Tommy DeVoss would describe finding a bug as a high like no other. We believe it; we’ve all seen the physical reaction hackers have when hours, days or weeks of work finally pay off in a new, critical, highly priced bug: goosebumps, flushed faces, cheers, hugs and back slaps acknowledging that intense mix of surprise, joy and pride, not to mention the knowledge that a single payout could equal a year’s salary. From the first remote code execution he found (twice in one week) to becoming a million-dollar hacker in 2019, @dawgyg, or Thomas “Tommy” DeVoss, is a top hacker dedicated to making the internet safer.
Tommy was 9 when he learned the hacking skills that would change his life forever. Decades later, he’s one of the top hackers in the world and his passion for breaking things is as strong as ever. Ranked 20th on the all-time HackerOne leaderboard, this record-setting hacker has found 484 vulnerabilities to date, with an expertise — and an MVH title — on the Verizon Media program.
Beyond his day (and night!) job, he’s worked with press, podcasters, bloggers, and influencers around the world to share his story and showcase how hacking for good has changed his life. When he’s not finding crits, he can be found driving his classic Nissan Skyline.
Read on to learn more about the brains behind one of the top hackers on the HackerOne platform, and unpack his thinking behind bug bounty.
How did you come up with your HackerOne username?
No idea. I started using it in 1997, replacing “nikeguy.”
How did you discover hacking?
EfNet on IRC in the 90s. The thought of being able to do anything I wanted online was a very alluring situation.
How did you get involved with bug hunting?
At school I would finish my work in ten minutes and spend the rest of the lesson playing on the computer. I was 10 or 11 when I stumbled across a chatroom whose members taught me how to hack - I was just a bored kid doing it for fun. I first got into trouble in high school and was ordered to stay away from computers, but I didn't. With others, I broke into secure government systems and was caught again and spent 4 years in prison. I was told if I got caught again then I wouldn't get out. In 2016 I discovered bug bounty programs and could return to the hobby I loved, but this time working for good.
What motivates you to hack and why do you hack for good through bug bounties?
Money is my main and biggest motivator. I make a lot more doing bug bounties than I could hope to make doing a normal day job.
What makes a program an exciting target?
Large scope and quicker payments. Even if the payments are a little lower, if companies can fix bugs fast and pay out fast then it's a good program, in my opinion.
What keeps you engaged in a program and what makes you disengage?
Quick turnarounds keep me engaged, and a program I can trust. Programs that seem to be doing questionable things, like marking bugs as dupes of things found internally or taking months to fix and pay out a bug, will make me disengage.
How many programs do you focus on at once? Why?
Generally, I focus on 1-2 programs at once so that I can spend the proper time learning about the application, and seeing how it should be used to find ways to break it.
How do you prioritize which vulnerability types to go after based on the program?
It depends on how long I have been on the program. When it's a new program I find lower level bugs to report and gauge their response times and see how long it takes to fix and payout.
What do you wish every company knew before starting a bug bounty program?
I wish companies could view our time as valuable. Anything you can do to show that our time is not wasted and is valued will be beneficial to you as the program owner.
What are the pros and cons of working as a bug hunter on a platform like HackerOne?
The biggest pro is the protection that they can offer us. The bug bounty area is still very new, and there have been many cases in the news over the years of people running their own programs without a platform and attempting to go after researchers for finding serious bugs in their products. When it comes to the companies that are using platforms like HackerOne, they do a very good job of helping to make sure programs are run in a way that protects researchers legally, as well as protecting the time we spend on the companies. The only con is the fact that so many people are now on HackerOne that the competition for the bugs we are all looking for is getting that much harder. But this isn't even a really bad thing, because it pushes all of us to become better and look for better bugs.
How do you see the bug bounty space evolving over the next 5-10 years?
More and more companies will be starting and running programs. The prices should go up as well as it becomes harder and harder to find the bugs.
As more things are connected to the internet, we will see more attacks on things in the real world. 25 years ago, when I started out, we used to joke about causing real-world damage; it wasn’t feasible then, but it is now. We are connecting everything from cars to thermostats, and this increases the danger of real-world harm from computers. We are going to need a lot more security, since most companies building IoT devices are not thinking about security. You think ‘who wants to hack my fridge?’ but that isn’t the issue: cybercriminals want to use that fridge as a stepping stone to gain wider access into networks and do far more damage than neglecting to inform you when the milk is out.
I like to think the defenders will win this fight, simply because there are so many of us now. While the media gives plenty of coverage to cybercriminals, making it look like they’re ahead, far less attention is given to those of us who fix things before they ever become an issue. In most cases of high profile breaches, if the company in question had a good defender on board, ensuring vulnerabilities are found and fixed and systems are updated, they often would have escaped the hack.
Criminals will continue to proliferate until we take security more seriously; we need to teach developers how to code securely. If coding courses don’t teach you to code in a secure way, everyone who goes through them will make the same mistakes and continue with the same insecure coding practices.
Do you have a mentor or someone in the community who has inspired you?
Mark Litchfield. The amount I have learned from him over the years has been invaluable. I would not be where I am today without his teaching.
What advice would you give to the next generation of hackers?
Don't give up. Don't expect instant success. It takes a lot of time and effort to become successful in this, and even then you will need to put in even more time to stay at that level.