Ask HN: Need Career Recommendations
32 points by equatorium 1274 days ago
Hi.

I'm looking for some career recommendations, not quite sure which path to go. About me: I'm currently 17 years old and have been doing cybersecurity for 3 years. I've been doing bug bounty since then, at https://hackerone.com/f9cd8782?type=user. Got into it randomly when I accidentally found a critical vulnerability when I was 14; I had prior coding and system knowledge, as I started coding at the age of 10.

I've now stopped doing security research for Epic Games, for specific reasons. I've reported around 130 valid vulnerabilities in their engine and games (binary exploitation), including remote code execution and netcode vulnerabilities (mostly critical ones affecting the gameserver itself, technically a 0day due to it being the engine).

I've been told many times that I am low-balling myself and should get into smart contract or browser security. Please let me know what you think and feel free to ask any questions.

11 comments

If you are 17 and have already been doing sec research for 3 years... well, why do you have trouble choosing between smart contracts and browser security? From my point of view, you could do both.

More seriously, if you haven't already, brush up your math/physics skills to get ready for university, and do either computer science or software engineering. It's only 3 or 4 years but the diploma will last you forever. Since you seem like a smart guy, getting the degree will be very easy for you. You'll thank me later, when you are 40.

Hey. Thanks for your message, I've already thought about working on my math skills, also wanted to take some time and read into cryptography.

Much appreciated, thinking about it.

Don't overthink it. Just do it. A CS degree will change your life.
I can't stress enough how important college is. People who can drop out of college and still do extremely well are very rare: When you look at Bill Gates and Mark Zuckerburg (sp?), they had to drop out because their startups' success was a once-in-a-lifetime event. They also had family money to fall back on if their startups failed and they needed to go back to school.

Many of the techies who I've met who dropped out of school had career struggles afterwards: I can't stress just how important it is to do college while you are college age. You can delay it 1-2 years if you like (and it will really be nice to have spending money when you're in college), but going to college when you're significantly older than everyone else will really suck.

College isn't just about the book education. That's the easiest part. It's also about the social experience; but it's much harder to apply for jobs without the degree.

> College isn't just about the book education. That's the easiest part. It's also about the social experience; but it's much harder to apply for jobs without the degree.

This can not be overstated.

University is the means with which one can reach out to knowledgeable people and build connections. The biggest mistake of my studies imho was not taking advantage of all the resources I had access to.

College also serves as a buffer, giving you dedicated time and space to grow.

The self-taught route is a viable path, but if growth is what you want, the early stages require more work than most realize.

More importantly: A lot of tech jobs get A LOT of applicants. Often the college degree requirement is simply a quick-and-easy filter. You might have an awesome resume, but without the degree, whoever's reading the giant stack of applications is just going to move on to the next one.
Applying for CS jobs is difficult full stop, with or without the degree.

I can't remember the last time I got invited to even the first stage! University doesn't fix that.

Yeah, I opted not to go, and none of my friends did either. While it seemed like things were going well for a few years, all my friends are now getting jobs in really cool domains from university hiring pipelines, whereas my career is basically dead now.
I’d read PG’s essays (someone compiled them in a pdf on github) and learn about startups. Long term you don’t want to sell your soul to corporations.

Continue to learn and try to get some contract work meanwhile. In security this is very common: audits, penetration testing, etc.

Good luck!

Start a corporation so that you don't need to sell your soul to corporations?
There is a skit out there about the American dream, something like “where the little guy does well, advances, gets promoted, becomes the boss, and then can stamp on all the little guys”
Start a corporation so you can buy other people's souls
Found it: https://news.ycombinator.com/item?id=22323562

Updated to November 2022

Thanks, much appreciated.
Thoughts and random advice mixed together:

- Before you go to university/college and semi-regularly afterwards do a security/doxx/skip trace/etc. on yourself and your accounts. Even if you later do more impressive work, presenting your earliest work is going to be the only way to prove that you were working pre-18/pre college degree, and you are going to need that proof. The main thing is to make sure that there's nothing connecting to those accounts/handles/usernames that might make you unemployable or people not wanting to work with you. It's a good practice to get into because when you're 28 and handing over proofs of what you did when you were 14, you don't want to lose job offers because 14 year old you named your variables 'buttface' or said something that was acceptable in 2019 that isn't in 2035 or something.

- Consider what you want. Do you want to maximize for money? For free time? For autonomy/freedom? What types of tasks do you enjoy doing?

- Consider majoring/minoring in something completely unrelated to CS. One major benefit those of us with significant programming/tech experience pre college have is that we already have a trade/profession going into college. (I started when I was ~5-6). Keep up with your tech work, but doing coursework in areas like communications or business management or picking a rare domain to acquire knowledge in to combine with your tech skills is going to be very advantageous particularly in the middle or later parts of your career.

