At this stage he knew he wanted to be an engineer but didn’t know what sort of engineer. He chose computer science when he went to university simply because he had attended a basic programming class at the same time he was introduced to engineering. When the time came to decide, he chose computer science because, “At that point, I had more experience in building programs than I had in building bridges.”

It wasn’t until he was at university, around 2010, that he learned cybersecurity existed, and he began to be curious, even though the university had no cybersecurity course. He checked out a couple of SANS courses. “They were out of my budget, but I found a software development internship where one of the projects was security development. That’s where I really understood that cybersecurity was an interesting field – there was a sort of cat and mouse intrigue to it.”

But even into his early career, there was no plan to focus on security. He graduated university with a computer science degree, got a first entry level software job, and still had no idea that he would go into security, never mind become a computer hacker. “I just wanted to be an engineer.” It wasn’t until 2016 that he got his first security-related job, and another three years before he started his hacking career.

“I was working on the application security team at New Relic. Previous work had mostly been in vulnerability management, so I still didn’t understand hacking. But part of my job was working with our bug bounty program, where we were paying good money for researchers to find bugs on our platform. I was astonished at how simple and elementary the bugs were – on enterprise level software that customers were paying six or seven figures to use.”

He thought it couldn’t be this easy to find bugs in software that employed a 15 strong security team and hundreds of really smart software developers.
“So after several months of just watching us pay these hackers to hack us, and seeing how much money they were making (this was around the time I wanted to buy my first house and start a family with my wife), I thought, Okay, well, what if I try to do this on the side, and maybe make enough to supplement the down payment on our home?”

He created an account on HackerOne in October 2018, and it was only two months later he got his first bounty. “It was only $200, so it wasn’t mind shattering – but this was the first time in my life that I had independently; that is, outside of an employer, made a single dollar, and it was just through hacking.” A couple of weeks later, he got a second bounty, and then another. He decided this would not merely help with his downpayment but could become a serious supplement to the family income. He set a target of earning at least an additional $20,000 by hacking in the evenings and at weekends, but by the end of 2019 – when they purchased the house – he had made an additional $92,000 just from HackerOne.

As the family grew, it became difficult to choose between spending spare time with family or hacking for more money. By this time, he was earning good money with HackerOne and had established a solid track record just hacking as a side hustle from his day job. “I just knew I needed to make the switch and do this full time. On July 5, 2024, I became a full time hacker, and things simply haven’t slowed down.”

Motivation

Day’s route into hackerdom is hardly conventional. The standard route is from a computer-fixated young child, through game playing into game hacking; mixing with and learning additional skills from other hackers on internet forums; and playing kudos-seeking pranks on school pals. Then comes the fork in the road for these precocious youngsters: some turn left into the sinister (malicious) realm while the majority take the righteous path into ethical hacking and gainful employment.
They are driven by an irresistible and insatiable curiosity to understand how things work; and this can only be achieved by taking those things apart. Many times the curiosity continues: ‘Can I make it do something else, or perhaps the same thing but better, if I reassemble it differently?’ This is not a choice, but a psychological drive, often assisted in both cause and practice by a degree of neurodivergence.

This is not Douglas Day. His destination was not a psychological necessity, but a rational career choice. He didn’t start out as a precocious childhood geek. He chose computer science for his university degree, but largely because he took a basic programming course at school. He became interested in cybersecurity but was not driven toward it. And in the end, he chose to be a hacker not out of psychological necessity, but to better provide for his family.

“It was kicked off by my desire to buy a house for my family and it just kind of cascaded from there in ways I didn’t expect – it kind of went meteoric. I expected to just have some supplemental side cash and did not expect it to be enough to sustain myself and my family. I guess I took a boring path to full time hacking, because it took five years for me to make that jump – and it was only after feeling very, very confident that I would be able to do it full time that I actually pulled the trigger.”

This family-driven motivation and his religious beliefs (he describes himself as ‘a person of faith’) mean he has never been tempted to sell a vulnerability for a higher price on the dark web. “Most of the people I know who do bug bounties are just normal people who want to live normal lives without the risk of incarceration. Sure, I could probably sell things on the black market, but the risk of putting myself in legal jeopardy, which would, in turn, put my family in jeopardy, is just not a risk I would consider.
I’m just not that guy.”

