In the hacker world, Behrouz (“Ben”) Sadeghipour, a 24-year-old junior at Sacramento State, is one of the good guys – a “white hat”.
Working from his downtown apartment, he spends at least 20 hours a week hunched over a computer looking for bugs that could dismantle a computer system. His research protects data from “black hats,” hackers who try to break into computers and steal data from businesses and individuals.
And for that job, he earns “bug bounties” – money or prizes paid by companies who want to spot security holes before bad guys can exploit them.
Sadeghipour juggles school and his paid intern work at Bugcrowd Inc., a San Francisco-based IT security company that acts as a marketplace for businesses that want white hats to test their computer systems.
Currently, Sadeghipour says he has an 80 percent accuracy rate in finding security vulnerabilities in a company’s software. His reputation has led to invitations to hacking conferences about being a white hat bug bounty hunter.
The CSUS computer science major grew up in Orangevale, graduated from Bella Vista High School and attended Los Rios Community College before enrolling at Sacramento State. He recently told The Bee about his white hat job:
Question: How did you start working as a white hat?
A: I’ve learned that there are companies – like Google, Microsoft, Yahoo, and PayPal – that hire hackers and give them prizes for finding weaknesses in their systems. They say, “We’ll give you a prize if you tell us how you did it and don’t steal our data.” Some go through third-party companies like Bugcrowd who publish programs that need to be tested on their websites. Sites like Bugcrowd have an online page that ranks bounty hunters by percentage of accuracy. Today I have an 80% accuracy rate.
Question: How did that turn into a job at Bugcrowd?
A: In February, I started to work as a freelancer. I have found a lot of bugs, and companies have been impressed with them. I started talking to Jonathan Cran, the vice president of operations at Bugcrowd, on Twitter. Then I met Cran and other senior executives at two white hat conferences in Las Vegas. In July, they offered me an internship and I started in September. When I graduate I would like to work at Bugcrowd or some other company, something in the security field.
Question: How much money did you make as a freelance hacker?
A: I made $20,000 from 20 to 30 reports (between February and September of this year). I have had over 100 reports, but some companies that work through Bugcrowd and other intermediary sites only give T-shirts or free services. GitHub – a coding website – for example gave me a few hundred dollars and a package with mugs, T-shirts and a subscription to their services for finding a loophole in their system.
Question: If white hats are paid only modestly, are they in it for sport?
A: Some are there for recognition. Bugcrowd, and other similar organizations, have a dedicated bonus page. Some rank bounty hunters on a leaderboard and others list each person’s success percentage. You get your name there and job postings. Some do it strictly for the money. White hats can earn $70,000 to $80,000, with the wages of their (regular) job.
Question: How did your interest in computers and hacking come about?
A: When I was a little boy, my mom’s way of disciplining me was not to let me go on the computer when I wanted to. She would put a password on the computer, and I would just sit there until I cracked it. I started reading hacking articles online. I learned the code and practiced by hacking my own code. I made money helping anyone who needed to do something on a computer.
Question: What made you decide to become a white hat hacker?
A: When I was 18, I decided to stop working on computers. My family kept telling me that hacking is illegal. I didn’t want to be in trouble. I quit hacking for three years until I heard about bug bounties. Then I found out that there were white hats and black hats. Black hats steal data. The white hats choose to be researchers. It depends on whether you want to make more money the wrong way or make less money the right way.
Question: Why should students work like white hats?
A: It offers hands-on experience of what you learn in school. School offers theory, and it’s up to you to put it into practice. Doing bug bounties helped me navigate my classes. I’m taking information security classes next semester and looking at my schedule and it seems too easy. I learned more in the nine months I was involved with bug bounties than in all my previous years in school.
Question: How do you deal with school and white hat work?
A: I work from home (for Bugcrowd) 20 hours a week. At first I drove to San Francisco every Friday. Now if we can Skype, we do; otherwise, I enter.
Question: What is your proudest achievement?
A: I was reading someone’s findings online and I was like, ‘I want to be that guy. I want to be in the top 10 on Yahoo.’ Within months, I made this happen. The second thing is that my family is proud of me. If you Google my name, you see a lot of articles about me. I get a lot of recognition.
This story was originally published December 27, 2014 4:00 p.m.