Evolving With AI: A Security Researcher’s Bug Bounty Career | HackerOne

It's a Tuesday afternoon near Mount Hood, Oregon. Douglas Day is making lunch for his kids. In his home office, a Discord notification sits unread: the bot he spent two months building has flagged a potential security vulnerability overnight in software used by major enterprises. He'll get to it. Right now, lunch.

Douglas often reflected on his childhood, on what it felt like to grow up close to, but not quite with, his two hardworking parents. They loved him deeply, but their jobs kept them away during the day. If he could, he wanted to approach parenthood differently.

This isn't a vacation day. It's another typical Tuesday that the bug bounty hunter, HackerOne security researcher, and father spent six years engineering.

Not the Story You'd Expect

Ask Douglas what drew him to security research and you won't hear the quintessential origin story of a prodigy reverse-engineering video games in a basement. He was a normal kid who liked sci-fi, took a robotics class in high school, went to college for computer science, and worked his way into application security over several years and across three companies.

Then he landed at New Relic, where part of his job was reviewing incoming bug bounty reports. He expected sophisticated work. What he got instead were textbook vulnerabilities in enterprise software that customers were paying six and seven figures to use. He kept waiting for the complex bugs. They didn't come. And somewhere in that waiting, a thought formed: he had learned about these kinds of bugs in college. He could find these. And someone would pay him for it.

In October 2018, with a house down payment on the horizon, he created a HackerOne account, figuring he might make a few thousand dollars over the year. Two months later, he submitted his first valid vulnerability. The bounty was $200, the first money he'd ever earned that wasn't tied to hours logged for an employer. He had found a problem, reported it, and been paid for the output. It was his first taste of freedom.

Douglas at a Live Hacking Event — Douglas collaborating during a Live Hacking Event in Las Vegas

His income grew quickly after that. What began as work in the evenings and on Saturday mornings soon surpassed his full-time salary. Eventually, after becoming Elastic’s top-ranked external security researcher, he joined the company and spent four and a half years running the very program he had once contributed to. It was the ideal version of the work he’d been doing, yet he was still doing it for someone else.

The Leap

Going independent was a different calculation. Douglas was the sole income earner in his household, and health insurance alone would run roughly $1,500 a month. So he'd spent years building a runway: enough financial cushion to go nearly a decade without earning before touching retirement savings.

He was already deep into it, evenings, weekends, the runway quietly growing, when he picked up Courage Is Calling by Ryan Holiday. One idea stopped him: that the pain of not taking the jump is far greater than the pain of not trying. He'd been living that tension for years without words to describe it.

Then, in September of 2025, he went to Miami for a HackerOne live hacking event and won first place. The book told him what the fear was costing him. The event in Miami told him what he was capable of. Last fall, he cut the cord.

What He Was Really Building

Going fully independent didn't just buy Douglas his Tuesdays, it bought him extra time to build something that might not pay off for a year; the kind of investment no employer would sanction and no salaried schedule would allow.

Last November, he built an automated recon engine that scans bug bounty programs while he sleeps and pings him on Discord in the morning when it finds something worth looking at. It's early. The returns are modest. But when the bot surfaced its first valid vulnerability in December, Douglas tweeted about it.

"I've made several five-figure bounties," he said, "but this felt more special than all of them. It was the first found autonomously."

It was, in other words, another $200 moment. His bot had found something on his behalf. And someone was willing to pay him for it.

He's also building a SaaS product aimed at parents. His ideal business, he says, is one where all the employees are robots and AI, no managing people, just systems doing work. The goal is more Tuesdays at the park with his kids.

King of Collab

None of this means Douglas works in isolation. In fact, he holds a record nine Best Collaboration awards at HackerOne live hacking events. His friend's security research podcast once titled an episode simply, Douglasday: King of Collab.

Bug bounty is competitive by nature. If you're the second person to find a vulnerability, you get nothing, and working alone while racing the clock is stressful. But get on a Discord call with a friend, go off-topic for a while, and then stumble onto something together, and it becomes something else entirely.

Douglas holding his championship belt in Miami — Douglas holds his championship belt during the Live Hacking Event in Miami

That's how real friendships in the industry get built, Douglas says. He knows when to work alone and proved it by going solo to win his heavyweight-style championship belt. But collaboration, for him, is what keeps the work worth doing.

The Advice He'd Give His Kids

His kids are too young to understand what he does. They don't yet grasp what it means that their dad is home on a Tuesday.

He remembers ordinary moments from his own childhood that didn't feel significant at the time and turned out to be everything. The moments that register aren't usually the ones you plan.

When asked what he'd tell his kids, or anyone coming up in security research, his answer is less technical than you might expect. If you can solve a problem, he says, there's money in that, whether it's finding vulnerabilities or picking up dog poop in someone's yard. The specific skill matters less than the willingness to adapt.

Security research has forced Douglas to evolve constantly; attack surfaces shift, the landscape changes, and you change with it or fall behind. He grew up in a house where the safe route was the only route anyone talked about, and he followed it long enough to understand why. Getting off it took a $200 bounty, six years of nights and weekends, a financial runway built over years of careful earning, a book about courage, and a championship belt.

Ready to find your own path in security research? Explore opportunities with HackerOne.