But he does understand why some bug bounty hunters could give it serious thought – bounty hunters are generally underpaid for the value of the service they provide. He has never been tempted to sell a vulnerability on the black market but has occasionally been left frustrated.

“For example, if I’ve got a bug that would cause $7M in damage, and I’m being paid $2K for it, I would never be tempted to do something shady with it. But knowing the discrepancy in how much I’m being paid versus what it’s worth has made me jaded and frustrated at times. Like maybe I should just go and be a security engineer again – or maybe I need to do something else entirely and open a bagel shop.”

The contradiction that is Douglas Day

Day became a professional hacker by choice. But that doesn’t mean he isn’t a natural hacker. When he describes the enjoyment and process of looking for bugs, it is little different to the experience of other computer hackers.

“The reason I really enjoy hacking is not simple curiosity, but because of the adrenaline rush or endorphin rush when I find a bug and find a way to outthink the developers. It’s a bit of cat and mouse, where I’m the cat and the system is the mouse. There’s a real high in realizing you probably have it. And then you just need to figure out a few more details, until you finally get confirmation that your bug works. There’s a huge internal payoff just knowing that you were able to outsmart this large organization with dozens and dozens of developers and heaps and heaps of money, just by yourself.”

His bug-finding process is also like the work of other computer hackers: disassembly followed by reassembly leading to unintended consequences. “Disassembly is just breaking the pieces down and understanding how they fit together and how they work together. What does this webpage do? What does this function do? What does this piece of the application do?
It’s like opening the hood on a car to see how the different parts of the engine connect and work together.”

Then comes the reassembly part. “Instead of going through the prescribed workflow and pressing this button after hitting that switch, what if I reverse the process? What would happen then? What would happen if I change some of the data that feeds the engine, and how could I do that? About 99% of the time I spend hacking a computer is this reassembly stage, reassembling something in a way that will achieve an action or outcome that was never intended by the developers.”

But despite this natural affinity with hacking, he chose the profession rather than was chosen by it. This begs a question: is hacking a natural human inclination present in everyone? Do we all have a desire to strip things down to see how they work, and then create better things from our understanding? Isn’t that the very nature of science and progress? The only difference between us is the intensity (the extent to which we are driven by our psychology) and focus (the subjects we choose to hack).

Summary

It’s the element of rational choice to be a hacker that sets Day apart from most other hackers. He was not driven to computer hacking through a psychological necessity – an irresistible itch that could only be scratched by taking things apart and reassembling them – but by a desire to make life better for himself and his family. That is why most of us work, but only a few of us find a career that is truly satisfying, rewarding and legal.

What Douglas Day demonstrates is that bug bounty programs can be a profession of choice, rather than simply a safe, ethical refuge for natural born hackers who have little choice but to hack. As he said: “I didn’t always consider myself a professional hacker, but I have always been a hacker.
Now I’m both a hacker and a professional hacker.”

He was not driven to computer hacking through a psychological necessity – an irresistible itch that could only be scratched by taking things apart and reassembling them – but by a desire to make life better for himself and his family. That is why most of us work, but only a few of us find a career that is truly satisfying, rewarding and legal.What Douglas Day demonstrates is that bug bounty programs can be a profession of choice, rather than simply a safe, ethical refuge for natural born hackers who have little choice but to hack. As he said: “I didn’t always consider myself a professional hacker, but I have always been a hacker. Now I’m both a hacker and a professional hacker.”Related:Hacker Conversations: McKenzie Wark, Author of A Hacker ManifestoRelated:Hacker Conversations: Tom Anthony and Scratching an Itch Without Doing HarmRelated:Hacker Conversations: Inside the Mind of Daniel Kelley, ex-BlackhatRelated:Hacker Conversations: Cris Thomas (AKA Space Rogue) From Lopht Heavy Industries

