Congratulations, Cosmin! The world’s seventh million-dollar bug bounty hacker
The entire HackerOne team is beyond excited that the ranks of seven-figure-earning hackers have risen to eight this month.
Cosmin (@inhibitor181) is the seventh to join this talented group of hackers, proving to the world that the concept of hacking as a viable career has become a reality. Not only are more hackers earning most or all of their income from hacking, but they’re also making a good living doing it. Besides the eight hackers passing the $1 million earnings milestone, twelve more hit $500,000 in lifetime earnings and 146 earned $100,000, up from 50 last year. That puts a hacking career well above today’s global average IT salary of $89,732. Read more in The 2020 Hacker Report, launched today!
We sat down with Cosmin to learn how he got started, what contributed to his success, and his views on the industry’s present and future. Congratulations, Cosmin!
Q: Tell us a little about yourself! What’s your handle? Where are you from/living?
A: Hey! My name is Cosmin and my hacker handle is inhibitor181. I am 30 years old, I was born and raised in Romania, Bucharest and have been living with my wife and 2 dogs in Germany for the past 6 years.
Q: How did you first get into hacking?
A: Totally by accident; it’s kind of a funny story. While working as a dev, we were allowed to pick for our future development an event or course. I, with a few colleagues, picked a practical hacking seminar in Hamburg and there I found out about the existence of bug bounty platforms. Quickly enough, I have made an account, was miserable at first, but slowly, slowly gained more experience and now I have been doing it full-time for almost 2 years.
Q: What does an average day look like for you?
A: I usually work while my wife works and she has a different schedule. Let’s say I wake up, have breakfast, start hacking, I take my dogs out for a nice break and then I come back to continue hacking if I am still in the mood. If I am not in the mood or tired, I do something else, usually end up playing rocket league with some friends.
Q: What motivates you to hack?
A: There are quite a few factors here and the combination is what it’s important for me:
The steep learning curve and never-ending process of learning
The financial winnings
The live events (I have a very competitive nature)
In the end, I really love spending my time hacking and I enjoy trying to break other people’s work to make it better for the future for everybody
Q: Do you have a favorite industry/company you concentrate on?
A: Yes, I have a favorite program, a private one that usually eats about 70-80% of my time. Basically, if I am not going to a live hacking event I usually hack there. I really like very deep apps where you can learn from failures and from everything you do or read. When the pieces of the puzzle start coming together it’s very enjoyable and fulfilling.
Q: What’s been your biggest win in bug bounty to date?
A: My favorite program had a 4x promo for criticals for just 24 hours with another 48 hours notice beforehand and I was in the middle of a breakthrough and research I was already doing for the last week. It was very lucky and I had managed to get 3 criticals in, gaining 3 x $28k
Q: Which project has presented you with your greatest challenge so far?
A: Very hard to say as each project is unique, has its own specific challenges and it’s shifting very often. I have various projects that I cannot make myself stick to, start or finish them. So with the risk of sounding extremely broad, those are the ones that are the most challenging, the ones that you cannot even start.
Q: In your opinion, which industry is a particularly interesting target for hackers and why?
A: Industries that handle PII and financial institutions. In my opinion, those 2 are the critical parts in the online industry that has to be as secure as possible.
Q: What do you spend your bounty money on?
A: This is my daily job, we spend it on everything we want. We do not have any exquisite hobbies or anything that eats a big chunk of the money we have
Q: What do you think is the biggest online risk facing businesses and ordinary people?
A: In my opinion identity theft is the biggest risk. Almost there is also the risk of losing your life savings or money. When one of those things happens, in order to “fix it”, if possible, you will need to spend incredible amounts of energy and time that will definitely affect you financially, mentally and physically.
Q: Do you think businesses are becoming more open to hacker-powered security?
A: Definitely, businesses both big and small seem to be a lot more open to hacker-powered security and start seeing its advantages. They are also more willing to invest more time and money into them in order to attract more experienced hackers and gain the maximum from it.
Q: What advice would you give to aspiring ethical hackers?
A: First, to realize that this takes time, it’s an incredibly steep learning curve! Then, be prepared to invest time into it. If you have those 2 in mind and you go down this path, you will definitely succeed. Read the documentation, learn to write your own tools, read security articles, invest time also in research, learn to write your reports and always approach your target tactically and with the strategy that fits you well. Also, it’s very important to realize that you and your mindset are unique, so don’t follow what X or Y says. Try to grab from everybody little bits, analyze them and then integrate them in your workflow only if it suits you.
The 7th Annual Hacker-Powered Security Report