- Don't worry a bunch about low-balling yourself. It's really weird to try to get an idea of where you fit in the market if you're an outlier and talented young people get really mixed messages sometimes. I think the main question to ask yourself is do you want to go into smart contract or browser security work? You clearly could.

Hey that’s impressive that you’re so young and found so many vulns.

If I was in your place I would chart out a path for myself to be CISO or CIO at a large org. Continue with your graduation and attempt to get ethical hacking certifications (CISSP or CompTIA in your junior or senior year). I would also start a technical blog about your research (once those are patched, of course). This will be a boost to your credentials when you apply for jobs. All the best!

Hey, thanks for your message.

I wanted to start a technical blog, but Epic Games never gave me (and still won't give me) permission to publish my research about Unreal Engine 0days or remote code execution in their games.

Will definitely work on certifications in the future.

Ethical hacker and CISO are totally different jobs and require different sets of interest. Why would you chart a path like that unless you're primarily motivated by big money?
There are a few paths forward for you, and a lot hinges upon your skills outside of security (and somewhat on your morality).

Computer security is a lucrative field, and a broad one.

You could continue the bug bounty approach, which leads into vuln selling (with the attendant morality questions). You could go into systems security research, a long term project but worthwhile intellectually. You could contract (needs networking and business), you could FAANG (needs patience and soft skills), you could government (needs patience and more patience).

My advice: don’t rush. You have at least 50 years of career ahead of you. The decisions you make now will influence your direction for years, but there’s very little you can do to completely derail your future. Try some things, see what resonates and clashes and learn more about you.

Context: 25 years in computer security in a variety of roles, currently FAANG, currently management. My 17 year old self would likely be somewhat surprised at my circumstances, but hopefully not upset :)

Thanks, much appreciated.

"You could contract (needs networking and business), you could FAANG (needs patience and soft skills), you could government (needs patience and more patience)" That sounds like an insanely hard approach. I don't really have anything to show, only really got my HackerOne profile to show. Most projects I do are related to it, which I don't really publish or am just not allowed to publish.

If someone wanted to get in touch with you, what would be the best way?
You can either contact me on discord, my tag is xor#0001 or you can shoot me a DM on twitter at https://twitter.com/equat0rium
I suppose the #0001 part is not an accident? Mind sharing? :)
Hmm, what do you mean exactly? The #<4_numbers> is part of the username that is required to add someone on discord. So, yea, the full thing to add me is xor#0001
If you have discord nitro, you can choose the 4 numbers by yourself. I got it gifted, so I set it to be #0001.
> You could continue the bug bounty approach, which leads into vuln selling (with the attendant morality questions)

Can you elaborate on this?

Look into Zerodium https://zerodium.com/.

They sell exploits to government agencies. They are one of the more legit outfits, but researchers can also sell exploits to NSO style bad actors.

I know what Zerodium is, but why does security work "lead to" exploit selling? There are lots of researchers who don't do that.
I can relate, as I started my career at 16, setting up a small ISP from scratch without any prior knowledge of computer networking and doing the work remotely, part-time, until recently when the company was acquired by a larger ISP. They had about 2000 subscribers when they sold it.

Besides that, I've worked full time on Linux administration at a large scale and in the last years on cloud architecture. When starting university, my colleagues were all envious of me because I was working on interesting stuff and because I had a steady income, but I don't know if the sacrifice of not having a life during high-school was worth it.

Some advice to my younger self:

- enjoy your young, no-care-in-the-world years and experiment as much as possible outside work and jobs; this will come in handy later on because you will end up working with people

- try finding a bachelor's and master's that can deepen your knowledge on the subject; for various reasons I've picked telecom and now I regret not picking CS for my current day-to-day job. I made the right choice by picking a networking master's

- if in or near Europe and if you like traveling, search for Erasmus+ exchanges during high-school and university years

- there are lots of certifications that can give you insight on the industry you're in. For example, I've only learned about Cisco certifications years after working in the networking field. Why? One constraint was budget and I initially implemented everything using Linux and cheap switches.

- don't get hired full-time early (this I'm glad I didn't do), because there will be plenty of time to climb corporate ladders. A few of my university colleagues are now on a higher corporate level than me, but should I care?

TL;DR enjoy your young years and don't sweat it too much by working during university; you're way ahead of everyone else and will easily land a job when the time will come.

Thanks for your message.

