Ask HN: Need Career Recommendations
I'm looking for some career recommendations, not quite sure what path to go. To me, I'm currently 17 years old and now doing cybersecurity since 3 years. Been doing bug bounty since then, at https://hackerone.com/f9cd8782?type=user. Got into it randomly when I accidently found a critical vulnerability when I was 14, had prior coding and system knowledge, as I've started coding at the age of 10.
I now stopped doing security research for Epic Games, for specific reasons. I've reported around 130 valid vulnerabilities in their engine and games (binary exploitation), including remote code execution, netcode vulnerabilities (mostly critical ones affecting the gameserver itself, technically a 0day due to it being the engine).
I've been told many times that I am low-balling myself and should get into smart contract or browser security. Please let me know what you think and feel free to ask any questions.
55 comments
[ 2.5 ms ] story [ 96.1 ms ] threadIf I was in your place I would chart out a path for myself to be CISO or CIO at a large org. Continue with your graduation and attempt to get ethical hacking certifications (CISSP or CompTia junior or senior year). I would also start a technical blog about your research (once those are patched ofcourse) This will be a boost to your credentials when you apply for jobs. All the best!
I wanted to start a technical blog, but Epic Games never (and still don't) gave me permission to publish my research about Unreal Engine 0days or remote code execution in their games.
Will definitely work on certifications in the future.
I make $170k a year after 20 years, in the US, and I barely consider myself a success (sometimes I don't - had I not messed up I'd likely be a millionaire today). I messed up early on with college and won't have a B.S. in C.S until next year. I pay roughly 30% a year in taxes, and have around a $10k total deductible for self/family, though a lot is covered with only a minimal co-pay of $10-$50 per visit (figure 2 visits per month, $1000 per year).
Look at the whole compensation package:
- Salary
- Taxes
- Employer 401k contribution
- Vacation
- Healthcare
- Profit sharing
- Etc.
conviencefee999, you'd do well to be a little more respectful when asking for a proof...
FWIW: I'm doing extremely well for where I live.
More seriously, if you haven't already, brush up your math/physics skills to get ready for university, and do either computer science or software engineering. It's only 3 or 4 years but the diploma will last you forever. Since you seem like a smart guy, getting the degree will be very easy for you. You thank me later, when you are 40.
Much appreciated, thinking about it.
Continue to learn and try to get some contract work meanwhile. In security this is very common: audits, penetration testing, etc.
Good luck!
Updated to november 2022
Besides that, I've worked full time on Linux administration at a large scale and in the last years on cloud architecture. When starting university, my colleagues were all envious of me because I was working on interesting stuff and because I had a steady income, but I don't know if the sacrifice of not having a life during high-school was worth it.
Some advice to my younger self: - enjoy your young, no-care-in-the-world years and experiment as much as possible outside work and jobs; this will come in handy later on because you will end up working with people - try finding a bachelor and master that can deepen your knowledge on the subject; for various reasons I've picked telecom and now I regret not picking CS for my current day-to-day job. I made the right choice by picking a networking master's - if in or near Europe and if you like traveling, search for Erasmus+ exchanges during high-school and university years - there are lots of certifications that can give you insight on the industry you're on. For example, I've only learned about Cisco certifications years after working in the networking field. Why? One constraint was budget and I initially implemented everything using Linux and cheap switches. - don't get hired full-time early (this I'm glad I didn't do), because there will be plenty of time to climb corporate ladders. A few of the university colleagues are now on a higher corporate level than me, but should I care?
TL;DR enjoy your young years and don't sweat it too much by working during university; you're way ahead of everyone else and will easily land a job when the time will come.
"and will easily land a job when the time will come." Well, that's the thing. I don't want to leave out any opportunities, just because I was lazy in my young years. There are many insanely good people out there and I heard companies more look at years of experience and certifications, instead of public "achievements" like HackerOne, etc.
I think it's best when you're young to not be focused/specialized too soon, but cast a wide net - maybe find a couple of projects that you're interested in doing that are somewhat interdisciplinary. College is good for this as well. Good luck!
Many of the techies who I've met who dropped out of school had career struggles afterwards: I can't stress just how important it is to do college while you are college age. You can delay it 1-2 years if you like, (and it will really be nice to have spending money when you're in college,) but going to college when you're significantly older than everyone else will really suck.
College isn't just about the book education. That's the easiest part. It's also about the social experience; but it's much harder to apply for jobs without the degree.
