
Hacker Conversations: Professional Hacker Douglas Day

Day became a professional hacker by choice. But that doesn’t mean he isn’t a natural hacker. The post Hacker Conversations: Professional Hacker Douglas Day appeared first on SecurityWeek.

Douglas Day

Douglas Day is a member of the Hacker Advisory Board at HackerOne and a full-time professional hacker. His membership of the Hacker Advisory Board is voluntary and unpaid, but more than 95% of his income comes from bug bounty hacking. The rest comes from the occasional contracted pen testing and red teaming.

“I didn’t always consider myself a professional hacker, but I have always been a hacker. Now I’m both a hacker and a professional hacker.”

So, what is a hacker?

While Day is a computer hacker, he knows this is a specific species of a wider genus. “My definition of a hacker is somebody who uses a system in a way that was not intended by its designers. Most of the time, when people talk about hacking, they mean computer hacking. In this case, a hacker is a person who uses a computer application or website in a way that it was never intended to be used.”

But he stresses, you don’t need to hack computers to be a hacker. “You can also be a hacker in the wider sense. Somebody who opens a lock with a pencil is hacking both the lock and the pencil.” The pencil was never designed to open a lock, and the lock was never designed to be opened by a pencil. The same applies to a broken table. “If you’ve ever jury-rigged a broken table by bolting on an extension to the leg, you’re hacking the table and the extension.” These concepts map easily to computer hacking. The lock is a malfunctioning system, preventing its legitimate users from doing what they need to do. The pencil is a hacking tool. The broken table is also a malfunctioning system, and the extension is a hack designed to fix it.

Douglas Day is purely a computer hacker.

Becoming this hacker

“I was late to the game,” says Day. “I would love to say I was one of those geeky kids, obsessed with computers and taking them apart before I was 10. But I wasn’t. I just used the family computer to play games.” Nothing much happened: no geekiness or drive to understand technology before grade 11 at school.

“Then I took a micro-electronics class and got my first hands-on experience with some serious robotics. We got to build a solar panel car, and I built an electronic mouse trap. That was my first foray into technology geekiness, and it was fun and cool.” But he still wasn’t a hacker and had no thought of becoming a hacker.

At this stage he knew he wanted to be an engineer but didn’t know what sort of engineer. He chose computer science when he went to university simply because he had attended a basic programming class at the same time he was introduced to engineering. When the time came to decide, he chose computer science because, “At that point, I had more experience in building programs than I had in building bridges.”

It wasn’t until he was at university, around 2010, that he learned cybersecurity existed, and he began to be curious, even though the university had no cybersecurity course. He checked out a couple of SANS courses. “They were out of my budget, but I found a software development internship where one of the projects was security development. That’s where I really understood that cybersecurity was an interesting field – there was a sort of cat and mouse intrigue to it.” 

But even into his early career, there was no plan to focus on security. He graduated university with a computer science degree, got a first entry level software job, and still had no idea that he would go into security, never mind become a computer hacker. “I just wanted to be an engineer.” It wasn’t until 2016 that he got his first security-related job, and another three years before he started his hacking career.

“I was working on the application security team at New Relic. Previous work had mostly been in vulnerability management, so I still didn’t understand hacking. But part of my job was working with our bug bounty program, where we were paying good money for researchers to find bugs on our platform. I was astonished at how simple and elementary the bugs were – on enterprise level software that customers were paying six or seven figures to use.”

He thought it couldn’t be this easy to find bugs in software that employed a 15-strong security team and hundreds of really smart software developers. “So after several months of just watching us pay these hackers to hack us, and seeing how much money they were making (this was around the time I wanted to buy my first house and start a family with my wife), I thought, Okay, well, what if I try to do this on the side, and maybe make enough to supplement the down payment on our home?”

He created an account on HackerOne in October 2018, and only two months later he got his first bounty. “It was only $200, so it wasn’t mind shattering – but this was the first time in my life that I had independently, that is, outside of an employer, made a single dollar, and it was just through hacking.” A couple of weeks later, he got a second bounty, and then another. He decided this would not merely help with his down payment but could become a serious supplement to the family income. He set a target of earning at least an additional $20,000 by hacking in the evenings and at weekends, but by the end of 2019 – when they purchased the house – he had made an additional $92,000 just from HackerOne.

As the family grew, it became difficult to choose between spending spare time with family or hacking for more money. By this time, he was earning good money with HackerOne and had established a solid track record just hacking as a side hustle from his day job. “I just knew I needed to make the switch and do this full time. On July 5, 2024, I became a full time hacker, and things simply haven’t slowed down.”

