Companies hire “good guy” hackers to halt destructive hacking

By Kallyn Hobmann



Samuel Curry is hunched over the computer in his bedroom in his parents’ house in Omaha, Nebraska. The sun is shining outside as he starts his work day with the rest of the world around 8 a.m. His tasks vary each day, but right now he is trying to hack into Yahoo’s small business platform, and he hits a breakthrough. Using a fake username and a lost-password request, he gets access to someone's account. Pretty soon, he realizes he can use this trick to access anyone's account.


"The moment where you're able to actually actualize the security vulnerability,” said Curry, 19, “it's a pretty massive rush and makes everything worth it.”


Curry is a hacker, but not the bad-guy kind. He’s a "white-hat hacker." After finding the system's security flaw, he reported it to Yahoo and was paid $4,000. Yahoo fixed the problem and was able to protect its users from future attacks.


White-hat hacking is also known as ethical hacking. Its purpose: to find and report vulnerable pieces in an organization’s system so that the organization can fix the problem, Curry said.


Companies hire white-hat hackers to find flaws in their system before black-hat hackers, or those trying to break into the system for personal benefit, can. Companies such as Google and Apple pay up to $200,000 for a single hack. Intel and Microsoft offer as much as $250,000. These payments are called "bug bounties.”


In the past 12 months, working 20 hours a week, Curry made around $100,000. That’s double the amount the average 45- to 50-year-old makes in a year.


Ethical hacking plays into the bigger picture of cybersecurity as a whole. Cybersecurity can be defined as “the practice of protecting systems, networks, and programs from digital attacks.” In a way, it is a race to see if the white-hat hackers or the black-hat hackers can find a system’s flaws first.


"Someone once said that cybersecurity is simply the process of lowering the return of investment for attackers,” Curry said. “It's impossible for anything to be completely secure, so for now it's just a game of cat and mouse.”


Curry is a self-taught hacker, but more and more high schools and colleges are offering students opportunities to train and educate themselves.


The White Hat is a club at Cal Poly, San Luis Obispo, consisting of around forty cyber-oriented students. The club’s purpose is to “provide a safe place to learn about and practice the principles of ethical hacking, security and privacy,” according to club officer Sarah Samora.

According to its website, The White Hat’s purpose is this: “As a club, we strive to make cybersecurity concepts and ethical hacking practices and training available and accessible to everyone.”


After a few years of IT-security experience, hackers can earn the Certified Ethical Hacker (CEH) certification through the International Council of E-Commerce Consultants (EC-Council) and can market themselves as certified ethical hackers to companies. The certification trains ethical hackers to think like black-hat hackers in order to find the flaws that black-hat hackers will look for.


Another resource is Bugcrowd, the number one crowdsourced security platform. It helps enterprise organizations run bug bounty programs and manage the vulnerabilities in their systems with a team of experienced hackers. Bugcrowd University provides training for those seeking to hone their skills within the white-hat hacker community through online videos and labs.


The California Cybersecurity Institute (CCI) has partnered with Bugcrowd for two years, starting in July 2018, to conduct research and produce products that assist organizations with cybersecurity issues. This partnership simultaneously provides hands-on experience for Cal Poly students through the CCI.

In a statement on Cal Poly’s website, Ashish Gupta, CEO of Bugcrowd, said Bugcrowd is “proud to work with them to train the next generation of cyber defenders and help fund the California Cybersecurity Institute to build a world-class training and testing ground for security research.”