This can not be overstated.
University is the means with which one can reach out to knowledgeable people and build connections. The biggest mistake of my studies imho was not taking advantage of all the resources I had access to.
I can't remember the last time I got invited to even the first stage! University doesn't fix that.
The self-taught route is a viable path but if growth is what you want, the early stages requires more work than most realize.
Computer security is a lucrative field, and a broad one.
You could continue the bug bounty approach, which leads into vuln selling (with the attendant morality questions). You could go into systems security research, a long term project but worthwhile intellectually. You could contract (needs networking and business), you could FAANG (needs patience and soft skills), you could government (needs patience and more patience).
My advice: don’t rush. You have at least 50 years of career ahead of you. The decisions you make now will influence your direction for years, but there’s very little you can do to completely derail your future. Try some things, see what resonates and clashes and learn more about you.
Context: 25 years in computer security in a variety of roles, currently FAANG, currently management. My 17 year old self would likely be somewhat surprised at my circumstances, but hopefully not upset :)
Can you elaborate on this?
They sell exploits to government agencies. They are one of the more legit outfits, but researchers can also sell exploits to NSO style bad actors.
"You could contract (needs networking and business), you could FAANG (needs patience and soft skills), you could government (needs patience and more patience)" That sounds like a insanely hard approach. I don't really have anything to show, only really got my HackerOne profile to show. Most projects I do is related to it, which I don't really publish or just not allowed to publish.
I guess you cared enough about this to automate account creation and waited for the right one? That'd be rather commendable attention to detail!
Got a java book for christmas, started learning and got into Minecraft development. At the age of 14, I started learning cpp, reverse engineering and a bit of ASM. Found a vulnerability in Epic Games by messing around with stuff, managed to report it and was rewarded, then I simply kept going and made security research to my hobby.
My family is not familiar with software, but with hardware, so I got my hands on a PC very early. No pressure tho.
Be very careful. It's easy to get an entry-level development job when you're young and inexperienced because you're cheap.
Having hired experienced developers; what happens is that people without degrees get overlooked, no matter how good they are. The reason is that developer jobs get an unreasonably high number of applicants; so things like a college degree turn into basic filtering mechanisms.
IE, it doesn't matter how good or experienced you are, without a degree many places (including me), won't even bother reading your resume.
- Before you go to university/college and semi-regularly afterwards do a security/doxx/skip trace/etc. on yourself and your accounts. Even if you later do more impressive work, presenting your earliest work is going to be the only way to prove that you were working pre-18/pre college degree, and you are going to need that proof. The main thing is to make sure that there's nothing connecting to those accounts/handles/usernames that might make you unemployable or people not wanting to work with you. It's a good practice to get into because when you're 28 and handing over proofs of what you did when you were 14, you don't want to lose job offers because 14 year old you named your variables 'buttface' or said something that was acceptable in 2019 that isn't in 2035 or something.
- Consider what you want. Do you want to maximize for money? For free time? For autonomy/freedom? What types of tasks do you enjoy doing?
- Consider majoring/minoring in something completely unrelated to CS. One major benefit those of us with significant programming/tech experience pre college have is that we already have a trade/profession going into college. (I started when I was ~5-6). Keep up with your tech work, but doing coursework in areas like communications or business management or picking a rare domain to acquire knowledge in to combine with your tech skills is going to be very advantageous particularly in the middle or later parts of your career.
- Don't worry a bunch about low-balling yourself. It's really weird to try to get an idea of where you fit in the market if you're an outlier and talented young people get really mixed messages sometimes. I think the main question to ask yourself is do you want to go into smart contract or browser security work? You clearly could.
As someone who has done bug bounties and also has certifications, I can suggest a few things.
1. College - Like others said, it helps a lot not just careerwise but socially as well.
2. Try joining big security groups/org - You have a lot of knowledge, especially in RE/PWN fields so maybe try joining organizations that do security research full-time example Google Project Zero or there are loads of other organizations that does that kind of work. This will make life easier in sense of what you wanna do. By joining such groups/organizations you can choose to work on game engine/cheat-anti-cheat hacking or browser/OS security basically choose what you wanna hack.
You might think why would you need a job in any org to do so? Well, simply because a stable income(the reason I stopped doing bug bounties) and association with a good org/group improve your network. Not sure if you know this or not but having a good network of people really helps, professionally.
