September 1, 2022

From Black Hat to Bug Bounties [Pt. 1] with Tommy DeVoss

by Hacker Valley Studio

Show Notes

We’re joined by million-dollar hacker and bug bounty hunter Thomas DeVoss this week as we continue our season-long discussion of offensive cybersecurity legends. A legend in the making with a success story in bug bounty hunting that has to be heard to be believed, Tommy is an incredibly successful black hat hacker-turned-bug bounty hunter, representing how misunderstood the hacking community can be and how positively impactful bug bounties can be. Who hacks the hackers? Look no further than Tommy DeVoss.

Timecoded Guide:

[02:59] Becoming interested in hacking for the first time 

[08:26] Encountering unfriendly visits with the government and the FBI after his hacking skills progressed 

[14:20] Seeking his first computer job after prison and leveraging his hacking skills

[25:21] Discussing with Yahoo the possibility of working with them due to his successful bug bounties

[30:56] Giving honest advice to hackers looking to break into the bug bounty scene 

Sponsor Links:

Thank you to our sponsors Axonius and PlexTrac for bringing this season of HVR to life!

Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone

PlexTrac is pleased to offer an exclusive Red Team Content Bundle for Hacker Valley listeners. This bundle contains both our "Writing a Killer Penetration Test Report" and "Effective Purple Teaming" white papers in ONE awesome package. Head to PlexTrac.com/HackerValley to learn more about the platform and get your copy today!

When did you get into hacking for the first time?

At an early age, Thomas found his passion for hacking in an IRC chat room. Mentored by a man named Lewis and encouraged by friends in the hacking world, he was soon popping shells and breaking into US systems from foreign IP addresses. Although Tommy became incredible at his craft from a young age, his early habits became serious black hat issues that ended up getting him in trouble with the US government. Just like the hacker in a big Hollywood blockbuster, the government caught up with Tommy and he faced 2 years in prison in his first sentence.

“Instead of coming back to him and saying, ‘Hey, I'm done,’ I came back and I was actually asking him questions like, ‘Can you explain this?’ And he saw that I was like, actually interested in this and I wasn't one of the people that was just expecting it to be handed to me and everything like that.”


After spending time in prison, were there barriers to getting involved in hacking again?

After being in and out of prison a couple of times, Tommy found the worst part of coming home to be his ban from touching any device with internet access. Despite the ban being a condition of his probation, his passion for tech kept bringing him back to computers and gaming. After his final stint in prison, served after he was falsely suspected of returning to his black hat ways, the FBI lifted Tommy’s indefinite ban on computer usage, which immediately renewed his passion for working in tech.

“They had banned me indefinitely from touching a computer. So, when I came home on probation the first time, they upheld that and I still wasn't allowed to touch computers as part of my probation. For the first month or so, I didn't get on a computer when I came home from prison, but then it didn't take long before I got bored.”


How did your cyber career pivot to bug bounty hunting?

With prison behind him and his ban on computers lifted, Tommy got a job working for a family friend in Richmond, Virginia for a modest salary of $30,000. Although this amount felt like a lot at the time, he quickly realized that there was money to be made in bug bounties. His first few experiments with bug bounty programs had him earning $20,000 or $30,000 for hours of work, a huge increase over the salary he was making. Encountering success after success, Thomas quit his job in 2017 to become a full-time bug bounty hunter.

“The first bug bounty program that jumped out at me was Yahoo. I had started hacking Yahoo in the mid 90s, I knew their systems in the 90s and early 2000s better than a lot of their system admins and stuff. And I figured, if there's any company that I should start out with, it should be them.”


What success have you seen since becoming a bug bounty hunter, especially with major corporations like Yahoo?

Thomas has become a huge earner in the cybersecurity community, and has continued to see incredible results from his hacking and bug bounty projects. Most notably, after numerous high-earning days, making up to $130K at once, with companies like Yahoo, he’s even been offered positions working with the corporations whose bug bounty programs he has hunted on. However, Tommy is quick to point out that his success was definitely not overnight, and he warns fellow hackers against getting too confident in their bug bounty abilities without the proper skill sets or amount of experience under their belts.