"and will easily land a job when the time will come." Well, that's the thing. I don't want to leave out any opportunities, just because I was lazy in my young years. There are many insanely good people out there and I heard companies more look at years of experience and certifications, instead of public "achievements" like HackerOne, etc.

I would try to avoid this FOMO mindset, it leads to burnout/possibly depression in like 5-10 years. I would focus on a) finding out what problems you are most interested in working on and b) having some fun while you're young and don't worry about being "lazy" (you're obviously in no danger of that).

I think it's best when you're young to not be focused/specialized too soon, but cast a wide net - maybe find a couple of projects that you're interested in doing that are somewhat interdisciplinary. College is good for this as well. Good luck!

Let me guess, your father just happens to be doing security research himself and as destiny would have it your interests intertwined?
No. I started coding on my own at the age of 9, was playing the old gems of games, saw people developing cool stuff in games like Minecraft.

Got a Java book for Christmas, started learning and got into Minecraft development. At the age of 14, I started learning cpp, reverse engineering and a bit of ASM. Found a vulnerability in Epic Games by messing around with stuff, managed to report it and was rewarded, then I simply kept going and made security research my hobby.

My family is not familiar with software, but with hardware, so I got my hands on a PC very early. No pressure tho.

I've seen a lot of your tweets about those bounties :)

As someone who has done bug bounties and also has certifications, I can suggest a few things.

1. College - Like others said, it helps a lot not just careerwise but socially as well.

2. Try joining big security groups/orgs - You have a lot of knowledge, especially in RE/PWN fields, so maybe try joining organizations that do security research full-time, for example Google Project Zero, or any of the loads of other organizations that do that kind of work. This will make life easier in the sense of what you wanna do. By joining such groups/organizations you can choose to work on game engine/cheat-anti-cheat hacking or browser/OS security; basically, choose what you wanna hack.

You might think, why would you need a job in any org to do so? Well, simply because of a stable income (the reason I stopped doing bug bounties), and association with a good org/group improves your network. Not sure if you know this or not, but having a good network of people really helps, professionally.

3. I saw someone mention that you should think of getting certifications. Believe me when I say it: certificates do nothing. I got my OSCP because people said it would help me get a job, but it didn't. Certificates are only for people who don't really have anything else to show, or beginners in the field trying to get their foot in the door. You already have an amazing profile showing that you are capable of doing RE/PWN stuff. Go for certifications only if you actually want to have fun and take on the challenge. Don't expect much change in your professional life from those certifications.

**

You already know this but I'd state it again, literally every program lowballs, and no one wants to pay up. So if you get 10k for RCE but expected 100k, just stop reporting to that program. If you like working on their services then maybe try talking to the program managers about it. In the end, if you feel like the program isn't giving back as you expected just move on to a different program.

All the above stuff was what came to mind to help your professional/bug-bounty career. To answer the question:

> I've been told many times that I am low-balling myself and should get into smart contract or browser security. Please let me know what you think and feel free to ask any questions.

If you just want big money, yes, smart-contract seems to be the big hot thing. If you are looking to make a big name in the security field along with a decent (sometimes really good) amount of money, then browser/OS security is definitely a good thing. In the end, just try them for 1 week/month and stick with something that you enjoy :)

Happy hunting!

Thank you very much, great advice.

> 2. Try joining big security groups/orgs - You have a lot of knowledge, especially in RE/PWN fields, so maybe try joining organizations that do security research full-time, for example Google Project Zero, or any of the loads of other organizations that do that kind of work. This will make life easier in the sense of what you wanna do. By joining such groups/organizations you can choose to work on game engine/cheat-anti-cheat hacking or browser/OS security; basically, choose what you wanna hack.

Already got my foot in some cool groups, not really a work-together thing, but still filled with some very skilled people like pmnh (https://hackerone.com/pmnh?type=user) and zi (the guy from dayzerosec https://www.youtube.com/channel/UCXFC76FDHZRVes6_lZqwLBA). Joining big organizations like Google Project Zero seems very hard in my eyes, haha. I would have no idea how to get into them.

> 3. I saw someone mention that you should think of getting certifications. Believe me when I say it: certificates do nothing. I got my OSCP because people said it would help me get a job, but it didn't. Certificates are only for people who don't really have anything else to show, or beginners in the field trying to get their foot in the door. You already have an amazing profile showing that you are capable of doing RE/PWN stuff. Go for certifications only if you actually want to have fun and take on the challenge. Don't expect much change in your professional life from those certifications.

I'd say that's very much true, but certifications are still a nice-to-have on the side, though surely not a big change.

