The Pak Banker

Ethical hackers taking bugs to the bank


These days, when an unexpected email turns up offering lots of cash, most people just assume it is a scam and delete it. But Mark Litchfield opened one such message and it led him on a journey that, so far, has netted him about $1.5m (£1.15m) - all of it legitimate.

The email was from onetime web giant Yahoo, now owned by Verizon Media, and offered Mr Litchfield several thousand dollars as a reward for finding a bug in its website code. The email was a surprise because he had pretty much forgotten about finding the bug. "I submitted a bug to Yahoo and thought that was the end of it," he told BBC News. "And then I got this email saying, 'Hey, we've got some money for you. Do you want it?'"

"That's when I realised that there was money to be made in this." Yahoo, like a growing number of large companies, pays up when people find loopholes in its web code that could be exploited by malicious hackers. Through bitter experience, Yahoo has learned what happens when bugs are missed. In 2013 and 2014, it suffered two massive breaches. Data on more than one billion users went astray. It stepped up its bug-hunting efforts in the wake of those breaches - which is where Mr Litchfield and others like him come in. Those ethical hackers sign up with companies such as HackerOne, Bugcrowd, Synack and others that run bug bounty programmes on behalf of companies.

And, according to Mr Litchfield, anyone can do it. "I can't code - at all," he said. "Yet I've managed to be extremely successful, so literally anyone could do this." Well, maybe.

Mr Litchfield may not code, but he has other technical skills. He turned to bug hunting after years of working in the security industry, where he became an expert on the protocols that govern how computers swap data. Finding bugs in the way data is transported has netted him the bumper payouts.

For anyone looking to blaze a similar million-dollar trail, or even just start a career in cyber-security, knowing that Mr Litchfield has decades of experience to call on can be disheartening. It was a feeling familiar to anyone looking to break into the security industry, said James Lyne, head of research at the SANS Institute. The gap between the experts and the beginners could seem too vast to cross, he said.

For a long time, it had been only those lucky enough to discover a real affinity for cyber-security work, who persevered and would hunt for bugs even if they were not getting paid to do it, who found a place in the industry, he said. That was Mr Lyne's experience and is one common among the pros, many of whom have an "origin" story of how they accidentally, or with the help of a mentor, made it.

"I was one of the people that lucked out and learned in the industry," he said.

There was a growing need for that haphazard selection process to change, said Mr Lyne, given the massive skill shortage in the cyber-security industry.