He thought it couldn’t be this easy to find bugs in software that employed a 15 strong security team and hundreds of really smart software developers. “So after several months of just watching us pay these hackers to hack us, and seeing how much money they were making (this was around the time I wanted to buy my first house and start a family with my wife), I thought, Okay, well, what if I try to do this on the side, and maybe make enough to supplement the down payment on our home?”He created an account on HackerOne in October 2018, and it was only two months later he got his first bounty. “It was only $200, so it wasn’t mind shattering – but this was the first time in my life that I had independently; that is, outside of an employer, made a single dollar, and it was just through hacking.” A couple of weeks later, he got a second bounty, and then another. He decided this would not merely help with his downpayment but could become a serious supplement to the family income. He set a target of earning at least an additional $20,000 by hacking in the evenings and at weekends, but by the end of 2019 – when they purchased the house – he had made an additional $92,000 just from HackerOne.As the family grew, it became difficult to choose between spending spare time with family or hacking for more money. By this time, he was earning good money with HackerOne and had established a solid track record just hacking as a side hustle from his day job. “I just knew I needed to make the switch and do this full time. On July 5, 2024, I became a full time hacker, and things simply haven’t slowed down.”MotivationDay’s route into hackerdom is hardly conventional. The standard route is from a computer-fixated young child, through game playing into game hacking; mixing with and learning additional skills from other hackers on internet forums; and playing kudos-seeking pranks on school pals. 
Then comes the fork in the road for these precocious youngsters: some turn left into the sinister (malicious) realm while the majority take the righteous path into ethical hacking and gainful employment. They are driven by an irresistible and insatiable curiosity to understand how things work; and this can only be achieved by taking those things apart. Many times the curiosity continues: ‘Can I make it do something else, or perhaps the same thing but better, if I reassemble it differently?’ This is not a choice, but a psychological drive, often assisted in both cause and practice by a degree of neurodivergence.This is not Douglas Day. His destination was not a psychological necessity, but a rational career choice. He didn’t start out as a precocious childhood geek. He chose computer science for his university degree, but largely because he took a basic programming course at school. He became interested in cybersecurity but was not driven toward it. And in the end, he chose to be a hacker not out of psychological necessity, but to better provide for his family.“It was kicked off by my desire to buy a house for my family and it just kind of cascaded from there in ways I didn’t expect – it kind of went meteoric. I expected to just have some supplemental side cash and did not expect it to be enough to sustain myself and my family. I guess I took a boring path to full time hacking, because it took five years for me to make that jump – and it was only after feeling very, very confident that I would be able to do it full time that I actually pulled the trigger.”This family-driven motivation and his religious beliefs (he describes himself as ‘a person of faith’) mean he has never been tempted to sell a vulnerability for a higher price on the dark web. “Most of the people I know who do bug bounties are just normal people who want to live normal lives without the risk of incarceration. 
Sure, I could probably sell things on the black market, but the risk of putting myself in legal Jeopardy, which would, in turn, put my family in jeopardy, is just not a risk I would consider. I’m just not that guy.”But he does understand why some bug bounty hunters could give it serious thought – bounty hunters are generally underpaid for the value of the service they provide. He has never been tempted to sell a vulnerability on the black market but has occasionally been left frustrated.“For example, if I’ve got a bug that would cause $7M in damage, and I’m being paid $2K for it, I would never be tempted to do something shady with it. But knowing the discrepancy in how much I’m being paid versus what it’s worth has made me jaded and frustrated at times. Like maybe I should just go and be a security engineer again – or maybe I need to do something else entirely and open a bagel shop.”The contradiction that is Douglas DayDay became a professional hacker by choice. But that doesn’t mean he isn’t a natural hacker. When he describes the enjoyment and process of looking for bugs, it is little different to the experience of other computer hackers.“The reason I really enjoy hacking is not simple curiosity, but because of the adrenaline rush or endorphin rush when I find a bug and find a way to outthink the developers. It’s a bit of cat and mouse, where I’m the cat and the system is the mouse. There’s a real high in realizing you probably have it. And then you just need to figure out a few more details, until you finally get confirmation that your bug works. There’s a huge internal payoff just knowing that you were able to outsmart this large organization with dozens and dozens of developers and heaps and heaps of money, just by yourself.”His bug-finding process is also like the work of other computer hackers: disassembly followed by reassembly leading to unintended consequences. 
“Disassembly is just breaking the pieces down and understanding how they fit together and how they work together. What does this webpage do? What does this function do? What does this piece of the application do? It’s like opening the hood on a car to see how the different parts of the engine connect and work together.”Then comes the reassembly part. “Instead of going through the prescribed workflow and pressing this button after hitting that switch, what if I reverse the process? What would happen then? What would happen if I change some of the data that feeds the engine, and how could I do that? About 99% of the time I spend hacking a computer is this reassembly stage, reassembling something in a way that will achieve an action or outcome that was never intended by the developers.”But despite this natural affinity with hacking, he chose the profession rather than was chosen by it. This begs a question: is hacking a natural human inclination present in everyone? Do we all have a desire to strip things down to see how they work, and then create better things from our understanding? Isn’t that the very nature of science and progress? The only difference between us is the intensity (the extent to which we are driven by our psychology) and focus (the subjects we choose to hack).SummaryIt’s the element of rational choice to be a hacker that sets Day apart from most other hackers. He was not driven to computer hacking through a psychological necessity – an irresistible itch that could only be scratched by taking things apart and reassembling them – but by a desire to make life better for himself and his family. That is why most of us work, but only a few of us find a career that is truly satisfying, rewarding and legal.What Douglas Day demonstrates is that bug bounty programs can be a profession of choice, rather than simply a safe, ethical refuge for natural born hackers who have little choice but to hack. 
As he said: “I didn’t always consider myself a professional hacker, but I have always been a hacker. Now I’m both a hacker and a professional hacker.”Related:Hacker Conversations: McKenzie Wark, Author of A Hacker ManifestoRelated:Hacker Conversations: Tom Anthony and Scratching an Itch Without Doing HarmRelated:Hacker Conversations: Inside the Mind of Daniel Kelley, ex-BlackhatRelated:Hacker Conversations: Cris Thomas (AKA Space Rogue) From Lopht Heavy Industries