> If you just want big money, yes, smart-contract seems to be the big hot thing. If you are looking to make a big name in the security field along with a decent (sometimes really good) amount of money, then browser/OS security is definitely a good thing. In the end, just try them for 1 week/month and stick with something that you enjoy :)

Yea, especially now, smart-contract research pays big. I'm probably gonna look into both and decide later on what to focus on.

Thanks again man, much appreciated.

> Already got my foot in some cool groups, not really a work-together thing

Yeah, I actually was saying it in the sense of professional work. For example: take Assetnote, they do code reviews and such. If you get to work with them that would be really good for professional work. There are several other smaller startups/orgs with good people in them that are doing security research.

> like pmnh (https://hackerone.com/pmnh?type=user) and zi

Oh, that is a good thing. I've followed some of their work.

> Joining big organizations like Google Project Zero seems very hard in my eyes, haha. I would have no idea how to get into them.

Right now, not sure how it would work. But P0 was just an example; if the idea of working there seems good, then the first step would be to professionally become part of a smaller org/group that does security research. And then gain traction from there by doing more public research in whatever field you like. AFAIK P0 prefers people with public research experience who have something decent to show they did publicly.

> "and will easily land a job when the time will come." Well, that's the thing. I don't want to leave out any opportunities, just because I was lazy in my young years. There are many insanely good people out there and I heard companies more look at years of experience and certifications, instead of public "achievements" like HackerOne, etc.

Just read this in one of your comments (sorry, just going through the thread). I actually agree with what @mrg2k8 said: you are young, and don't forget to enjoy the time you have now.

The thing about certifications/years of experience is true, but only when you actually want to work in an organization that works for itself. Basically, if you want to go in a line where you are working as [insert security-related post] in a company. If you want to continue working as a researcher, just exploring applications and finding bugs, then you don't have to worry about all that, because in that scenario public achievements would reign over certifications or years of experience.

If you are getting bored with research and want to get a job like penetration tester, product security, etc., then I think the majority of my suggestions become irrelevant. And then you should just go for a degree -> certifications -> apply for jobs -> $$$$

Ah this reeks of bs but welcome to hacker news where everyone gets the 350k+ offers. Lol posting the #2 for Epic Games, this totally is very real and very possible for a 10 year old to even do.
Hi. I've edited my profile description for proof, https://hackerone.com/f9cd8782?type=user
Haha, pwned!

conviencefee999, you'd do well to be a little more respectful when asking for a proof...

A lot of people are surprisingly angry in this thread.
To give a bit more of a realistic point of view to this thread: I have around 10 years of working experience as a software engineer, working in a few countries in Europe. Just recently I have reached my personal highest salary: 95K EUR/year before taxes, which is around 5K after taxes per month. I know there are fresh graduates in the US that are probably making double that in their first year at FAANG; but hey, that's life, to each their own!
An important point is that a distorted picture is produced through a straight salary comparison between an EU position and a US one. There are a number of reasons, but the two biggest are taxes and healthcare. The EU will likely have higher taxes, but much (much) lower healthcare costs.

I make $170k a year after 20 years, in the US, and I barely consider myself a success (sometimes I don't; had I not messed up I'd likely be a millionaire today). I messed up early on with college and won't have a B.S. in C.S. until next year. I pay roughly 30% a year in taxes, and have around a $10k total deductible for self/family, though a lot is covered with only a minimal co-pay of $10-$50 per visit (figure 2 visits per month, $1000 per year).

Look at the whole compensation package:

- Salary

- Taxes

- Employer 401k contribution

- Vacation

- Healthcare

- Profit sharing

- Etc.

20 years into my career I seriously doubt I'll ever get a $350k offer. Those aren't as common as you'd like to believe.

FWIW: I'm doing extremely well for where I live.

Try getting a fulltime job if you can. You don't need to join college for CS education imo. There is not much benefit of a college degree unless it's from an elite/great college. The best resources to learn CS are online, e.g. https://teachyourselfcs.com/ is a good resource to self-learn. Imo, unless you want to go into academia you don't really need a degree, at least for software/security jobs. As far as socializing and learning soft skills is concerned, it can very easily be done in a job as well; you don't need to go to a university for it. Even better, get a remote job or go backpacking around the world and you can fast track all those 4 years of socializing skills in a few months as well.
> You don't need to join college for CS education imo. There is not much benefit of a college degree unless it's from an elite/great college.

Be very careful. It's easy to get an entry-level development job when you're young and inexperienced because you're cheap.

Having hired experienced developers, what happens is that people without degrees get overlooked, no matter how good they are. The reason is that developer jobs get an unreasonably high number of applicants, so things like a college degree turn into basic filtering mechanisms.

I.e., it doesn't matter how good or experienced you are; without a degree many places (including me) won't even bother reading your resume.