A growing roster of white hat hackers earn thousands finding chinks in the digital armor of the US government and companies such as Apple and Google

Nathaniel Wakelam became a bounty hunter when he was 18.

Now 21, he does it as a full-time job. This month so far he has earned $21,150, in installments; he counted them out over the phone: 400, plus 400, plus 300, plus 100, plus 1,000, plus 3,000, plus 4,000.

Wakelam's month-to-month profit varies considerably, but in an average year, he said, he can comfortably clear $250,000, working from his home in Melbourne or on his MacBook in coffee shops or nearby bars.

He saves a lot of what he earns, and spends philanthropically; he runs a charity which links young hackers with mentors. Last year, he bankrolled a trip for six people to a conference in New Zealand, using his earnings from just 48 hours of work. "If you are able to get money doing something like that and it comes easily, I think you've got an obligation to help people around you," he said.

Wakelam is one of a new generation of so-called white hat hackers. Unlike black hat hackers, who hack for criminal, nefarious or destructive purposes, white hat hackers make their living hunting for chinks in the digital armor of large companies in order to report them and collect an often generous reward.

There is no shortage of money to be made. This month, Apple joined the ranks of Facebook, Microsoft, Adobe, Tesla, Yahoo, and Google when it became the latest big tech firm to instigate a bug bounty program, offering prizes of up to $200,000 to bounty hunters who discover security vulnerabilities.

It's not just private companies that are using bounty hunters to shore up their information security. The US Department of Defense (DoD) launched a pilot program in March called Hack the Pentagon. The first exploit was found, Rice said, within 15 minutes of the program's launch. All in all, 58 participating hackers found 134 vulnerabilities in just three weeks, and the DoD paid out more than $70,000 in bounties.

One of the recipients was David Dworken. He grew up in northern Virginia, outside Washington DC, graduated from high school in June, and was invited to the Pentagon by Secretary of Defense Ash Carter after the Hack the Pentagon program: Dworken found six vulnerabilities on the first day of the pilot, working mainly in free periods or after school.

Dworken's first hack was of his school's website, when he was 16. Within two years he was collecting bounties: around $10,000 so far from Uber, and 1.3m air miles from United Airlines. Some of the winnings he's put aside, he said, and some he's spent on upgrading his computer.

The US defense department launched a pilot program in March called Hack the Pentagon. The first bug was found within 15 minutes. Photograph: AFP/Getty Images

Facebook was an early adopter of the idea of bug bounties. Their program, launched in 2011, received more than 13,000 submissions in 2015 alone, according to a February blogpost, and has given out more than $4.3m to more than 800 bounty hunters in 127 countries since its inception, almost $1m of which was in 2015 alone. In May, Facebook paid a $10,000 reward to a 10-year-old Finnish schoolboy who found a vulnerability in Instagram's code.

The total size of the marketplace for bug bounties is unknown, in part because the programs are a mishmash of private programs, some of which don't release data. Facebook, like many companies, also sometimes uses a third party (in their case, a company called Bugcrowd) to connect bounty payments to hunters. These third-party companies act as brokers.

Bugcrowd runs 286 programs, paying out more than $2m on more than 50,000 submissions since 2013; another, Exodus Intelligence, recently announced a $500,000 bounty for Apple hacks, and Zerodium, a broker which specializes in so-called zero-day exploits, paid out $1m in 2015 for a working attack on Apple's operating system. HackerOne, another big player, which helped organize the Hack the Pentagon event, currently hosts more than 550 programs; a spokesperson said the company had tens of thousands of would-be bounty hunters signed up.

"Hackers have a natural curiosity," said Alex Rice, a former head of product security at Facebook and co-founder and CTO of HackerOne. He said that, despite Hollywood depictions, all but a small minority in the information security community take a very negative view on criminal behavior. "We don't ask every locksmith how they feel about burglars."

"You think of hacking as being this very exclusive skill set," he said, "but the reality is that data software security is in a sorry state, and if you ask most engineers 'how would you break it', if properly incentivized most of them will be able to figure out how to do it."

Of the programs posted on HackerOne, Rice said, a vulnerability was found within the first 24 hours in 77% of cases. Not one single site or piece of software has ever survived longer than a week under the scrutiny of his bounty hunters.

"Finding a vulnerability or hack feels exciting, because you are the first person in the world to discover it. It feels good to know that you are somewhere no one else has been," said Francisco Correa, a 30-year-old bounty hunter who also works with HackerOne.

Correa, who has a beachfront apartment in Chile which he's fitted out with fiber-optic internet, began working four years ago with Google's bug bounty program, and was quickly finding vulnerabilities for Adobe and Microsoft as well. "I was never a normal kid in school," he said. "I got kicked out of six different schools. I was never one of those people who are OK following orders."

For Wakelam, the appeal lies in the problem-solving, and it always has.

"I really enjoy breaking into large networks," he said. "It's something that I can spend 24 hours on." In fact, he added, he had been doing just that for the 24 hours preceding his conversation with the Guardian, for a profit of $3,000.

"I can do it on my own time," he said. "I don't have a boss. I can go to sleep at six in the morning and do what I want to do, as long as I'm delivering bugs on a time I'm happy with."

Read more: www.theguardian.com