“I think at this point, I've had days where I've made six-digit income in that single day, at least six or seven times. And it's almost always been from Yahoo.”

-----------

Links: 

Stay in touch with Thomas DeVoss on LinkedIn and Twitter.

Check out the Bug Bounty Hunter website.

Keep up with Hacker Valley on our website, LinkedIn, Instagram, and Twitter.

Follow Ron Eddings on Twitter and LinkedIn

Catch up with Chris Cochran on Twitter and LinkedIn

Purchase a HVS t-shirt at our shop

Continue the conversation by joining our Discord



Transcript

From Black Hat to Bug Bounties (Pt. 1) with Tommy DeVoss
Axonius Ad 00:21
Hey everyone, it's me, Simone Biles. You might be wondering why you're hearing my voice on a cybersecurity podcast ad. Well, it's because I'm partnering with Axonius. Whether you're a gymnast like me, or an IT, or a security pro, complexity is inevitable. And I've learned that the key to success is focusing on what you can control. Go check out my video at Axonius.com/Simone.
Chris 00:54
We are back with Hacker Valley Red, where we're exploring the nexus of offensive cybersecurity and humanity with a hacker’s mindset. Again, I'm one of your hosts. I'm Chris Cochran.
Ron 01:06
And I'm Ron Eddings. And we are going to continue this journey of speaking to cybersecurity legends from the offensive side of the house. We're thinking pen testers, bug bounty hunters, and also offensive operators.
Chris 01:19
One of the things that comes to mind when you talk about hackers or even just cybersecurity in general, you always think of the black hat hacker that started hacking when they were a kid and they get in trouble, and either they go to the government, or they become a consultant, and that's actually few and far between. There aren't a lot of folks in cybersecurity today that have that particular trajectory, but we have to get right to this episode because the guest for today did that route. Really, understanding his origin story is going to be incredible, it was incredible to listen to, but we are talking today to Tommy DeVoss, also called Doggy G, and he is a hacker's hacker starting from a kid, got into a little bit of trouble, and then went on to do incredible things in bug bounty and hacking in general. But without further ado, let's jump right to it. What's going on everybody? You're in the Hacker Valley Studio with your host, Ron and Chris.
Ron 02:19
Yes, sir.
Chris 02:23
Welcome back to the show.
Ron 02:26
Glad to be back again. We are joined with a legend in the making, someone that has been doing big things in the offensive side of the house, offensive operations, red teaming. We have the million-dollar hacker, also known as Tommy DeVoss, also known as Doggy G. He is a bug bounty expert, but also a security engineer at Braze. And Tommy, we're so excited to speak to you, especially with all the great work that you've been doing in the field. Welcome to the podcast.
Tommy 02:56
Thank you very much. I appreciate it. Looking forward to talking with you both as well.
Chris 03:00
Absolutely. We've been looking forward to talking to you for a while now. We heard you won a big competition in 2020. And ever since, we're like, "We gotta get this guy on the show." But for the folks out there that don't know who you are just yet, we'd love to hear a little bit about your background and what you're doing today.
Tommy 03:16
Sure, I started getting interested in cybersecurity and hacking and stuff back in early to mid 90s. I started out on IRC. My first interactions with hackers, initially, were people using booters and stuff like that to kick me offline. And then one day I was trying to join new chat rooms, find new chat rooms on IRC, and I ended up accidentally joining the wrong room. And when I joined the room, I'm not sure if you guys are familiar with IRC, but you have things called operators. And when I went to this room, there were hundreds of operators in this room and each one of them was named the same thing, but it had like, a slightly different string on the end of it. And come to find out, it was EggDrop bots that were running on a different US university computer network, just about every single one in the country, and I just thought that was the coolest thing in the world. So, I kept joining the chat room because anytime I was in there, there was nobody ever talking. I was still in elementary or middle school, something like that, so I was having to go to bed early. Of course, my parents wouldn't let me stay up at all hours of the night and the person that ran the room was actually from San Jose, California. So, the time difference between East Coast and the West Coast and everything made it so I didn't see anybody online most of the time, and I was still on a dial up connection. This was before cable modems, DSL, or anything like that. So, there was only dial ups, so I couldn't like stay connected all night and then, like, go back and see when people were talking and everything. So, I just literally would join this chat room every single day.