3. I saw someone mentions that you should think of getting certifications. Believe me, when I say it, certificates do nothing. I got my OSCP because people said it would help me get a job, but it didn't. Certificates are only for people who don't really have anything else to show or beginners in the fields trying to get their foot in the door. You already have an amazing profile showing that you are capable of doing RE/PWN stuff. Go for certifications only if you actually want to have fun and take on the challenge. Don't expect much change in your professional life from those certifications.
**
You already know this but I'd state it again, literally every program lowballs, and no one wants to pay up. So if you get 10k for RCE but expected 100k, just stop reporting to that program. If you like working on their services then maybe try talking to the program managers about it. In the end, if you feel like the program isn't giving back as you expected just move on to a different program.
All the above stuff was what came to mind to help your professional/bug-bounty career. To answer the question
> I've been told many times that I am low-balling myself and should get into smart contract or browser security. Please let me know what you think and feel free to ask any questions.
If you just want big money, yes smart-contract seems to be the big hot thing. If you are looking to make a big name in the security field along with a decent(sometimes really good) amount of money then browser/OS security is definitely a good thing. In the just try them for 1 week/month and stick with something that you enjoy :)
Happy hunting!
> 2. Try joining big security groups/org - You have a lot of knowledge, especially in RE/PWN fields so maybe try joining organizations that do security research full-time example Google Project Zero or there are loads of other organizations that does that kind of work. This will make life easier in sense of what you wanna do. By joining such groups/organizations you can choose to work on game engine/cheat-anti-cheat hacking or browser/OS security basically choose what you wanna hack.
Already got my foot in some cool groups, not really a work-together thing, but still filled with some very skilled people like pmnh (https://hackerone.com/pmnh?type=user) and zi (the guy from dayzerosec https://www.youtube.com/channel/UCXFC76FDHZRVes6_lZqwLBA). Joining big organizations like Google Project Zero seems very hard for me in my eyes haha. Would have no idea on how to get into them.
> 3. I saw someone mentions that you should think of getting certifications. Believe me, when I say it, certificates do nothing. I got my OSCP because people said it would help me get a job, but it didn't. Certificates are only for people who don't really have anything else to show or beginners in the fields trying to get their foot in the door. You already have an amazing profile showing that you are capable of doing RE/PWN stuff. Go for certifications only if you actually want to have fun and take on the challenge. Don't expect much change in your professional life from those certifications.
I'd say that's very much true, but certifications is still a nice-to-have on the side, but surely not a big change.
> If you just want big money, yes smart-contract seems to be the big hot thing. If you are looking to make a big name in the security field along with a decent(sometimes really good) amount of money then browser/OS security is definitely a good thing. In the just try them for 1 week/month and stick with something that you enjoy :)
Yea, especially now, smart-contract research pays big. I'm probably gonna look into both and decide on later on what to focus.
Thanks again man, much appreciated.
Yeah I actually was saying insense of professional work. For Ex: Take assetnote, they do code review,s and such. If you get to work with them that would be really good for professional work. There are several other smaller startups/org with good people in them that are doing security research.
> like pmnh (https://hackerone.com/pmnh?type=user) and zi
Oh, that is a good thing. I've followed some of their work.
> Joining big organizations like Google Project Zero seems very hard for me in my eyes haha. Would have no idea on how to get into them.
Right now, not sure how it would work. But P0 was just an example, if the idea of working they seem good then the first step would be to professionally become part of a smaller org/group that does security research. And then gain traction from there by doing more public research in whatever field you like. AFAIK P0 prefer people with public research experience and have something decent to show they did publically.
> and will easily land a job when the time will come." Well, that's the thing. I don't want to leave out any opportunities, just because I was lazy in my young years. There are many insanely good people out there and I heard companies more look at years of experience and certifications, instead of public "achievements" like HackerOne, etc.
Just read this in one of your comments (sorry just going through the thread). I actually agree with what @mrg2k8 said you are young and don't forget to enjoy the time you have now.
The thing about certification/Year of Experience is true but only when you actually want to work in an organization that works for itself. Basically, if you want to go in a line where you are working as insert security-related post, in a company. If you want to continue working as a researcher, just exploring applications and finding bugs then you don't have to worry about all that because in that scenario public achievements would rein over certifications or years of experience.
If you are getting bored with research and want to get a job like penetration tester, Product security, etc then I think the majority of my suggestions become irrelevant. And then you should just go for a degree -> certifications -> Apply for jobs -> $$$$