He is the seventh to do so on the HackerOne platform.
The ranks of seven-figure-earning hackers on the HackerOne bug bounty platform have risen to eight in February.
Cosmin (@inhibitor181) is the seventh to join this talented group of hackers, proving that ethical hacking can be a viable career.
Besides the eight hackers passing the US$1 million earnings milestone, 12 more hit US$500,000 in lifetime earnings and 146 earned US$100,000, up from 50 last year. That puts a hacking career well above today’s global average IT salary of US$89,732.
Cosmin shares his story with HackerOne here.
Q: Tell us a little about yourself! What’s your handle? Where are you from/living?
Hey! My name is Cosmin and my hacker handle is inhibitor181. I am 30 years old, I was born and raised in Romania, Bucharest and have been living with my wife and two dogs in Germany for the past 6 years.
Q: How did you first get into hacking?
Totally by accident; it’s kind of a funny story. While working as a dev, we were allowed to pick for our future development an event or course. I, with a few colleagues, picked a practical hacking seminar in Hamburg and there I found out about the existence of bug bounty platforms. Quickly enough, I created an account, was miserable at first, but slowly gained more experience and now I have been doing it full-time for almost two years.
Q: What does an average day look like for you?
I usually work while my wife works, and she has a different schedule. Let’s say I wake up, have breakfast, start hacking, I take my dogs out for a nice break and then I come back to continue hacking if I am still in the mood. If I am not in the mood or tired, I do something else, usually ending up playing Rocket League with some friends.
Q: What motivates you to hack?
There are quite a few factors here and the combination is what is important for me:
- The steep learning curve and never-ending process of learning
- The financial winnings
- The ‘live’ events (I have a very competitive nature)
- In the end, I really love spending my time hacking and I enjoy trying to break other people’s work to make it better for the future for everybody
Q: Do you have a favourite industry/company you concentrate on?
Yes, I have a favourite program, a private one that usually eats about 70-80% of my time. Basically, if I am not going to a ‘live’ hacking event I usually hack there. I really like very deep apps where you can learn from failures and from everything you do or read. When the pieces of the puzzle start coming together it’s very enjoyable and fulfilling.
Q: What’s been your biggest win in bug bounty to date?
My favorite program had a 4x promo for criticals for just 24 hours with another 48 hours’ notice beforehand and I was in the middle of a breakthrough and research I was already doing for the last week. I was very lucky and I managed to get three criticals in, gaining 3 x US$28k.
Q: Which project has presented you with your greatest challenge so far?
Very hard to say as each project is unique, has its own specific challenges and it’s shifting very often. I have various projects that I cannot make myself stick to, start or finish them. So with the risk of sounding extremely broad, those are the ones that are the most challenging, the ones that you cannot even start.
Q: In your opinion, which industry is a particularly interesting target for hackers and why?
Industries that handle Personally Identifiable Information and financial institutions. In my opinion, those two are the critical parts in the online industry that have to be as secure as possible.
Q: What do you spend your bounty money on?
This is my daily job, we spend it on everything we want. We do not have any exquisite hobbies or anything that eats a big chunk of the money we have.
Q: What do you think is the biggest online risk facing businesses and ordinary people?
In my opinion identity theft is the biggest risk. There is also the risk of losing your life savings or money. When one of those things happens, in order to “fix it”, if possible, you will need to spend incredible amounts of energy and time that will definitely affect you financially, mentally and physically.
Q: Do you think businesses are becoming more open to hacker-powered security?
Definitely, businesses both big and small seem to be a lot more open to hacker-powered security and are starting to see its advantages. They are also more willing to invest more time and money into them in order to attract more experienced hackers and gain the maximum from it.
Q: What advice would you give to aspiring ethical hackers?
First, to realize that this takes time, it’s an incredibly steep learning curve! Then, be prepared to invest time into it. If you have those two in mind and you go down this path, you will definitely succeed. Read the documentation, learn to write your own tools, read security articles, invest time also in research, learn to write your reports and always approach your target tactically and with the strategy that fits you well. Also, it’s very important to realize that you and your mindset are unique, so don’t follow what X or Y says. Try to grab from everybody little bits, analyze them and then integrate them in your workflow only if it suits you.