Tommy 04:48
After a couple of weeks, I think it was on a weekend, I actually joined and people were actually in there talking. I started to bug them like, I thought they were cool and I wanted to learn what they were doing. First, they were just like, "Who the hell was this kid?" And they kept banning me from the room, but the good thing about being on a dial up, I could disconnect and reconnect, get a new IP address, and go back in, right? After doing that for, I don't remember, it was a couple of weeks or a couple of months, the guy that owned the room, his name was Lewis, he finally was like, "Okay, go on the internet, read everything there is about hacking, and when you're done, come back and tell me." I didn't know it at the time, but it was like, a test. And he was looking for me to come back within like, a couple hours, or a day or so, and be like, "Okay, I'm done. I read everything there is about hacking. Now what?" And that's not what happened. I spent a few days reading everything that I could find and instead of coming back to him and saying, "Hey, I'm done," I came back and I was actually asking him questions like, "Can you explain this? Can you explain that? How do you do this and that?" And he saw that I was like, actually interested in this and I wasn't one of the people that was just expecting it to be handed to me and everything like that.
Tommy 05:57
So, slowly, he decided to start teaching me some stuff. He gave me my first shell account. I remember that shell account ended up getting ripped from me. We had a bunch on F Net, we had some shell channels, and people would go in there and we would trade routes, or boxes that had been routed, we would trade accounts on them and everything. And it was never a good idea to go first, unless you were trading with somebody that really was trustworthy. And well, I didn't know this and I went to trade with somebody and they ripped me. And when I was told by somebody else, when my shell stopped working, they're like, "Oh, you got ripped, your shell got ripped." Like, I freaked out. I didn't know what that meant. Like, I thought they had like, physically broken my shell or something like that. And I was like, "Well, can you help me fix it?" And they were like, "There is no fixing it when everything's like that." So, he ended up getting kind of mad at me because I wasn't supposed to go and try to trade this stuff that he had given me to get better accounts and stuff like that to begin with, but he got over it and he kept teaching me.
Tommy 06:58
I got to the point where, I think it was around 96 or so, I started actually trying to get my own shells breaking into computer systems and everything. I originally would start targeting Unix systems and back in the day, the number one rule of being a hacker was don't hack from your internet connection, or at least computer systems in your own country. So, I would scan the Korean and Japanese IP ranges from my own system, and I would try and hack those and I would use those as jump boxes. That was one of the first things that Lewis had taught me, stuff like that. He was like, "You find a country that you don't have to worry about them coming to get you. You hack those and then, you use those to hack US companies." So, just started doing that, started building botnets, joined IRC takeover groups, and we just started going to IRC wars with groups called TNT and Glitch, back on F Net, back in the late 90s. I don't know if you guys remember, but there was a guy named Mafia Boy that hit the news a lot in 2000, because he was doing the first major DDoS of e-commerce platforms, Amazon and things like that. He was actually a rival member of a different channel takeover group. And when he hit the news, and we saw how much power was on his botnet and everything, the damage he was able to do, it made a lot more sense on why he was able to kill our connection so easily and frequently when we were going after the same chatrooms and stuff.
Tommy 08:26
So, back in, I think it was like, 1998, I saw people were doing the defacement stuff. Back then, the main defacement there was attrition.org. I ended up coming across that website and seeing where people were defacing the websites and getting them mirrored. So, I was like, "Hey, that's pretty cool." So, I started doing the same thing. And then, it just kind of snowballed from there. And then, I ended up transitioning away from the IRC takeover stuff as much, as I was preferring to go and do the defacement and building the botnets and things like that. I was never out to steal identities or anything like that. I was just doing it out of boredom, and because they said we couldn't do it. I did that for a little over a decade. US government got mad at me a few times, came to visit me in a not-so-friendly way in 2000, 2002. I went to federal prison in January of 2004 for the stuff that I had done. I spent just right at two years the first time, I came home again in January of 2006. I was banned from touching the computers from when they first came after me in 2000. They had banned me indefinitely from touching a computer. So, when I came home on probation the first time, they upheld that and I still wasn't allowed to touch computers as part of my probation. For the first month or so, I didn't get on a computer when I came home from prison, but then it didn't take long before I got bored.