He created an account on HackerOne in October 2018, and it was only two months later he got his first bounty. “It was only $200, so it wasn’t mind shattering – but this was the first time in my life that I had independently; that is, outside of an employer, made a single dollar, and it was just through hacking.” A couple of weeks later, he got a second bounty, and then another. He decided this would not merely help with his downpayment but could become a serious supplement to the family income. He set a target of earning at least an additional $20,000 by hacking in the evenings and at weekends, but by the end of 2019 – when they purchased the house – he had made an additional $92,000 just from HackerOne.As the family grew, it became difficult to choose between spending spare time with family or hacking for more money. By this time, he was earning good money with HackerOne and had established a solid track record just hacking as a side hustle from his day job. “I just knew I needed to make the switch and do this full time. On July 5, 2024, I became a full time hacker, and things simply haven’t slowed down.”MotivationDay’s route into hackerdom is hardly conventional. The standard route is from a computer-fixated young child, through game playing into game hacking; mixing with and learning additional skills from other hackers on internet forums; and playing kudos-seeking pranks on school pals. Then comes the fork in the road for these precocious youngsters: some turn left into the sinister (malicious) realm while the majority take the righteous path into ethical hacking and gainful employment. They are driven by an irresistible and insatiable curiosity to understand how things work; and this can only be achieved by taking those things apart. 
Many times the curiosity continues: ‘Can I make it do something else, or perhaps the same thing but better, if I reassemble it differently?’ This is not a choice, but a psychological drive, often assisted in both cause and practice by a degree of neurodivergence.This is not Douglas Day. His destination was not a psychological necessity, but a rational career choice. He didn’t start out as a precocious childhood geek. He chose computer science for his university degree, but largely because he took a basic programming course at school. He became interested in cybersecurity but was not driven toward it. And in the end, he chose to be a hacker not out of psychological necessity, but to better provide for his family.“It was kicked off by my desire to buy a house for my family and it just kind of cascaded from there in ways I didn’t expect – it kind of went meteoric. I expected to just have some supplemental side cash and did not expect it to be enough to sustain myself and my family. I guess I took a boring path to full time hacking, because it took five years for me to make that jump – and it was only after feeling very, very confident that I would be able to do it full time that I actually pulled the trigger.”This family-driven motivation and his religious beliefs (he describes himself as ‘a person of faith’) mean he has never been tempted to sell a vulnerability for a higher price on the dark web. “Most of the people I know who do bug bounties are just normal people who want to live normal lives without the risk of incarceration. Sure, I could probably sell things on the black market, but the risk of putting myself in legal Jeopardy, which would, in turn, put my family in jeopardy, is just not a risk I would consider. I’m just not that guy.”But he does understand why some bug bounty hunters could give it serious thought – bounty hunters are generally underpaid for the value of the service they provide. 
He has never been tempted to sell a vulnerability on the black market but has occasionally been left frustrated.“For example, if I’ve got a bug that would cause $7M in damage, and I’m being paid $2K for it, I would never be tempted to do something shady with it. But knowing the discrepancy in how much I’m being paid versus what it’s worth has made me jaded and frustrated at times. Like maybe I should just go and be a security engineer again – or maybe I need to do something else entirely and open a bagel shop.”The contradiction that is Douglas DayDay became a professional hacker by choice. But that doesn’t mean he isn’t a natural hacker. When he describes the enjoyment and process of looking for bugs, it is little different to the experience of other computer hackers.“The reason I really enjoy hacking is not simple curiosity, but because of the adrenaline rush or endorphin rush when I find a bug and find a way to outthink the developers. It’s a bit of cat and mouse, where I’m the cat and the system is the mouse. There’s a real high in realizing you probably have it. And then you just need to figure out a few more details, until you finally get confirmation that your bug works. There’s a huge internal payoff just knowing that you were able to outsmart this large organization with dozens and dozens of developers and heaps and heaps of money, just by yourself.”His bug-finding process is also like the work of other computer hackers: disassembly followed by reassembly leading to unintended consequences. “Disassembly is just breaking the pieces down and understanding how they fit together and how they work together. What does this webpage do? What does this function do? What does this piece of the application do? It’s like opening the hood on a car to see how the different parts of the engine connect and work together.”Then comes the reassembly part. 
“Instead of going through the prescribed workflow and pressing this button after hitting that switch, what if I reverse the process? What would happen then? What would happen if I change some of the data that feeds the engine, and how could I do that? About 99% of the time I spend hacking a computer is this reassembly stage, reassembling something in a way that will achieve an action or outcome that was never intended by the developers.”But despite this natural affinity with hacking, he chose the profession rather than was chosen by it. This begs a question: is hacking a natural human inclination present in everyone? Do we all have a desire to strip things down to see how they work, and then create better things from our understanding? Isn’t that the very nature of science and progress? The only difference between us is the intensity (the extent to which we are driven by our psychology) and focus (the subjects we choose to hack).SummaryIt’s the element of rational choice to be a hacker that sets Day apart from most other hackers. He was not driven to computer hacking through a psychological necessity – an irresistible itch that could only be scratched by taking things apart and reassembling them – but by a desire to make life better for himself and his family. That is why most of us work, but only a few of us find a career that is truly satisfying, rewarding and legal.What Douglas Day demonstrates is that bug bounty programs can be a profession of choice, rather than simply a safe, ethical refuge for natural born hackers who have little choice but to hack. As he said: “I didn’t always consider myself a professional hacker, but I have always been a hacker. 
Now I’m both a hacker and a professional hacker.”Related:Hacker Conversations: McKenzie Wark, Author of A Hacker ManifestoRelated:Hacker Conversations: Tom Anthony and Scratching an Itch Without Doing HarmRelated:Hacker Conversations: Inside the Mind of Daniel Kelley, ex-BlackhatRelated:Hacker Conversations: Cris Thomas (AKA Space Rogue) From Lopht Heavy Industries

