Sam Curry

Born: October 17, 1999 (age 24)
Nationality: American
Occupation(s): Hacker, security researcher
Website: samcurry.net

Sam Curry (born October 17, 1999) is an American ethical hacker, bug bounty hunter, and founder. He is best known for his contributions to web application security through participation in bug bounty programs, most notably finding critical vulnerabilities affecting 20 different auto manufacturers, including Porsche, Mercedes-Benz, Ferrari, and Toyota. In 2018, Curry began working as a security consultant through his company Palisade,[1] where he published vulnerability disclosures for security findings in Apple, Starbucks, Jira, and Tesla.

In 2021, Palisade was acquired by Yuga Labs, where Curry currently works as a security engineer. In 2023, Curry was detained and summoned to testify before a grand jury by IRS-CI and DHS on the wrongful suspicion that he was running a high-profile phishing website.

Curry has spoken on ethical hacking, web application security, and vulnerability disclosure at conferences including DEF CON,[2] Black Hat Briefings,[3] Kernelcon,[4] and null.[5]

Biography

Curry grew up in Omaha, Nebraska, and attended Elkhorn High School. He began hacking at the age of 12,[6] ethically disclosing vulnerabilities to various vendors over email.[7] At the University of Nebraska Omaha, Curry worked with students through the cyber security club NULLify.[8][9]

Publications and articles

References

  1. Ganz, Amy (30 July 2018). "Teen makes six figures hacking Google, Facebook legally". Fox Business. Retrieved 24 March 2020.
  2. "The Talks that Define DEF CON 27". Bugcrowd. 5 August 2019. Retrieved 24 March 2020.
  3. Murphy, Margi (10 August 2019). "Inside Black Hat, the world's biggest ethical hacker conference in Las Vegas". Telegraph. Retrieved 24 March 2020.
  4. Vidas, Tim. "Kernelcon Speakers". Kernelcon. Retrieved 24 March 2020.
  5. "null Dubai Meet 16 March 2023 March Special Meet". null.community. Retrieved 24 March 2023.
  6. Haworth, Jessica (23 April 2019). "School's out: Meet the teen hackers swapping books for bugs". Portswigger. Retrieved 24 March 2020.
  7. Paul, Kari. "This 18-year-old's hacking side hustle has earned him $100,000—and it's totally legal". MarketWatch. Retrieved 24 March 2020.
  8. Denney, Vanessa (18 December 2018). "NULLify Capture The Flag". University of Nebraska Omaha. Retrieved 24 March 2020.
  9. "Globally Used Points.com Loyalty System Hacked for Good". www.hackread.com. 4 August 2023.
  10. Franceschi-Bicchierai, Lorenzo. "Researchers Secure Bug Bounty Payout to Help Raise Funds for Infant's Surgery". vice.com. Retrieved 2 June 2021.
  11. Pritchard, Stephen (10 May 2021). "Pega Infinity hotfix released after researchers flag critical authentication bypass vulnerability". portswigger.net. Retrieved 2 June 2021.
  12. Curry, Samuel. "We Hacked Apple for 3 Months: Here's What We Found". samcurry.net. Retrieved 3 November 2019.
  13. Curry, Samuel (November 2019). "Filling in the Blanks: Exploiting Null Byte Buffer Overflow for a $40,000 Bounty". samcurry.net. Retrieved 3 November 2019.
  14. Curry, Samuel (November 2019). "Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More". samcurry.net. Retrieved 3 November 2019.
  15. Newman, Lily (August 2023). "Hackers Could Have Scored Unlimited Airline Miles by Targeting One Platform". wired.com. Retrieved 23 March 2024.
  16. Greenberg, Andy (March 2024). "Hackers Found a Way to Open Any of 3 Million Hotel Keycard Locks in Seconds". wired.com. Retrieved 23 March 2024.