Tommy 08:30
I started like, at the time, I came home and I was staying at my mom's house still because when you get released from federal prison, when you're on probation and house arrest, you have to be released to a family member that will, in theory, tell on you if you break the rules and stuff. So, staying there, I would wait until my mom would go to bed and then I would sneak into her office and get on her computer a little bit at nighttime. I started out doing it for like, an hour or two, and then it got to the point where I would stay on until like, six o'clock in the morning, right before everybody was going to wake up in the house so they wouldn't catch me. And then, after doing that for a couple of weeks, it just got to the point where I didn't want to hide anymore. And I started doing the hacking stuff again, I did it under a different alias, thinking that I was smarter this time, that they wouldn't catch me this time. I didn't trust people as much as I did previously, because that's what got me arrested, my codefendants telling on me. And that lasted for about 14 months, and then in March or April of 2007, they paid me another visit, found a computer in my house, and violated me on probation, and sent me back to prison for another year.
Tommy 09:51
Did that year, came home, didn't waste no time. I got right back on the computer again, I got an Xbox. I wasn't allowed to have an Xbox, a gaming system or anything like that. I wasn't allowed to have a cell phone or none of that. I didn't listen, but when I came home from that time, I didn't start hacking again, like, they had taught me my lesson when it came to hacking, but I was playing games on Xbox, I was playing games on my computer, and stuff like that. I stayed out for about 18 months, and I was 3 months away from completing my probation and being released from probation, and I got raided again by the FBI, DCIS, and a bunch of other agencies in October of 2009. Come to find out, they had rented the house across the street from me for 6 months, watching me and everybody that came in and out of my house. I didn't know this until they put me in prison. One of my codefendants, one of my original codefendants, he had gone back to doing the illegal hacking and stuff again, you know? And he was working with somebody else and because of how close me and him were, when we ran around together, they assumed that it was me. A girl that I had broken up with called the FBI and told the FBI that I was hacking again and that I was breaking into banks and stealing money, and that I was doing it from my Xbox so that I could hide the traffic in the game traffic, which caused them to launch the investigation.
Tommy 12:19
They spent the six months watching me and they couldn't get any evidence because I wasn't doing anything illegal, except for possessing the computers and getting online and stuff. So, they raided me again, they gave me the maximum time that they could at the time, locked me up, and they gave me another 15 months, I think it was, in federal prison. And their goal at that time was give me the most time that they could, so that way they had me in one place for as long as they could, to build their case against me. And they were hoping that they could pressure me into just agreeing to plead guilty and everything. But I kept telling them, I wasn't doing it. And the thing that annoyed me the most about this time was, every time they've arrested me and they've come at me for the things that I've done wrong, I've admitted it to them. I never tried to say that it wasn't me, or anything like that. If you come to me, saying that you've got proof that I did and everything, it's stupid of me to try to fight it. And I was like, "Well, the fact that I'm telling you all I didn't do it should tell you something there."
Tommy 13:16
They did their investigation and about 4 months into the prison sentence, the FBI actually came and visited me in the prison that I was in, down in Waynesburg, South Carolina, and they actually apologized to me. They sat there and they were like, "You know what? We've gone through your computers and everything else, and we know that it wasn't you now." They even caught the other person that was happening with my old codefendant, so they knew for absolute certainty, it wasn't me. They apologized for getting me locked back up again and everything for it all. And I was like, "Well, does that mean y'all are gonna let me out?" And they were like, "Well, the problem is, you're still in violation of your probation for having the computers and stuff. So, there's not much we can do, but we will do this." And they made it so that, instead of my probation restarting when I came home from prison, that time, they killed my probation, which in turn killed my ban from touching computers. So, as of November 3rd, 2010, on my last release from prison, I was now allowed to touch computers again. So, that was, I don't want to say that it was worth it, but at least I got something positive out of it because it was an indefinite ban up until that point.
