Jasmin Landry, or JR0ch17, has an unusual hobby. In his spare time, he is a hacker.
"For me, it's mostly about the challenge of finding bugs," he says. "It's like a puzzle. It's just fun. I love it."
Landry, 26, has broken into servers belonging to a major automaker where he found sensitive data concerning factory operations.
But unlike the stereotypes of ill-intentioned hackers that haunt boardrooms and popular culture, Landry isn't a criminal. He only hacks into systems that have invited him to try to break in, through programs called "bug bounties."
As cybersecurity becomes an ever more pressing concern for automakers, the auto industry is embracing bug bounty programs such as the ones that Landry uses to earn extra money. The automakers invite hackers to test certain systems and offer cash incentives if the hackers find holes. By opening their systems to so-called "white hat hackers," automakers and suppliers harness the power of a community of security experts like Landry in the hunt for bugs that might otherwise be exploited by bad actors.
Landry has a day job as a certified cybersecurity professional. He works on bounty programs for five to 10 hours a week and makes $50,000 to $60,000 per year doing it. Other researchers who dedicate more time make far more, he says.
Though the thought of engaging with hackers can be off-putting to automakers and suppliers, bug bounties are increasingly becoming standard even for companies with large cybersecurity teams. That shift has required automotive software developers to reach across a significant cultural divide.
"There are people who have a 'breaker mindset' and there are people who have a 'builder mindset,' " said Casey Ellis, chief technical officer of Bugcrowd, a firm that manages bug bounty programs for automakers such as Ford, Tesla and Fiat Chrysler. "The hackers we work with are wired to want to tear things apart, see how they work and put them back together in new ways."
This can be disconcerting to the engineers who built these systems.
"If you work on building products, the first question you'll have is 'Why are these people trying to destroy my stuff?' " Ellis said. "Bug bounties are about creating a security feedback loop between people with different mindsets that ultimately results in a smarter team that builds better products."