Motivation

Day’s route into hackerdom is hardly conventional. The standard route is from a computer-fixated young child, through game playing into game hacking; mixing with and learning additional skills from other hackers on internet forums; and playing kudos-seeking pranks on school pals. Then comes the fork in the road for these precocious youngsters: some turn left into the sinister (malicious) realm while the majority take the righteous path into ethical hacking and gainful employment. They are driven by an irresistible and insatiable curiosity to understand how things work; and this can only be achieved by taking those things apart. Many times the curiosity continues: ‘Can I make it do something else, or perhaps the same thing but better, if I reassemble it differently?’ This is not a choice, but a psychological drive, often assisted in both cause and practice by a degree of neurodivergence.

This is not Douglas Day. His destination was not a psychological necessity, but a rational career choice. He didn’t start out as a precocious childhood geek. He chose computer science for his university degree, but largely because he took a basic programming course at school. He became interested in cybersecurity but was not driven toward it. And in the end, he chose to be a hacker not out of psychological necessity, but to better provide for his family.

“It was kicked off by my desire to buy a house for my family and it just kind of cascaded from there in ways I didn’t expect – it kind of went meteoric. I expected to just have some supplemental side cash and did not expect it to be enough to sustain myself and my family. I guess I took a boring path to full time hacking, because it took five years for me to make that jump – and it was only after feeling very, very confident that I would be able to do it full time that I actually pulled the trigger.”

This family-driven motivation and his religious beliefs (he describes himself as ‘a person of faith’) mean he has never been tempted to sell a vulnerability for a higher price on the dark web. “Most of the people I know who do bug bounties are just normal people who want to live normal lives without the risk of incarceration. Sure, I could probably sell things on the black market, but the risk of putting myself in legal jeopardy, which would, in turn, put my family in jeopardy, is just not a risk I would consider. I’m just not that guy.”

But he does understand why some bug bounty hunters could give it serious thought – bounty hunters are generally underpaid for the value of the service they provide. He has never been tempted to sell a vulnerability on the black market but has occasionally been left frustrated. 

“For example, if I’ve got a bug that would cause $7M in damage, and I’m being paid $2K for it, I would never be tempted to do something shady with it. But knowing the discrepancy in how much I’m being paid versus what it’s worth has made me jaded and frustrated at times. Like maybe I should just go and be a security engineer again – or maybe I need to do something else entirely and open a bagel shop.”

The contradiction that is Douglas Day

Day became a professional hacker by choice. But that doesn’t mean he isn’t a natural hacker. When he describes the enjoyment and process of looking for bugs, it is little different to the experience of other computer hackers.

“The reason I really enjoy hacking is not simple curiosity, but because of the adrenaline rush or endorphin rush when I find a bug and find a way to outthink the developers. It’s a bit of cat and mouse, where I’m the cat and the system is the mouse. There’s a real high in realizing you probably have it. And then you just need to figure out a few more details, until you finally get confirmation that your bug works. There’s a huge internal payoff just knowing that you were able to outsmart this large organization with dozens and dozens of developers and heaps and heaps of money, just by yourself.”

His bug-finding process is also like the work of other computer hackers: disassembly followed by reassembly leading to unintended consequences. “Disassembly is just breaking the pieces down and understanding how they fit together and how they work together. What does this webpage do? What does this function do? What does this piece of the application do? It’s like opening the hood on a car to see how the different parts of the engine connect and work together.”

Then comes the reassembly part. “Instead of going through the prescribed workflow and pressing this button after hitting that switch, what if I reverse the process? What would happen then? What would happen if I change some of the data that feeds the engine, and how could I do that? About 99% of the time I spend hacking a computer is this reassembly stage, reassembling something in a way that will achieve an action or outcome that was never intended by the developers.”

But despite this natural affinity with hacking, he chose the profession rather than being chosen by it. This raises a question: is hacking a natural human inclination present in everyone? Do we all have a desire to strip things down to see how they work, and then create better things from our understanding? Isn’t that the very nature of science and progress? The only difference between us is the intensity (the extent to which we are driven by our psychology) and focus (the subjects we choose to hack).

Summary

It’s the element of rational choice to be a hacker that sets Day apart from most other hackers. He was not driven to computer hacking through a psychological necessity – an irresistible itch that could only be scratched by taking things apart and reassembling them – but by a desire to make life better for himself and his family. That is why most of us work, but only a few of us find a career that is truly satisfying, rewarding and legal.

What Douglas Day demonstrates is that bug bounty programs can be a profession of choice, rather than simply a safe, ethical refuge for natural born hackers who have little choice but to hack. As he said: “I didn’t always consider myself a professional hacker, but I have always been a hacker. Now I’m both a hacker and a professional hacker.”

Related: Hacker Conversations: McKenzie Wark, Author of A Hacker Manifesto

Related: Hacker Conversations: Tom Anthony and Scratching an Itch Without Doing Harm

Related: Hacker Conversations: Inside the Mind of Daniel Kelley, ex-Blackhat

Related: Hacker Conversations: Cris Thomas (AKA Space Rogue) From Lopht Heavy Industries
