IT’S 3 AM, and his eyes are almost closed. The pack of gummy bears on his desk is empty. So’s the Chinese takeout box. Romanian white hat hacker Alex Coltuneac has had three hours of sleep tonight. And last night. And the night before that. He’s busy trying to find a vulnerability in YouTube live chat, which he plans to report to the company and hopefully get some money in return. None of the bugs he has discovered in the past few days electrifies him, so he keeps digging.
In the past four years, Coltuneac has gotten bug bounty payments from Google, Facebook, Microsoft, Adobe, Yahoo, eBay, and PayPal for flaws he reported. Such bounty programs are a chance for Eastern European hackers like him to pursue a legitimate career in cybersecurity.
And he’s only 19 years old. In a country better known for cybercrime, the teenager is part of a small but growing cohort of hackers who are deciding to play it nice. This is a departure for the hacking community of Romania, known for such hits as the hackers Hackerville and Guccifer, and for fraudsters who steal money from American bank accounts, perpetrate eBay frauds, and land themselves on the FBI’s most wanted list.
Coltuneac is a freshman at the Babes-Bolyai University in Cluj-Napoca, where he studies computer science in English. Raised by a family who emphasized honest values, he started using a computer when he was 6. First, he taught himself how to play games, but as he got older he began to see the computer’s potential as a tool to make money. He spent his early teenage years watching fellow Romanian hackers make astounding sums of money selling exploits on the black market. They were able to rake in thousands of US dollars with just a few clicks, far more than Coltuneac’s parents made in a month. He was a good kid, from a good family. He didn’t want to join them. But he did want to pay for college.
The allure of that life was powerful.
Which is why he was so grateful to find out about bug bounty programs when he was 15. They pay enough to keep his conscience clear and his bank account full. Bounties cover the cost of his education and living expenses, so “there’s no excuse to break the law,” he said.
Coltuneac won’t say how much he earns as a vulnerability hunter, yet gifted white hat hackers doing the same kind of job brag about making about $6,000 in a lucky month. That’s how much an ordinary Romanian earns in a year. The average take-home pay in the country was about $520 a month this March, one of the lowest in the European Union.
On the white market, a flaw found and reported legitimately is priced at a few hundred dollars, enough for Coltuneac to pay his rent this month. Sensitive ones are often rewarded with several thousand dollars. In very few cases, the bounty exceeds $100,000. He’s constantly hoping to find one of those. And that sum is still far less than what he would get if he sold the same vulnerabilities on the gray or black markets. (Gray markets sell exploits to nations and corporations to use against their foes; black markets sell to the highest bidder, often criminals.) Zerodium, a gray hat vulnerability broker working with law enforcement and intelligence agencies, awards a hacker up to $500,000 for a high-risk bug with a fully functional exploit.
Coltuneac started hunting vulnerabilities when he was 15, in his free time after school, after visiting a Romanian cybersecurity forum. Like most Romanian hackers, the teen is self-taught. Soon, he got his first few hundred dollars from Google, and used them to buy himself a brand new computer. His old desktop was dead slow.
“I got lucky. I found a sensitive file. I used brute force,” he said.
The tech giant is among the companies he closely monitors for bug bounty programs. He has recently found a local file inclusion (LFI) vulnerability and several cross-site scripting (XSS) flaws in Google FeedBurner. Last year alone, Google awarded over $2 million to security researchers globally, and since 2010, when it began its bug bounty program, it has paid a total of $6 million. For 2015, Google highlighted Romania as among the top countries to which bug bounties were paid out.
Coltuneac has also made it to Microsoft’s Bounty Hunters: The Honor Roll. This spring he found an XSS vulnerability in their OAuth interface. Microsoft is constantly improving its bounty program, and last year the company included rewards for flaws found in Azure, ASP.NET, the .NET Core runtime and the Edge browser.
“[W]e added Hyper-V escapes to the Mitigation Bypass Bounty list, paying up to $100,000, and in August 2015 we increased the Bounty for Defense from $50,000 to $100,000 in order to bring security defense research up to the same level as vulnerability research,” Chris Betz, Senior Director, Microsoft Security Response Center told WIRED.
The company did not provide WIRED with figures for the total amount of money paid out through its bug bounty programs. However, according to data available online, Microsoft has given white hat hackers on the Honor Roll a total of $650,000 for mitigation bypass submissions since 2013. Another $110,000 went last year to flaws reported in the Edge technical preview.
“The average payout for Europe-based researchers is $6,000, including a $100,000 bounty recently awarded to researchers based in Germany,” said Betz.
Coltuneac is industrious when it comes to finding a pay day. Along with looking at companies directly, he also uses HackerOne and Bugcrowd, platforms that help organizations set up bug bounty programs. Some of the top researchers working on the two platforms are based in Eastern Europe, according to Kymberlee Price, Bugcrowd’s Senior Director of Researcher Operations. This is ironic in some ways, because they are helping to improve websites for products that they often can’t afford to use themselves, such as Tesla Motors’ website.
Eastern European countries, Romania included, have some of the highest average reputation scores for hackers in Europe, calculated based on submissions to HackerOne, according to co-founder Michiel Prins. “We have well over 200 hackers from Eastern Europe who have earned bounties, some are even in the top 50,” he told WIRED. HackerOne customers have to date fixed over 20,000 security vulnerabilities and paid 2,500 researchers over $6.5 million for their contributions, according to Prins.
With bug bounty programs, companies across all industries have started offering money instead of T-shirts, USB sticks or plain ignorance when a white hat hacker finds a flaw in their products. This is wonderful news for everyone, as WIRED has explained, as it incentivizes better security and helps keep talented hackers from going over to the dark side. But more specifically, for Alex Coltuneac and Eastern European security enthusiasts who formerly had only nefarious hacking opportunities in their native lands, this is great news. More bug bounty opportunities mean more cash and more sleepless nights. And no reason to consider criminal hacking.
It’s 7 a.m. in Cluj-Napoca and Coltuneac is sipping his coffee. He’s ready to go to class. “Bug hunting is awesome, but school comes first.”