Tommy 14:20
So, I came home November 3rd, 2010, and I immediately started looking for a computer job. But problem was in 2010, 2011, there wasn't the positive publicity for hackers and stuff, right? When hackers were in the news, it was still nothing but negative publicity. So, everybody automatically assumed that if you are a hacker, you are stealing credit cards, you were stealing identities, and things of that nature. And it was really hard to get companies to be willing to give me a shot, especially when I'm just coming home from prison a couple of months ago. So, very, very few people would even have conversations with me about these kinds of jobs and stuff, because I learned early on that it's best to be upfront and honest with people about my past, because I don't want to waste their time, I don't want to waste my time. I just always tell people right up front and then 99 times out of 100, at that time, it would instantly end the call. They would instantly be like, "Oh, well, let us follow up with this and find out if it's going to be a problem, and then we'll get back to you. And if it's not going to be a problem, then we'll continue the process." But they never got back to me. That continued until June of 2013.
Tommy 15:29
In June of 2013, I actually got lucky and there was a small startup here in Richmond called Global Works, or Synergy, they changed their name, and everything. But they helped, or help, companies like grocery stores and things like that, track out of stock items on their shelves and stuff. And using their software, they were able to cut restock times down from like 3 days to 12 hours, or something like that. And they had a system admin that had been with them since they had started the company, and he was leaving the company to go somewhere else. Well, the CTO of this company ended up being a friend of my mom's and they had talked about me occasionally over the last like, 10 or 15 years, he was up to date on everything that I had gone through and stuff like that. And when he found out that the person was leaving the company, he actually hit my mom up and was like, "Hey, can you put me in contact with your son? I've got a role coming up in here at my company, and I think he would be a good fit." So, she made the introduction. And my interview was actually meeting him and the rest of the IT team at a bar here in Richmond on a Friday afternoon, after they were done working for the day. And it was more of an interview to see if I was like, a culture fit more so than a skill level fit, because he already knew that I had the skills to be the system admin and stuff. So, I ended up working with them, and that ended up being my first computer job.
Tommy 16:56
I had initially heard about bug bounties in 2014, and that's when I actually signed up for my accounts on Hacker One and things like that, but at the time, it seemed too good to be true that people were going to like, let me hack into them, and then they were going to pay me money. And the last time that I went to court in October of 2009, the federal judge told me if I'm ever in the federal court system again for a computer-related charge, he was going to give me life in prison. So, it wasn't worth the risk for me. So, I didn't touch any of it. I didn't even think about bug bounties again until 2016. I was on Twitter, I was pretty active with Anonymous at the time, not the hacking aspect, but the protesting aspect of everything, I would do the million mask marches, and things of that nature. And I ended up following some people that were doing the bug bounty stuff, and I started seeing blog posts about bugs people were finding and getting paid. And I was like, "Okay, you know what? Maybe that's something that I can look into." So, I went back to Hacker One, and I tried to create an account. And it said an email address was already in use, I had completely forgotten I even signed up for this site in 2014. So, I recovered my password, I logged in, and I started looking through all the programs that they had available at the time. And the first program that jumped out at me, it was Yahoo. I started hacking Yahoo in the mid 90s, I knew their systems in the 90s and early 2000s better than a lot of their system admins and stuff. And I figured, if there's any company that I should start out with, it should be them. So, I started doing some hunting and doing some Googling and stuff like that, looking for servers to target, and ended up finding an information disclosure bug, where their admins and security engineers and stuff were using GitHub gists to share diagnostic logs, core dumps, and things like that back and forth, when they were trying to troubleshoot a problem. And they were forgetting to either make them private, or delete them after they were done. So, it was disclosing a ton of information. I reported that to them, and they gave me my first bounty in March of 2016. And once I got that first bounty, I was hooked. It was just like, "Alright, I know what I was going to do now."