As the family grew, it became difficult to choose between spending spare time with family or hacking for more money. By this time, he was earning good money with HackerOne and had established a solid track record just hacking as a side hustle from his day job. “I just knew I needed to make the switch and do this full time. On July 5, 2024, I became a full time hacker, and things simply haven’t slowed down.”MotivationDay’s route into hackerdom is hardly conventional. The standard route is from a computer-fixated young child, through game playing into game hacking; mixing with and learning additional skills from other hackers on internet forums; and playing kudos-seeking pranks on school pals. Then comes the fork in the road for these precocious youngsters: some turn left into the sinister (malicious) realm while the majority take the righteous path into ethical hacking and gainful employment. They are driven by an irresistible and insatiable curiosity to understand how things work; and this can only be achieved by taking those things apart. Many times the curiosity continues: ‘Can I make it do something else, or perhaps the same thing but better, if I reassemble it differently?’ This is not a choice, but a psychological drive, often assisted in both cause and practice by a degree of neurodivergence.This is not Douglas Day. His destination was not a psychological necessity, but a rational career choice. He didn’t start out as a precocious childhood geek. He chose computer science for his university degree, but largely because he took a basic programming course at school. He became interested in cybersecurity but was not driven toward it. And in the end, he chose to be a hacker not out of psychological necessity, but to better provide for his family.“It was kicked off by my desire to buy a house for my family and it just kind of cascaded from there in ways I didn’t expect – it kind of went meteoric. 
I expected to just have some supplemental side cash and did not expect it to be enough to sustain myself and my family. I guess I took a boring path to full time hacking, because it took five years for me to make that jump – and it was only after feeling very, very confident that I would be able to do it full time that I actually pulled the trigger.”This family-driven motivation and his religious beliefs (he describes himself as ‘a person of faith’) mean he has never been tempted to sell a vulnerability for a higher price on the dark web. “Most of the people I know who do bug bounties are just normal people who want to live normal lives without the risk of incarceration. Sure, I could probably sell things on the black market, but the risk of putting myself in legal Jeopardy, which would, in turn, put my family in jeopardy, is just not a risk I would consider. I’m just not that guy.”But he does understand why some bug bounty hunters could give it serious thought – bounty hunters are generally underpaid for the value of the service they provide. He has never been tempted to sell a vulnerability on the black market but has occasionally been left frustrated.“For example, if I’ve got a bug that would cause $7M in damage, and I’m being paid $2K for it, I would never be tempted to do something shady with it. But knowing the discrepancy in how much I’m being paid versus what it’s worth has made me jaded and frustrated at times. Like maybe I should just go and be a security engineer again – or maybe I need to do something else entirely and open a bagel shop.”The contradiction that is Douglas DayDay became a professional hacker by choice. But that doesn’t mean he isn’t a natural hacker. 
When he describes the enjoyment and process of looking for bugs, it is little different to the experience of other computer hackers.“The reason I really enjoy hacking is not simple curiosity, but because of the adrenaline rush or endorphin rush when I find a bug and find a way to outthink the developers. It’s a bit of cat and mouse, where I’m the cat and the system is the mouse. There’s a real high in realizing you probably have it. And then you just need to figure out a few more details, until you finally get confirmation that your bug works. There’s a huge internal payoff just knowing that you were able to outsmart this large organization with dozens and dozens of developers and heaps and heaps of money, just by yourself.”His bug-finding process is also like the work of other computer hackers: disassembly followed by reassembly leading to unintended consequences. “Disassembly is just breaking the pieces down and understanding how they fit together and how they work together. What does this webpage do? What does this function do? What does this piece of the application do? It’s like opening the hood on a car to see how the different parts of the engine connect and work together.”Then comes the reassembly part. “Instead of going through the prescribed workflow and pressing this button after hitting that switch, what if I reverse the process? What would happen then? What would happen if I change some of the data that feeds the engine, and how could I do that? About 99% of the time I spend hacking a computer is this reassembly stage, reassembling something in a way that will achieve an action or outcome that was never intended by the developers.”But despite this natural affinity with hacking, he chose the profession rather than was chosen by it. This begs a question: is hacking a natural human inclination present in everyone? Do we all have a desire to strip things down to see how they work, and then create better things from our understanding? 
Isn’t that the very nature of science and progress? The only difference between us is the intensity (the extent to which we are driven by our psychology) and focus (the subjects we choose to hack).SummaryIt’s the element of rational choice to be a hacker that sets Day apart from most other hackers. He was not driven to computer hacking through a psychological necessity – an irresistible itch that could only be scratched by taking things apart and reassembling them – but by a desire to make life better for himself and his family. That is why most of us work, but only a few of us find a career that is truly satisfying, rewarding and legal.What Douglas Day demonstrates is that bug bounty programs can be a profession of choice, rather than simply a safe, ethical refuge for natural born hackers who have little choice but to hack. As he said: “I didn’t always consider myself a professional hacker, but I have always been a hacker. Now I’m both a hacker and a professional hacker.”Related:Hacker Conversations: McKenzie Wark, Author of A Hacker ManifestoRelated:Hacker Conversations: Tom Anthony and Scratching an Itch Without Doing HarmRelated:Hacker Conversations: Inside the Mind of Daniel Kelley, ex-BlackhatRelated:Hacker Conversations: Cris Thomas (AKA Space Rogue) From Lopht Heavy Industries

