Tech News Hacker Conversations: Youssef Sammouda, Bug Bounty Hunter

BryanB

Youssef Sammouda is a Tunisian security researcher who focuses on bug bounty programs. He describes himself as, “Vulnerability researcher with an attraction to web applications and the security vulnerabilities that affect them.” He achieved first place in Facebook’s whitehat program in 2021, 2020 and 2019. SecurityWeek talked to Sammouda about using cybersecurity research and bug bounties as a way of life and source of income.

The making of a bug bounty hunter

“For the last five years,” he said (that is, starting in his mid-to-late teens), “I have focused on performing vulnerability assessments on some of the world’s biggest companies, mainly Meta and Google, and entering hacking competitions. I also currently work as a security consultant to start-up companies.”

This journey started early in his life. He began programming when he was twelve years old – but with no employment available for someone not yet in his teens, “I followed a path of general hacking and penetration testing. It wasn’t easy to do this legally. There wasn’t the same attitude toward whitehat research as there is today.” And there were no bug bounty programs to formalize the legality.

Legal pressures are something all researchers must consider. While most accept that conditions have improved, problems still exist today. As an example, in October 2021, a journalist with the Post-Dispatch discovered that teachers’ Social Security numbers were embedded in plain text in the HTML source code of a Missouri state website. The journalist took the responsible route. He verified that a few of the numbers he found were genuine SSNs, and then alerted the state authorities. But rather than a reward, as would happen in a bug bounty program, the state governor ordered an investigation by state troopers with a view to considering criminal charges (for hacking) against the journalist.
 