Chris 19:18
It's almost like you going through this classic story of being a traditional black hat hacker, and then now, you're turning to the good side, trying to help folks out. But at this point, you're pretty much like, a professional bug bounty hunter, right? You're the top of the top, like, what was that process of going through that initial phase getting bit by the bug and then ultimately becoming one of the best?
Tommy 19:40
So, as I said, I got my first bounty in March of 2016. At that time, I was still with Synergy, but in order to get that job, I had agreed to start my job there for a stupid low salary, because I was literally willing to work for almost nothing, just to get my feet in the door. I was only being paid $30,000 a year at that time to be the only Linux system admin and a Java developer for this company, and wasn't making much money. At the time, $30,000 was a lot to me because I had never had a job that paid me that much, but after I got that first bounty, I would spend all my free time just looking for more bugs. Then, in May of 2016, the Pentagon ran their first Hack the Pentagon promotion on Hacker One, I participated for the entire month, I ended up getting first place in that, and I ended up making, I want to say, like, somewhere between like $20,000 and $30,000, over the course of that month. So, I was looking at it, like, I just worked for like, three to five hours a night after my normal job, and just did it for a month, and I was able to make an entire year's salary. So, I started putting more effort into it, just to see what I could make. And through 2016, I only ended up making about $40,000 for the entire year, but that was still more than I was making in salary from the company and everything.
Tommy 21:04
In the beginning of 2017, I was like, "You know what? I'm gonna make the leap and I'm going to quit my job and just try and do the bug bounty stuff." So in 2017, I left Synergy— End of 2016, the beginning of 2017, and I started doing just the bug bounties full time. And my first year doing it, I made just about $100,000, which was crazy money to me at the time. So, I was like, "Alright, well, I made the right decision." It was like, at that time, I was working maybe 40 or 50 hours a month, and I was able to make that $100,000. And I just kind of kept with it. And then, in 2018, I changed up how I was hacking. My complete methodology changed at the end of 2017 and into 2018. When I first started, I started out like just about everybody else does in bug bounties, I was relying on automated tools and scanners and stuff like that, and it was finding bugs. But 9 times out of 10, those bugs were duplicates, because I was using the exact same things as everybody else. So, I changed up and instead of relying on scans, I started looking for more impactful bugs that scanners couldn't find and started doing the work manually. So, I started looking for SSRFs, IDORs, stored XSSes that required bypassing blacklists and things like that, that a normal web app scanner wasn't going to find because it tries like a basic XSS payload, and if that doesn't work, then it just moves on to the next thing.
Tommy 22:45
And when I made that switch, it drastically changed everything. I went from making about $100,000 in 2017. 2018, I made $600,000 during the course of that year, and I was still working about the same amount. And in 2018, I set my own personal records, I hit, I think, there were three days in 2018 where I made over $100,000 on each one of those days, including in October. It was like the first week of October of 2018, I had found an endpoint on Yahoo, I was hacking Yahoo almost exclusively at this point. I was doing some other programs during live hacking events, and I was doing some government stuff on Cynec at the time and everything, but most of my income was coming from Yahoo. I had found quite a few server side request forgeries on them over the earlier parts of 2018. Well, I found a new endpoint for one of them in October, and the blacklist was pretty good, but I enjoy trying to bypass the blacklist used to protect SSRF, and I just started playing with it trying to find a way to bypass their blacklisted AWS metadata server. And I found that the AWS metadata IP is 169.254.169.254. I had tried things like, encoding the IP address in every different type of encoding that was possible, doing DNS rebinding, and things like that, and none of it worked. Well, something told me to try, instead of encoding the entire IP address, I took just the first octet, the first 169 and I encoded that into octal encoding. And I left the rest of the IP address the same and it bypassed their blacklist, so it let me hit AWS metadata server. So I was like, "Alright, sweet." So, I wrote up that report. And then I was like, "You know what? I wonder how many other places on Yahoo this would work." So, I started going through my reports on Hacker One, and every single SSRF that I had reported over the last year, I pulled each one of those up and I tried the same trick on that, and it worked on 18. So, at the time Yahoo was paying $10,000 per SSRF. So, I ended up having 18 SSRFs at $10,000 each. So, I ended up making $180,000 for about four hours' worth of work.
