Hacker makes US$100,000 a year as a 'bug bounty hunter'
Jobert Abma's HackerOne hunts software holes and counts the US Department of Defence, Twitter, Yahoo, and Uber among its customers
Jobert Abma, the 25-year-old co-founder of a hot start-up called HackerOne, has been breaking into computers since he was 13.
And he's been getting into hacking scrapes with his co-founder and best friend Michiel Prins for almost as long.
Growing up in the Netherlands, Abma gave Prins an unusual graduation present: the user name and password to a local TV station that did a regular news broadcast about the school.
The duo then took control of the TV station and ran their own broadcast on live TV instead.
"The TV station was not amused," Abma says.
The teachers blamed Prins, who was a year older than Abma, for the hack, and "he never told them that I was to blame," Abma says. Prins wound up having to do 25 hours of community service washing windows, but "that’s what best friends are for."
The two were so good at hacking that Abma's internet provider noticed. It sent a letter to his parents saying, "We think you have a virus installed on your computer because there's all this weird traffic coming from your systems." "My parents were like, 'We don't have a virus. We have a son,'" Abma recalls.
But the turning point for the pair came when they were in college together at Hanze University of Applied Sciences in the Netherlands.
During Abma's freshman year, the two were looking into the software the school used to manage homework assignments and grades. They found a hole that allowed them to access everyone's grades.
They told the software vendor about the hole and never heard back, Abma recalls. (As a rule, software companies don't automatically respond to every unknown person who contacts them claiming to have found a bug.)
So they reported the hole to the university. The school contacted the company, and it fixed the hole. The university was so impressed that it hired the pair to do a broader vulnerability test on that software.
"We made so much money on that contract that we could pay for our college tuition," he says. "We were going to college and at the same time working for the university."
Hanze loved their work and published their research. The software company, he recalls, was less than pleased. "We got a cease-and-desist letter."
Making $10,000 a week in college
Because of all of this, and the potential trouble they could get in, "our parents forced us to start a company," he said.
But getting customers was a struggle at first. "As you can imagine, no one is going to trust two college kids with their security," Abma says.
So they came up with a challenge, telling prospects that if they couldn't break into the company within 60 minutes, they would buy cake for the whole company.
"But if we can hack into the company, then we want to have a meeting and talk about what was wrong and see how we can help you," he says.
People loved the cake challenge. "We spent our nights and weekend hacking and it was the best introduction we ever had to a lot of big companies in the Netherlands," he says.
Soon they had contracts from the government, large banks, and insurance companies.
"That was a very exciting time. We were 19 and 20 years old. And we were making roughly US$10,000 a week just the two of us," he says. "For two college kids, that was a very large amount of money."
Inspiration for HackerOne
With this background, the two moved to San Francisco and co-founded HackerOne along with Merijn Terheggen and Alex Rice, the former head of product security at Facebook.
HackerOne is a website where companies can ask hackers to attack them, and then pay fees based on the holes found. The scarier the hole, the bigger the fee. (HackerOne takes a 20 per cent cut.)
These are called "bug bounty" programs.
The idea is to put good-guy hackers on the company's payroll so they can find problems before the bad guys do.
Many big tech companies run their own bug bounty programs, including Facebook, Google, Microsoft, Mozilla, Uber, and Yahoo.
But HackerOne gives any company access to a screened pool of qualified, trustworthy hackers. It also offers software that lets them track and manage the holes the hackers find so they can fix them. Its customers range from big tech companies to start-ups, among them the US Department of Defence, GM, Slack, Twitter, Yahoo, and Uber.
US$7 million in bounties paid
HackerOne has helped companies discover 21,000 verified vulnerabilities since it was founded in 2012 and it has paid out over US$7 million in that time, it says.
It's growing like crazy as companies realise the value of having access to their own friendly army of hackers.
The start-up has 500 customers and about 50 employees and has raised US$34 million in funding.
That means the amount of money hackers earn via the site is accelerating. For instance, it only took 12 weeks for hackers to earn the last US$1 million worth of bounties. HackerOne had paid out US$6 million in bounties in February and that number was up to US$7 million by April.
HackerOne is not the only bug bounty start-up. Bugcrowd, CrowdSecurity, and Synack are some others.
However, HackerOne gained some notice when it landed Marten Mickos as CEO last year. He's well known in the software world as the former CEO of Eucalyptus and MySQL, and he sold both of those companies for big bucks.
An extra US$80,000 this year
Even though Abma has a day job as a co-founder of HackerOne, he's still a hacker at heart.
He still spends some nights and weekends participating in the bug bounty programs. Most companies pay between US$500 and US$1,000 per qualified hole found.
But fees can go far higher. Google, for instance, pays up to US$20,000 for the nastiest bugs. Others pay even more.
Abma has made an extra US$80,000 in the last 8 months on bug bounties, he says.
His goal is to earn an extra US$100,000 in 2016, which he's on track to do, he says.
His average bounty is US$4,000 per bug, with his largest payout being US$30,000, he tells us. Those are some seriously nasty holes.
There are 2,600 hackers in the system who have found at least one qualified bug, HackerOne says, and Abma says he's not one of the top 100. He says he ranks in the top 3 per cent.
That means that there are quite a few bug bounty hackers earning more.
"There are some hackers making US$200,000 a year," Abma says, and about 20 making US$100,000 annually. "I know someone who is going for US$500,000 this year as his personal goal. He's capable."
Most of these hackers are not doing bounties as their full-time gig either, but they have "a normal day job. Most of them are in tech, they are a software engineer or do computer security. They do this as a second income. It's a very nice addition to most people’s salaries."
For Abma, it's all about helping companies and helping other hackers earn extra money, while enjoying the extra cash himself.
"I can buy an upgrade to business class when I travel, dine very luxuriously, and my wedding ring was slightly more expensive than I would otherwise be able to pay," he says.
"Some people use it to pay for their college tuition or to finance their mortgage. We're normal people and hackers are super important to the future of the internet," he says.