Day’s route into hackerdom is hardly conventional. The standard route is from a computer-fixated young child, through game playing into game hacking; mixing with and learning additional skills from other hackers on internet forums; and playing kudos-seeking pranks on school pals. Then comes the fork in the road for these precocious youngsters: some turn left into the sinister (malicious) realm while the majority take the righteous path into ethical hacking and gainful employment. They are driven by an irresistible and insatiable curiosity to understand how things work; and this can only be achieved by taking those things apart. Many times the curiosity continues: ‘Can I make it do something else, or perhaps the same thing but better, if I reassemble it differently?’ This is not a choice, but a psychological drive, often assisted in both cause and practice by a degree of neurodivergence.This is not Douglas Day. His destination was not a psychological necessity, but a rational career choice. He didn’t start out as a precocious childhood geek. He chose computer science for his university degree, but largely because he took a basic programming course at school. He became interested in cybersecurity but was not driven toward it. And in the end, he chose to be a hacker not out of psychological necessity, but to better provide for his family.“It was kicked off by my desire to buy a house for my family and it just kind of cascaded from there in ways I didn’t expect – it kind of went meteoric. I expected to just have some supplemental side cash and did not expect it to be enough to sustain myself and my family. 
I guess I took a boring path to full time hacking, because it took five years for me to make that jump – and it was only after feeling very, very confident that I would be able to do it full time that I actually pulled the trigger.”

