber career pivot to bug bounty hunting?
With prison behind him and his ban on computers lifted, Tommy got a job working for a family friend in Richmond, Virginia for a modest salary of $30,000. Although this amount felt like a lot at the time, he quickly realized that there was money to be made in bug bounties. His first few experiments in attempting bug bounty programs had him earning $20,000 or $30,000 for hours of work, a huge increase from the salary he was currently making. Encountering success after success, Thomas quit his job in 2017 to become a full-time bug bounty hunter.
“The first bug bounty program that jumped out at me was Yahoo. I had started hacking Yahoo in the mid 90s, I knew their systems in the 90s and early 2000s better than a lot of their system admins and stuff. And I figured, if there's any company that I should start out with, it should be them.”
What success have you seen since becoming a bug bounty hunter, especially with major corporations like Yahoo?
Thomas has become a huge earner in the cybersecurity community, and has continued to see incredible results from his hacking and bug bounty projects. Most notably, after numerous high earning days, making up to $130K at once, with companies like Yahoo, he’s even been offered positions working with corporations he’s bug bountied for. However, Tommy is quick to point out that his success was definitely not overnight, and warns fellow hackers of getting too confident in their bug bounty abilities without the proper skill sets or amount of experience under their belts.
“I think at this point, I've had days where I've made six-digit income in that single day, at least six or seven times. And it's almost always been from Yahoo.”
Check out the Bug Bounty Hunter website.
Purchase a HVS t-shirt at our shop
Continue the conversation by joining our Discord
Nick Lantuh, CEO of Interpres Security, joins Ron Eddings on the mic at Hacker Valley’s “On the Big Screen” event to talk about how Nick’s previous career experience have given him unique insight into the cyber...
In this episode, Host Ron Eddings is joined by Vishal Dixit, Co-founder & CTO at Graphus Inc., and Sven Bechmann, Senior Product Manager of Email Security at Kaseya to dig into how phishing attacks are evol...
In this episode, Andrew Forgie takes us on his journey from his early days as an Apache helicopter mechanic in the military to his current role as a regional sales manager in cybersecurity. Andrew shares his t...
In this episode of Hacker Valley Studio, we dive into the inspiring journey of Zinet Kamal, an immigrant from Ethiopia who has carved a niche for herself in cybersecurity. Despite starting her journey with limi...
In this episode, Host Ron Eddings catches up with repeat guest, Gary Hayslip, CISO at SoftBank Investment Advisors and co-author of CISO Desk Reference guide. Gary explains that the varied nature of his current...
In this episode, Host Ron Eddings and guest Or Eshed, CEO of Layer X, discuss how changes in IT infrastructure, employee behavior and malicious tech have created an era where browser security is a must. Or deta...
In this episode, Host Ron Eddings talks with guest Isaac Clayton, Senior Research Engineer at NetSPI. Ron and Isaac discuss the importance of ASM for organizations of all sizes, the challenges of asset identifi...
In this episode, Host Ron Eddings dives deep into crafting a resilient cybersecurity approach with guest speaker Bill Bernard, VP of Security Strategy at Deepwatch. Bill discusses the necessity of understanding...
In this episode, we’ll take a walk down memory lane. Hacker Valley looks back to 2023 to bring you some of the best clips with great advice and insight into being more creative, reflective, and resourceful with...
In this episode, Host Ron Eddings, discusses new tactics of adversaries with Director of Threat Research at Sysdig, Michael Clark. Michael digs into the cloud and shares trends about the AMBERSQUID operation an...
Are you the best kept secret in cybersecurity? Let's change that by partnering together for podcast ads, social campaigns, and your next event or keynote. Send us your details to get started.