Subtitles section Play video Print subtitles This is a classic Nissan Skyline. It might look like just another car, but owning one of these makes you an instant star among car enthusiasts. And this guy's so rich, he owns two of them. He affords these luxuries not by toiling away at a nine to five job like the rest of us, but by breaking into websites and getting paid for it. My name is Tommy DeVoss and I'm a hacker. The businesses Tommy hacks are headquartered in cities like New York and San Francisco. But Tommy works out of suburban Virginia and when I went to go see him over the summer, he was crashing at his mom's place. Her kitchen doubled as his office. Most of the time, if I tell somebody I'm a hacker, the first thing they say is either, "really" or "no you're not because real hackers don't admit that they're hackers." Do people think that you do it for bad reasons? Yeah, people like ask me, "hey, I think my boyfriend's cheating on me, can you help me break into his phone so I can find out?" But Tommy's not gonna break into your boyfriend's phone because all the hacking he does is legitimate. In arrangements called Bug Bounty Programs, companies like Verizon and General Motors, pay him to look for security holes in their systems, so they can fix them before the bad guys get in. When you find one of the ones that you know is gonna be like five or $10,000 payout, it's just, you can feel your heart racing faster and it's just like doing drugs. I don't want to go too into detail on... In comparison with that, it's just, you get that same sorta rush. For some time now, tech companies have employed legitimate hackers to test their systems. But over the last decade or so, bug bounty hunting has become much more organized, thanks to the merchants of websites that match freelance hackers with businesses. The prize money has now gotten big enough to make this an actual career. What's the most money you've made on a bug? A single report is $20,000. What about in a single day? A single day, $160,000 in October of last year and I think that only took three or four hours worth of actually working. So if you were to average it out, how many hours a week would you say you work? Five to ten. Five to ten hours a week? And how much money have you earned over the last year? This year? $636,000. What do you think is the thing that makes you so good at it? Just the fact that I've been doing it for so long. I thought Tommy was gonna be something like a lawyer or a doctor. Tommy was very, very smart. And he was so much ahead of everybody else in the class. In our classes, you could play on the computers when you finished all your work. I'd finish my work in 10 minutes and then just go play on the computer. It didn't take long for Tommy to fall in love with the Internet, and one day he stumbled into a chatroom where people talked about their illegal hacks. They taught him their tricks and he started hacking for fun. The first time he got caught was when he was in highschool. He was expelled, spent a few weeks in juvenile detention and was ordered to stay away from computers. But he didn't listen. We got into NASA computers, the US Courts, Department of Energy, anybody that had huge budgets that shoulda had secure systems but didn't. And he was caught, once again, but this time, as an adult. Most of these right here, I got in prison. I got prison bars there, razor wire, a guard tower. I've got the word hacker on my stomach and then VA. In federal prison, everything's geographical and I was from Virginia, so. Tommy served a total of about four years behind bars. The judge told me, if I get arrested for computers again and come to his court, he was gonna give me life in prison. And in 2010, right before his 27th birthday, he got out for good. For a long time, the only jobs Tommy could get was cooks, working in restaurants, that was about it. Nobody would hire him because he was a convicted felon. But by 2016, a few Bug Bounty programs were up and running and Tommy gave it a try. He explained it to his mom like this, I get to hack again. People were gonna pay me instead of sending me to prison. She didn't believe me. She was like, "are you sure you're not gonna get in trouble?" He's been in trouble three times for this and how am I supposed to know that he might not be tempted to do something again? For most people, bug bounty hunting is still more of a side gig than their primary source of income. You get paid only when you're the first to report a bug and even those payouts don't amount to very much. On one platform, called HackerOne, the vast majority have earned less than $10,000 over time. But if you're really good, you can make a lot more. Out of HackerOne's 5000 contributors, Tommy's among just six people who've earned more than a million dollars. So this is where all your money goes? Yeah. My insurance appraised it at $89,000. You know your mom told me not to do this. Oh God! Oh my God! The way this car vibrates, it does not feel safe to me. It's not vibrating. Tom still gets the occasional speeding ticket. Oh God. But when it comes to computers, he says he'll never cross the line again. Can I have a hug? The prospect of spending the rest of my life away from my daughter, there's nothing that can make that risk worth it. You're gonna drive with daddy, okay? She's now the most important thing in the world instead of me. You gotta push the button to start it. Ready? Turn it this way. I wanted her to be a hacker but her mom wants her to be a dancer. There you go. I just think it'd be fun for me and her to hack together. Turn it this way a little bit. No the other way, don't run into daddy's car. Please don't hit daddy's car. Please don't hit daddy's car. There you go. Good job! She'll get anything in the world she wants. Pound it! Pound it. It's gonna really end up costing me a lot more, so I kinda have to hack a lot more I think as she gets older. As more and more of the world moves online, cyber attacks are only gonna grow in frequency and sophistication in the havoc that they'll wreak on our lives. And that means were gonna need a lot more of the good kind of hackers testing our systems to make sure we're safe.