This family-driven motivation and his religious beliefs (he describes himself as ‘a person of faith’) mean he has never been tempted to sell a vulnerability for a higher price on the dark web. “Most of the people I know who do bug bounties are just normal people who want to live normal lives without the risk of incarceration. Sure, I could probably sell things on the black market, but the risk of putting myself in legal jeopardy, which would, in turn, put my family in jeopardy, is just not a risk I would consider. I’m just not that guy.”

But he does understand why some bug bounty hunters could give it serious thought – bounty hunters are generally underpaid for the value of the service they provide. He has never been tempted to sell a vulnerability on the black market but has occasionally been left frustrated.

“For example, if I’ve got a bug that would cause $7M in damage, and I’m being paid $2K for it, I would never be tempted to do something shady with it. But knowing the discrepancy in how much I’m being paid versus what it’s worth has made me jaded and frustrated at times. Like maybe I should just go and be a security engineer again – or maybe I need to do something else entirely and open a bagel shop.”

The contradiction that is Douglas Day

Day became a professional hacker by choice. But that doesn’t mean he isn’t a natural hacker. When he describes the enjoyment and process of looking for bugs, it is little different to the experience of other computer hackers.

“The reason I really enjoy hacking is not simple curiosity, but because of the adrenaline rush or endorphin rush when I find a bug and find a way to outthink the developers. It’s a bit of cat and mouse, where I’m the cat and the system is the mouse. There’s a real high in realizing you probably have it. And then you just need to figure out a few more details, until you finally get confirmation that your bug works. There’s a huge internal payoff just knowing that you were able to outsmart this large organization with dozens and dozens of developers and heaps and heaps of money, just by yourself.”

His bug-finding process is also like the work of other computer hackers: disassembly followed by reassembly leading to unintended consequences. “Disassembly is just breaking the pieces down and understanding how they fit together and how they work together. What does this webpage do? What does this function do? What does this piece of the application do? It’s like opening the hood on a car to see how the different parts of the engine connect and work together.”

Then comes the reassembly part. “Instead of going through the prescribed workflow and pressing this button after hitting that switch, what if I reverse the process? What would happen then? What would happen if I change some of the data that feeds the engine, and how could I do that? About 99% of the time I spend hacking a computer is this reassembly stage, reassembling something in a way that will achieve an action or outcome that was never intended by the developers.”

But despite this natural affinity with hacking, he chose the profession rather than being chosen by it. This begs a question: is hacking a natural human inclination present in everyone? Do we all have a desire to strip things down to see how they work, and then create better things from our understanding? Isn’t that the very nature of science and progress? The only difference between us is the intensity (the extent to which we are driven by our psychology) and focus (the subjects we choose to hack).

Summary

It’s the element of rational choice to be a hacker that sets Day apart from most other hackers. He was not driven to computer hacking through a psychological necessity – an irresistible itch that could only be scratched by taking things apart and reassembling them – but by a desire to make life better for himself and his family. That is why most of us work, but only a few of us find a career that is truly satisfying, rewarding and legal.

What Douglas Day demonstrates is that bug bounty programs can be a profession of choice, rather than simply a safe, ethical refuge for natural born hackers who have little choice but to hack. As he said: “I didn’t always consider myself a professional hacker, but I have always been a hacker. Now I’m both a hacker and a professional hacker.”

Source: SecurityWeek