The winner of the Air Force's latest bug-bounty contest says government security gets tighter every time the service invites the public to help.
Jack Cable is 17 years old. With a thin build and large, square glasses, he looks like any unassuming high school senior from the Chicago suburbs. Except he’s a military-grade hacker.
Cable recently finished first in Hack the Air Force, a Pentagon-sponsored bug bounty program that recruited ethical hackers to find security holes within Air Force networks. In total, the service paid out $130,000 for 207 vulnerabilities hackers uncovered in the competition. Cable himself found more than 30 of those, including one faulty admin panel that could have been exploited to upload files and modify content on a military website.
Cable is ranked 73rd overall among members of HackerOne, a worldwide community of thousands of hackers that organizes bug bounties in the public and private sectors. His success in Hack the Air Force helped him rise to fifth in the group's third-quarter rankings.
The bug bounty program comes at a time when the government finds itself struggling to attract top talent like Cable to cybersecurity positions. Last week, the General Services Administration announced it will host its first-ever tech and cyber recruiting event in November, where federal agencies will be able to offer jobs to qualified candidates on the spot.
Nextgov sat down with Cable to ask him about his beginnings, bug bounties and plans after graduation:
Nextgov: So how did you first get involved with bug bounties?
Jack Cable: I started out hacking about two years ago when I accidentally stumbled across a way to get an infinite amount of money on a financial site. I was able to send negative amounts of money to other users, and that would put their money into my account. I reported it to that company and they ran a bug bounty program, so I got into it from there. It was a Bitcoin site called ChangeTip; I think they've since shut down. I eventually found HackerOne and U.S. government bug bounties. I'd been programming for about five years [at that point].
Nextgov: What keeps you coming back to these competitions?
Cable: I really like the challenge that comes with bug bounties. It’s always fun to be able to find something you shouldn’t be able to do — also the acknowledgement from the companies to say that you’ve found vulnerabilities and that had a big impact. I’ve met some really cool people along the way.
Nextgov: Which groups have you participated in bug bounties for?
Cable: I’ve done three of [HackerOne’s] private U.S.-government bug bounties, with the Pentagon, the Army and the Air Force. Outside of that I’ve worked with Uber, Yahoo, Salesforce, and a few others.
Nextgov: Why do you choose to report the vulnerabilities you find instead of taking advantage of them?
Cable: There are a few reasons, I think. First of all, obviously, it’s really risky to try to exploit them. You could go to jail, which is pretty bad. Also it’s just really the ethical way. You can feel good about [hacking]. The company’s glad that you’re doing it and they want you to keep hacking with them. Instead of being punished by them, they want to meet you, they want to help you find as much stuff as you can on their websites.
Nextgov: What is it like to be a military-grade hacker and still be in high school?
Cable: I’d say that it’s not that different. I wouldn’t say that’s anything truly exceptional. It’s just that I’ve participated in programs run by the military and happened to do well in them. I’m taking a normal load of classes [including] two math classes at Northwestern [University]. I’m applying for colleges and I’m interested in going in for math or computer science. I’m looking at Stanford and a lot of East Coast schools like Harvard, MIT and Princeton. Also the University of Chicago.
Nextgov: How do you see yourself and bug bounties fitting into government cybersecurity strategy?
Cable: What the government has recently been doing with bug bounties shows that they’re starting to become much more proactive with their security. By holding these bug bounty programs, they’re able to ensure their sites are much more secure and make sure no hackers can easily get into them. Having hundreds of different people looking at your website allows people to try tons of different ways versus a cybersecurity firm that might only apply a few different methods of trying to find vulnerabilities.
Nextgov: How do you view government cybersecurity after participating in these bug bounties?
Cable: With each program there’s been a significant increase in the security of the websites. Hundreds of the top hackers have tried to get in and they’ve reported everything they’ve found. In that aspect, [the websites are] much more secure. Regardless of how secure a website is, it’s going to have vulnerabilities. That’s why running a bug bounty program is really helpful to weed out vulnerabilities that might not be as easily found.
Nextgov: What are your long term plans after high school and college?
Cable: Right now I’m just sort of exploring different areas. Government could be something interesting. [The Defense Digital Service] might be something interesting to work for temporarily, just to get some experience on a different side of things. It’s only two years so you’re not committing to anything long-term, you’re just working for a set period of time on something cool.