Critical Thinking - Bug Bounty Podcast
[HackerNotes Ep. 164] Tommy DeVoss: From Black Hat to Bug Bounty LEGEND
Justin sits down with Tommy DeVoss to talk about his origin story, Yahoo bugs, and how Tommy first got Justin into Bug Bounty
Hacker TL;DR
Tommy DeVoss (dawgyg) went from IRC botnets and website defacement in the 90s to prison twice, to becoming one of the first six hackers to cross $1M on HackerOne.
The $180k Yahoo SSRF: octal-encode only the first octet of 169.254.169.254 → 0251.254.169.254. Worked on 18 separate endpoints, each paid $10k. One bypass, applied systematically across the known attack surface = $180k in one session.
Revisiting old reports is an underrated strategy. When you have limited time, don't start from scratch; go back to reports you've already filed and test new variants.
Tommy's fuzzing setup for Chrome: 6 parallel builds (ASAN, MSAN, UBSan, vanilla, debug, exploit-dev). Every crash gets patched locally, so the fuzzer keeps progressing past known bugs instead of looping on the same one.
AI is very useful here for covering the whole Chrome project, a codebase far too large to navigate by hand.
Scope is not optional. If the company hasn't explicitly said yes (published program, VDP, signed agreement), the answer is no.
Hackernotes
The Origin Story
Tommy DeVoss started on IRC in the early 90s. Not hacking systems so much as fighting over channels and running botnets. The targets were other IRC groups. Mafia Boy, the Canadian kid credited with the first large-scale DDoS attack (eBay, Yahoo, basically everything big in 2000), was one of the guys they were fighting on Efnet. Same botnets, different sides.
From there, he did some website defacement. This is the late 90s, so "web vulnerability" wasn't really a thing yet. Websites were static HTML or maybe some flat files. There was no database for SQLi. The attack path was network-level: Telnet exploits, RPC vulnerabilities on port 111, compromising name servers, installing packet sniffers to harvest credentials of anyone who Telnetted through. University computers in Taiwan, Korea, and Hong Kong were the preferred jump boxes, running old OS versions, always exploitable, and far enough away that tracing back was expected to be hard.
It worked until it didn't. Cowhead got arrested at DEF CON 2001 for ripping a gold-plated payphone off the wall during the scavenger hunt. The FBI monitored the group's website to figure out who was involved, and he got arrested too.
Two and a half years in prison. Then out, back on computers within a month, because construction and cooking were boring. Defaced Yahoo again. The probation officer showed up and found a keyboard on the bed. No computer, no reason to own a keyboard, but it was a violation, so back for another year.
Out in 2008, and actually clean this time. He bought an Xbox, which technically violated his terms too. Then his sister's fiancé showed him a browser-based game called Ebony with exploitable mechanics, and he wrote the first bot for it. Then a nearby business got broken into and some computers were stolen. Local cops knew his history. The FBI watched him for six months, found nothing, and used the burglary as an excuse to raid him anyway. Back for another 16 months.
Four months into that sentence, the FBI came back and apologized. They'd found the actual burglar and the person working with Rafa. As part of what amounted to an apology, they lifted his computer ban permanently. Without that, he wouldn't have been able to do bug bounties legally.
The Bug Bounty Entry
2014: creates accounts on HackerOne and Bugcrowd, doesn't do anything with them. The whole thing seemed too good to be true for someone who had life in prison on the table if he got caught hacking again without authorization.
Late 2015: starts seeing write-ups on Twitter. Actual money, actual bugs.
Early 2016: logs into his HackerOne account, sees Yahoo in the program directory. Goes there first because he already knows Yahoo.
March 2016: first bounty, $300.
Then Hack the Pentagon. A month of hacking DoD assets, finished first or close to it, then found out you needed to pass a background check to collect bounties. Went to Twitter, vented. Someone running the program DMed him. 24 hours later: "You now pass background checks."
2017: ~$200k. Named one of H1's top earners.
2018: ~$700k, including the $180k SSRF session.
2019: officially crosses $1M. One of the first six hackers to do it.
The $180k SSRF
Back in October 2018, in Las Vegas, he was waiting for a friend who took two hours to get ready. Didn't want to start something new, so he opened an old Yahoo SSRF report and started playing with it.
Yahoo used a blacklist to block the AWS metadata endpoint 169.254.169.254. But a blacklist only blocks the spellings it knows about.
He'd already gotten the AWS credentials from this endpoint before, so he knew the exact path and key name. Just needed a new way to represent the IP. He was stoned and decided to try something that logically shouldn't work: octal-encode just the first octet. 169 becomes 0251. The rest of the IP stays the same: 0251.254.169.254.
It worked. He has no idea why specifically; it looks nothing like a valid IP address, but Yahoo's server handled it fine. The blacklist was checking for 169.254.169.254 and its obvious variants. 0251.254.169.254 wasn't on the list.
Then he did what any bug hunter does: opened every SSRF report he'd ever filed against Yahoo, three years’ worth, and tested the same encoding on all of them. Worked on every single one. 18 endpoints, each a unique location, each paid $10k. 18 reports, $180k. Four days later, he was sitting outside a car dealership, buying his GTR in cash.
So when you find a working bypass, scale it horizontally. You already know the program, you already know the endpoints. One technique applied to your entire known attack surface multiplies the payout without multiplying the recon time.
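Why the octal form reached the metadata service is not a mystery on the server side: the C library's inet_aton (and the resolvers built on it) accept octal parts (leading 0), hex parts (0x), and fewer than four parts, so 0251.254.169.254, 0xa9.0xfe.0xa9.0xfe, 2852039166 and 169.254.43518 all become the same address, while a deny-list that compares strings never sees the canonical form. The following is an added example, not code from the episode or from Yahoo, showing the weak string-matching deny-list beside a check that canonicalizes the host first and decides on the resulting address. It goes beyond the single octal case in the notes to cover the hex, decimal, shorthand and IPv4-mapped IPv6 forms. All function names are my own, and 198.51.100.7 is a constructed address from a documentation range.

```python
import ipaddress
import re
from typing import Optional

# Ranges a server-side fetcher should never be allowed to reach. 169.254.0.0/16 is
# link-local and contains the cloud metadata service the notes describe.
BLOCKED_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("169.254.0.0/16", "127.0.0.0/8", "10.0.0.0/8",
              "172.16.0.0/12", "192.168.0.0/16", "0.0.0.0/8")
]

# The weak pattern: a deny-list of literal spellings. Anything spelled differently passes.
NAIVE_DENYLIST = {"169.254.169.254", "metadata.google.internal"}


def naive_allows(host: str) -> bool:
    return host not in NAIVE_DENYLIST


# One inet_aton-style part: hex (0x..), octal (leading 0) or decimal.
_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def _parse_part(part: str) -> int:
    if not _PART.match(part):
        raise ValueError(f"bad octet {part!r}")
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def canonical_ipv4(host: str) -> Optional[ipaddress.IPv4Address]:
    """Interpret host the way inet_aton does: each part may be octal, hex or decimal,
    and with fewer than four parts the last part fills the remaining bytes."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    *head, last = values
    if any(v > 0xFF for v in head):
        return None
    remaining = 4 - len(head)
    if last >= 1 << (8 * remaining):
        return None
    packed = 0
    for v in head:
        packed = (packed << 8) | v
    packed = (packed << (8 * remaining)) | last
    return ipaddress.IPv4Address(packed)


def is_blocked(addr) -> bool:
    """Decide on the canonical address, after unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    if isinstance(addr, ipaddress.IPv6Address):
        if addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        else:
            return addr.is_loopback or addr.is_link_local or addr.is_private or addr.is_unspecified
    return any(addr in net for net in BLOCKED_NETWORKS)


def hardened_allows(host: str) -> bool:
    """Allow only IP literals that canonicalize outside every blocked range.
    Hostnames are rejected here on purpose: the caller must resolve them, pass every
    resolved address through is_blocked(), and pin the connection to that address."""
    addr = canonical_ipv4(host)
    if addr is None:
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            return False
    return not is_blocked(addr)


if __name__ == "__main__":
    for h in ("169.254.169.254", "0251.254.169.254", "0xa9.0xfe.0xa9.0xfe",
              "2852039166", "169.254.43518", "::ffff:169.254.169.254", "198.51.100.7"):
        print(f"{h:26} naive={naive_allows(h)!s:5} hardened={hardened_allows(h)}")
```

The check has to run on the address the fetcher actually connects to, which means after DNS resolution and again after every redirect; a filter that only looks at the URL a user submitted is the same mistake as the string deny-list, one layer up.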
Fuzzing Chrome
This is Tommy's current focus. He can't disclose the specific bugs yet; not enough time has passed since the reports were submitted.
The setup: 6 separate Chrome checkouts, each compiled with different instrumentation:
ASAN — AddressSanitizer, catches memory corruption (OOB, UAF, double-free)
MSAN — MemorySanitizer, catches uninitialized memory reads
UBSan — Undefined Behavior Sanitizer, flags signed integer overflow, null dereference, type confusion
Vanilla — clean build, confirms crashes reproduce in real-world binary
Debug — full symbols for stack trace analysis
Exploit dev — custom build for writing PoCs
Every time he finds a crash, he patches it locally in all 6 builds before continuing. This is the part most people skip. If you don't patch locally, your fuzzer keeps hitting the same crash and never gets past it. Local patches push the fuzzer into unexplored code paths. Over time, you build a layered map of the same code region.
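Patching a crash locally only helps if you can tell that the next report is the same bug or a new one, and sanitizer output varies in PID, addresses and runtime frames between runs. The following is an added example, not Tommy's tooling and not a script from the Chrome project, that parses the report shape AddressSanitizer and MemorySanitizer print, skips frames inside the sanitizer runtime and allocator, and buckets crashes by sanitizer, bug type and the top in-project frames of the faulting stack; a report whose bucket is already in the locally patched set is not new. The three sample reports are constructed, and every path, function name, address and PID in them is invented for the example rather than taken from a real Chrome crash.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample reports in the shape ASan and MSan print. Paths, functions,
# addresses and PIDs are invented for this example and are not real Chrome crashes.
SAMPLE_REPORTS = [
    """==4242==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060000000f0 at pc 0x55d5a1 bp 0x7ffd1 sp 0x7ffd0
READ of size 8 at 0x6060000000f0 thread T0
    #0 0x55d5a1 in dom::Node::parentNode() renderer/dom/node.h:120
    #1 0x55d5b2 in dom::Range::setStart(dom::Node*,unsigned) renderer/dom/range.cc:310
    #2 0x55d5c3 in bindings::RangeSetStartCallback(const CallbackInfo&) gen/bindings/range.cc:88
    #3 0x55d5d4 in js::HandleApiCall(int,unsigned long*) js/builtins/api.cc:140
""",
    """==5150==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600000aa10 at pc 0x55d5a1 bp 0x7ffe1 sp 0x7ffe0
READ of size 8 at 0x60600000aa10 thread T0
    #0 0x55d5a1 in dom::Node::parentNode() renderer/dom/node.h:120
    #1 0x55d5b2 in dom::Range::setStart(dom::Node*,unsigned) renderer/dom/range.cc:310
    #2 0x55d5c3 in bindings::RangeSetStartCallback(const CallbackInfo&) gen/bindings/range.cc:88
    #3 0x55d5d4 in js::HandleApiCall(int,unsigned long*) js/builtins/api.cc:140

0x60600000aa10 is located 16 bytes inside of 56-byte region [0x60600000aa00,0x60600000aa38)
freed by thread T0 here:
    #0 0x4a2b3c in operator delete(void*) compiler-rt/lib/asan/asan_new_delete.cpp:150
    #1 0x55d6e5 in dom::Node::~Node() renderer/dom/node.cc:400
""",
    """==7777==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x4b0c10 in __msan_memcpy compiler-rt/lib/msan/msan_interceptors.cpp:1400
    #1 0x5a1000 in codec::DecodeHeader(const unsigned char*,unsigned long) third_party/codec/decode.cpp:212
    #2 0x5a2000 in image::Decoder::Decode(unsigned long) renderer/image/decoder.cc:77
    #3 0x5a3000 in image::Bitmap::FrameAtIndex(unsigned long) renderer/image/bitmap.cc:150
""",
]

HEADER_RE = re.compile(r"==\d+==(?:ERROR|WARNING): (\w+Sanitizer): ([\w-]+)")
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-fA-F]+\s+in\s+(.+?)\s+(\S+?:\d+)(?::\d+)?\s*$")
# Frames inside the sanitizer runtime or the allocator say nothing about the bug itself.
RUNTIME_PREFIXES = ("__asan", "__msan", "__ubsan", "__sanitizer", "__interceptor_",
                    "operator new", "operator delete", "malloc", "free", "calloc", "realloc")


@dataclass(frozen=True)
class CrashSignature:
    sanitizer: str
    bug_type: str
    frames: Tuple[Tuple[str, str], ...]  # (function, file:line) of the top in-project frames

    @property
    def bucket_id(self) -> str:
        # Addresses and PIDs are deliberately left out so reruns of one bug collide.
        raw = "|".join([self.sanitizer, self.bug_type] + [f for f, _ in self.frames])
        return hashlib.sha1(raw.encode()).hexdigest()[:12]


def parse_report(text: str, depth: int = 3) -> Optional[CrashSignature]:
    m = HEADER_RE.search(text)
    if m is None:
        return None
    frames: List[Tuple[str, str]] = []
    in_stack = False
    for line in text.splitlines():
        fm = FRAME_RE.match(line)
        if fm:
            in_stack = True
            func, loc = fm.groups()
            if not func.startswith(RUNTIME_PREFIXES):
                frames.append((func, loc))
                if len(frames) == depth:
                    break
        elif in_stack:
            break  # faulting stack ended; "freed by"/"allocated by" stacks are not part of the key
    return CrashSignature(m.group(1), m.group(2), tuple(frames))


def bucket_reports(reports: List[str], depth: int = 3) -> Dict[str, List[CrashSignature]]:
    buckets: Dict[str, List[CrashSignature]] = {}
    for text in reports:
        sig = parse_report(text, depth)
        if sig is not None:
            buckets.setdefault(sig.bucket_id, []).append(sig)
    return buckets


def is_new_crash(text: str, patched_bucket_ids, depth: int = 3) -> bool:
    """True when the report does not fall into a bucket that was already patched locally."""
    sig = parse_report(text, depth)
    return sig is not None and sig.bucket_id not in patched_bucket_ids


if __name__ == "__main__":
    for bucket_id, sigs in bucket_reports(SAMPLE_REPORTS).items():
        s = sigs[0]
        print(f"{bucket_id} x{len(sigs)} {s.sanitizer}: {s.bug_type} @ {s.frames[0][0]}")
```

Three frames is a compromise: fewer and unrelated bugs that share a hot helper collapse together, more and the same bug reached through different callers splits into several buckets. Whatever depth you pick, the bucket ids of crashes you have patched locally are the set worth persisting between fuzzing runs.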
Most of what he's found is in the renderer process. He's got one in the GPU process. Renderer bugs are the entry point and GPU process bugs are more valuable because the GPU process runs with fewer sandbox restrictions. Chain renderer-to-GPU and you're looking at sandbox escape.
There's also the Google Open Source VRP angle: vulnerabilities in third-party libraries that Chrome uses can be patched upstream, then submitted to Google after 30 days. Up to $15k for standard bugs, up to $31k for supply chain compromise scenarios. The library doesn't even need to be reachable in Chrome itself.
AI in the Workflow
There are three places where he uses AI in his workflow:
Harness building. Chrome has a full validation pipeline that runs before any vulnerable code path is reachable. Writing a harness that mimics that flow by hand requires deep knowledge of Chrome internals. AI can analyze the relevant source files and construct the call sequence automatically. The harness has to be accurate enough that crashes reproduce in the real browser, not just in isolation.
Crash RCA. When the fuzzer finds something, tracing why it crashed, which memory operation failed, and where the state diverged from the crash site, used to take 1-2 hours manually. AI does it in ~2 minutes.
Codebase navigation. Chrome's codebase is massive. Tracing a single code path across hundreds of files requires holding a lot of context. Gemini is the only model Tommy uses for this because of the 2M token context window. Other models lose track of the state before they can complete the trace.
There's also a rule he runs: AI agents have to do a brain dump every few minutes, what they've tried, what failed, and why. Not just what succeeded. The failure log is the decision tree. Without it, long research sessions drift into repeating dead ends.
Also: AI agents are never allowed to delete files.
About Scope
Tommy says it with more weight than most people. Life in prison is what he's got on the table for another computer crime conviction. So when he talks about scope, it's not theoretical.
Bug bounty is legal only because the company explicitly said yes. Published program, VDP, signed agreement. That's it. "Security research" without written permission is unauthorized access, regardless of intent or severity. A pissed-off CLO having a bad day and an out-of-scope test is all it takes.
If they have a VDP but no bounties, you're still covered. If they have a program with a restrictive scope, stay in it. If they have nothing, the answer is no.