Chris 25:16
And then they were like, "You know what? Let's just bring him in. We're paying him anyways."
Tommy 25:21
Well, we have talked several times about me going and working for them, but at the time, it didn't really seem financially like the right move for me. In 2018, I made $600,000. In 2019, I made $900,000. So, it's like, if I would have gone and worked for them in 2018, I would have significantly crushed my income, because it's like, if you're working for them, you can't do the bug bounties for them. So, my plan had been, I'm going to kind of like ride this until the wheels fall off, I'm going to keep going until I don't make any more money from them. And then once that becomes the case, then I'll talk to them about maybe going to work for them or whatever. Yeah, 2018 and 2019. I think at this point, I've had single days where I've made six-digit income in that single day, at least six or seven times. And it's almost always been from Yahoo. And yeah, including actually the day that you referenced in the beginning of this.
Tommy 26:22
So, Hacker One has these live hacking events, pre-COVID. Each month, Hacker One had a live hacking event in a different city, somewhere in the world. For four days, they would invite anywhere from 50 to 200 hackers to that city, they would pay for our flights and our hotels and everything. They would fly us in. Our first day would be the travel-in day, the second day would be a sightseeing day where they would kind of, like, give us a tour of the city and stuff. The third day was hacking day, you actually get taken to this one little spot, we're all put into a room and we spend about 8 to 10 hours hacking on them, and getting bounties and stuff like that. And that goes all night, you know, because once it's done, they do all the awards and everything. And then, everybody's so happy because we've just made a ton of money. So, we end up having a party afterwards, that's the Hacker One party. And then, after Hacker One events, you always end up at a karaoke spot after the party and everything like that. And then the last day, of course, is the relaxed day slash traveling back home and everything. And that was their events, they follow the naming format of H1 dash and then the area code for whatever city you're in, they use that in the name. So, that event was H1415. I think 415 is the area code for San Francisco.
Tommy 27:47
So, that was actually the last live hacking event that was thrown before COVID hit everything. And I think I won that event, I made about $130,000 for that day, but the thing about the live hacking events. Initially, it was— The very first live hacking event for Hacker One was H1702 in Las Vegas during DEF CON 2016. And for that one, we didn't know who the targets were in advance, it was a 3-day event, we would get to the suite that they had rented out at the MGM, and when you walked in, that's when you found out who your target was. And we would get a new target each of those 3 days. Well, after that, the hacking events slowly evolved. So, instead of only getting the 8 hours of the day at the event of hacking, they started giving us the companies two weeks in advance and opening up the, like, pre-event hacking so that you were able to do hacking for the week or two leading up to the event and submit the bugs. And then, they would triage them and pay them on the event day. And then, you would still be hacking them and stuff that day as well, but they found that they got better results for their customers and more bugs and stuff when they would give us two weeks before the event to hack them, instead of only confining it to the bugs that we could find that day and stuff. So, the $130,000, I got paid on one day, but it was over the course of about a week, week and a half, of hacking leading up to the event, so it wasn't technically all from one day of hacking.
Ron 29:26
I think many people won't complain about $130K over a week and a half.
Tommy 29:32
