I am a white-hat "cybersecurity analyst" (bug bounty hunter) trying to get more people involved in cybersecurity. Ask me anything.

How much money have you personally made doing this?

I've made over $15,000 from various bug bounty programs.

On average how easy (or difficult) is it generally to find exploits in companies etc?

It usually depends on the company, their tech stack, and how many bug bounty hunters research it. It's sometimes super simple to find exploits in a company (under 3 hours) and sometimes it can be extremely hard. Usually, bug bounties that have hard scopes will pay more for an attack than companies with easier scopes. However, if you're trying to get started, I'd recommend looking at easier scopes first and then moving into harder scopes.

What will it take to get people to care about the phones and apps they're using blindly? It's pretty bad

This is a major issue in the cybersecurity field, which can provide vectors for serious attacks. The solution many people have decided to work with is securing their app as much as possible from the other malicious apps rather than assume the user won't install anything bad. Obviously, apps with administrator permission or read/write on webpages can steal lots of information and there's nothing that cybersecurity analysts or companies can do. A lack of care is an extreme problem, and it's something I'd also like to raise awareness about, too.

I’m not sure if you can answer, but are antivirus packages for iPhones worth buying? I’ve heard they’re immune to hacking etc but I don’t believe anything is!

iPhones are not immune to hacking, but anti-viruses do nothing to make your phone more secure. I would recommend just making sure you are on the latest version of iOS, as otherwise your phone will be vulnerable to more bugs. Apple actually runs a bug bounty program for bugs found in iOS. Security fixes are added in every update by Apple to make sure phones are more secure and safer. I'd also recommend not installing an app unless you trust it and not visiting weird websites.

How much knowledge about coding and computers do you need for your job?

There's obviously a good amount of knowledge you need about programming, but it's not too much if you're interested in the field. Learning programming is a useful skill in this field, and it can also be used for other fields, too. You don't need to know too much programming, but you will need to familiarize yourself with common knowledge of networking, HTTP, and how websites and programs work. There are many resources on the internet to help people who are interested in this field get started, some of which I included in the original post.

How have people reacted at your age?

I usually don't tell them as it doesn't really matter that much. I'm pretty sure there are other people my age that also do this, so it wouldn't be rare to see someone my age submitting reports.

Ironic this pops up as I'm actually considering going into this field.

For someone looking to get into this line of work, can you recommend some good resources to learn what's needed to succeed in the job?

I'd recommend Hacker101 if you need some basic CTF challenges. I'd also recommend BugBountyNotes, as they may have some useful content.

Thanks for the reply.

I was more so asking about like resources to learn how to even do these sort of jobs. I used to do some minor coding stuff years ago (im talking like 2009-2012) that I think was either html or c+? I can't remember truthfully. Basically, what is the like required knowledge to preform these jobs, and what is a good place to start learning how to gain said knowledge?

I'd first learn a programming language like Python and then move into security research tutorials on OWASP and Bug Bounty Notes. You can learn python from its documentation or by googling how it works. I'd also recommend you get familiar with a web server library on the language you decide to learn. You can google pretty much anything about it.

Starting school for cyber security in January. No idea what I'm in for.

When somebody works in Cyber Security, does that tend to imply using tools that you're trained in, or like writing code from scratch?

You can do both. Tools streamline the process, and you don't usually have to reinvent the wheel. Sometimes, you will need to make a script, but most of the time other specialized tools can be used.

Is c++ a good programming language for this field?

I would recommend other languages such as Python or Javascript as C++ isn't usually used in web development. C++ will also take longer to create web development scripts with and doesn't have as many libraries as other languages.

Is python good?

Yeah, it can be used for a lot of things, both in this field and in programming.

Have you worked on any cryptocurrency projects like Ethereum?

I plan on getting into cryptocurrency soon, but I haven't started with it yet.

Wouldn't you prefer a good game of chess?

Does chess impact the world as much as security research?

What are your thoughts on the Australian anti-encryption laws? This legislation requires developers to code a back-door into any encryption used in their programs for 'security measures'.

Anti-encryption laws aren’t good. It allows for more vectors to attack the application and retrieve data for both attackers and the government.

Just started an OSINT internship and feeling genuinely overwhelmed and out of my element, any advice that might make conducting these investigations more fruitful or streamlined?

Sometimes, you should look over the knowledge you already think you know. I find this useful in many areas when I may have misunderstood something that caused me to be very confused instead of cramming new content in.

[deleted]

It really depends on what you’re doing. For web research, you don’t need that much reverse engineering. You may need to understand JS files that are compressed and minified, but other than that not really. For game/app bug research, you’re definitely going to need to know how to do reverse engineering and maybe even learn assembly for programs compiled in C++ or C.

[deleted]

That’s not my area of expertise, but you would need to look for UAFs or buffer overflows and then find a way to cause them to happen. There would be money in kernel research, but then you would also have to learn the kernel too.

What’s your opinion on Kali Linux?

Overrated. I use a macOS or my PC for it.

Do you mean you use your Mac or PC for cyber security in general?

It usually depends on the day and where I am.