Shortly after Christmas, 2011, Ruby Nealon sold the Nintendo Wii games console his mother had bought him so he could fund an Open University course.
He was 11 and it was the start of his unconventional education as a computer prodigy, which led him to drop out of school and start a full-time degree at 14.
Two years later, in 2016, when Nealon was just 16 and in the second year of his computer science degree, he made international news for hacking into a gaming platform.
The incident caught the attention of the cyber security world and he was soon approached by the chief executive of a US company called HackerOne, which specialises in breaking into the computer systems of major firms including Uber, Facebook, Google, Dyson, Microsoft and MasterCard.
It does this through “bug bounty” programmes, where companies invite hackers to attack them to find critical problems in their software in return for a reward.
“The problems can vary from small to large issues: the key thing is that regardless of the impact they would have, they’re caught before they can be used maliciously,” says Jack Whitton, a security researcher at Facebook and former bounty hunter.
Nealon is one of 100,000 hackers in HackerOne’s network of self-employed security experts, the youngest of whom is 10 years old.
They are paid monetary rewards of anything from a few hundred to tens of thousands of dollars, depending on the severity of their findings.
Within months of joining HackerOne, Nealon had been paid $50,000. One of his biggest payouts was $13,000 from Airbnb, which he earnt in a day for finding multiple bugs that could have let a cyber criminal take over someone else’s account, charge their bookings to other businesses, and set up an account as an underage person.
“This is just in my spare time,” he says. “I don’t consider bug bounties work. Most of the hacking I do is a bit of a game. I see the money as an added bonus.”
Marten Mickos, chief executive of HackerOne, says, “The hackers we work with are young, skilled, and for them the internet is reality.” He adds that they can think creatively and spot problems traditional security professionals might miss.
“Even the Department of Defense and the Pentagon [both HackerOne customers], some of the strongest organisations with the most powerful weapons, cannot see their own flaws,” says Mickos. “You’ll always need the objective outside view, because most people are blind to their own typos.”
“We’re basically trying to clean up the internet and save people’s data,” says Sean Roesner, another HackerOne bounty hunter.
“It’s a crazy world out there and I’ve seen some serious vulnerabilities that I couldn’t believe existed. You wonder what else is out there – but not everyone has a bug bounty so you can’t test them.”
Roesner recently discovered a set of problems in a number of firms’ computers that could have let cyber criminals steal the personal information of hundreds of millions of people.
“I could have taken up to 282 million people’s details including their emails, date of birth, names, some phone numbers and passwords. Because I got to it first and the companies fixed the problems, I saved people’s data