You can't really complain about it, but I'm glad you said that, because I get a lot of messages and comments on my tweets and things like that, of people wanting to do what I do and stuff. And I think the biggest problem, not with new bug hunters, but for bug bounty hunters, is they see all of us sharing on Twitter and stuff like that, when we're successful and making these huge sums of money. So, they're expecting that they're going to be able to come in and do the same thing, you know? And that's just not realistic. And one thing that many new bug bounty hunters fail to take into account is the fact that we fail significantly more as a hacker than you're ever successful, even the best hacker in the world fails 5 to 10 times more often than he or she is actually successful in hacking whatever their target is. But none of us publicize when we have those failures. We only talk about when we're successful, and everything. So, that's all these new people are seeing, or people that aren't even from the industry. All they're seeing is all of these success stories and stuff, so they're wanting to get into this. They're thinking that there's some, like, secret or special sauce or special program that we can run that helps us do this kind of stuff.
Tommy 30:56
I see on Twitter all the time, where people have decided that they wanted to start doing bug bounty hunting, and they've quit their jobs. And they're just doing this and it's been six months, and they still haven't found a single bug and everything. And it's like, I don't understand how people can logically think that that was a good idea. First off, doing bug bounties and stuff full-time is not for everybody. You can make a living from it, but where you're from definitely impacts your ability to make a living from it as well. If you live in a country whose median income for the country is extremely low, then it's a lot more viable to try to make a living out of this. But if you live in the US, Germany, the UK, or something like that, where the cost of living is higher than some of these places, it makes it a lot harder to do bug bounty hunting full-time. And I try and tell people all the time, first off, don't just quit your jobs and start trying to do this. You need to spend years leading up to that point, don't quit your jobs before you've ever found your first bug and gotten your first bounty, that just doesn't make logical sense to begin with and it's just a bad decision.
Tommy 32:07
Don't come into this thinking that you're going to be able to replicate my success, or try to hack me, or Frans Rosén, or someone like that. A lot of us have been doing this for a very long time. Mark Litchfield has been a hacker for as long as I have, he started doing this in the 90s as well, but he never took the route that I took, going the black hat route first. He started on the good side, he started out as a white hat with his brother and everything, but he still has two decades of experience of hacking systems and helping secure them and stuff like that. Most of us that are the top-earning hackers, we've gotten this experience from, if not decades, then at least, like, close to 10 years. Now, there are exceptions to that, because you've got Nathaniel Wakelam, hell of a hacker, but he's young as shit. I think he is maybe 25 or so right now, but he's one of those people that he didn't come into this expecting to be instantly successful. He understood that he had to come into this and he had to put in the effort, he had to put in the time of learning things, and understood that when it comes to hacking, you can never stop learning.
Ron 33:21
So, Chris, you were saying for a while that we gotta have dawgyg on the podcast, that we have got to reach out to him. And we've been reaching out to him, and I'm so glad that we had the opportunity to speak to him because this story, the story that he presented to us about his background, and just how he got started in cybersecurity and hacking, it's incredible. It almost feels like this episode was a movie for me.
Chris 33:43
100%. Like, just all the way through, the start of a movie, but what's really interesting about this is, with our sponsor for this season, PlexTrac, there's a lot of similarities between what he was doing with Hacker One, and what PlexTrac does for cybersecurity practitioners. Because when he's doing his bug bounty stuff, that is scaling your cybersecurity program. You're inviting other folks to find the holes, the bugs, and then you take that information, you put it in Hacker One, and then they use that information to fix their security program. Same thing you can do with PlexTrac internal to your organization. So, whether you have a red team, or whether you have people that are really focused on finding the gaps, the holes, the vulnerabilities in your environment, then you can communicate that to the blue team, so they can close out those gaps and be that much tougher of a target for folks like the old dawgyg.
Ron 34:37
Yes. And by the way, we would highly recommend everyone to check out PlexTrac. Not only are they a sponsor, but they are also friends of Hacker Valley. And you can check them out by visiting PlexTrac.com/HackerValley.
Chris 34:57
One thing we didn't mention is that this is going to be a two-parter. That's right, we're not done with Tommy. He goes on to tell so many more stories and some incredible advice for everyone out there in cybersecurity. So, be sure to check out part two, coming right up. See you soon.