I'm looking for some career recommendations, not quite sure what path to go. To me, I'm currently 17 years old and now doing cybersecurity since 3 years. Been doing bug bounty since then, at https://hackerone.com/f9cd8782?type=user. Got into it randomly when I accidently found a critical vulnerability when I was 14, had prior coding and system knowledge, as I've started coding at the age of 10.
I now stopped doing security research for Epic Games, for specific reasons. I've reported around 130 valid vulnerabilities in their engine and games (binary exploitation), including remote code execution, netcode vulnerabilities (mostly critical ones affecting the gameserver itself, technically a 0day due to it being the engine).
I've been told many times that I am low-balling myself and should get into smart contract or browser security. Please let me know what you think and feel free to ask any questions.
More seriously, if you haven't already, brush up your math/physics skills to get ready for university, and do either computer science or software engineering. It's only 3 or 4 years but the diploma will last you forever. Since you seem like a smart guy, getting the degree will be very easy for you. You thank me later, when you are 40.
Many of the techies who I've met who dropped out of school had career struggles afterwards: I can't stress just how important it is to do college while you are college age. You can delay it 1-2 years if you like, (and it will really be nice to have spending money when you're in college,) but going to college when you're significantly older than everyone else will really suck.
College isn't just about the book education. That's the easiest part. It's also about the social experience; but it's much harder to apply for jobs without the degree.
Continue to learn and try to get some contract work meanwhile. In security this is very common: audits, penetration testing, etc.
Good luck!
- Before you go to university/college and semi-regularly afterwards do a security/doxx/skip trace/etc. on yourself and your accounts. Even if you later do more impressive work, presenting your earliest work is going to be the only way to prove that you were working pre-18/pre college degree, and you are going to need that proof. The main thing is to make sure that there's nothing connecting to those accounts/handles/usernames that might make you unemployable or people not wanting to work with you. It's a good practice to get into because when you're 28 and handing over proofs of what you did when you were 14, you don't want to lose job offers because 14 year old you named your variables 'buttface' or said something that was acceptable in 2019 that isn't in 2035 or something.
- Consider what you want. Do you want to maximize for money? For free time? For autonomy/freedom? What types of tasks do you enjoy doing?
- Consider majoring/minoring in something completely unrelated to CS. One major benefit those of us with significant programming/tech experience pre college have is that we already have a trade/profession going into college. (I started when I was ~5-6). Keep up with your tech work, but doing coursework in areas like communications or business management or picking a rare domain to acquire knowledge in to combine with your tech skills is going to be very advantageous particularly in the middle or later parts of your career.
- Don't worry a bunch about low-balling yourself. It's really weird to try to get an idea of where you fit in the market if you're an outlier and talented young people get really mixed messages sometimes. I think the main question to ask yourself is do you want to go into smart contract or browser security work? You clearly could.
If I was in your place I would chart out a path for myself to be CISO or CIO at a large org. Continue with your graduation and attempt to get ethical hacking certifications (CISSP or CompTia junior or senior year). I would also start a technical blog about your research (once those are patched ofcourse) This will be a boost to your credentials when you apply for jobs. All the best!
Computer security is a lucrative field, and a broad one.
You could continue the bug bounty approach, which leads into vuln selling (with the attendant morality questions). You could go into systems security research, a long term project but worthwhile intellectually. You could contract (needs networking and business), you could FAANG (needs patience and soft skills), you could government (needs patience and more patience).
My advice: don’t rush. You have at least 50 years of career ahead of you. The decisions you make now will influence your direction for years, but there’s very little you can do to completely derail your future. Try some things, see what resonates and clashes and learn more about you.
Context: 25 years in computer security in a variety of roles, currently FAANG, currently management. My 17 year old self would likely be somewhat surprised at my circumstances, but hopefully not upset :)
Besides that, I've worked full time on Linux administration at a large scale and in the last years on cloud architecture. When starting university, my colleagues were all envious of me because I was working on interesting stuff and because I had a steady income, but I don't know if the sacrifice of not having a life during high-school was worth it.
Some advice to my younger self: - enjoy your young, no-care-in-the-world years and experiment as much as possible outside work and jobs; this will come in handy later on because you will end up working with people - try finding a bachelor and master that can deepen your knowledge on the subject; for various reasons I've picked telecom and now I regret not picking CS for my current day-to-day job. I made the right choice by picking a networking master's - if in or near Europe and if you like traveling, search for Erasmus+ exchanges during high-school and university years - there are lots of certifications that can give you insight on the industry you're on. For example, I've only learned about Cisco certifications years after working in the networking field. Why? One constraint was budget and I initially implemented everything using Linux and cheap switches. - don't get hired full-time early (this I'm glad I didn't do), because there will be plenty of time to climb corporate ladders. A few of the university colleagues are now on a higher corporate level than me, but should I care?
TL;DR enjoy your young years and don't sweat it too much by working during university; you're way ahead of everyone else and will easily land a job when the time will come.
As someone who has done bug bounties and also has certifications, I can suggest a few things.
1. College - Like others said, it helps a lot not just careerwise but socially as well.
2. Try joining big security groups/org - You have a lot of knowledge, especially in RE/PWN fields so maybe try joining organizations that do security research full-time example Google Project Zero or there are loads of other organizations that does that kind of work. This will make life easier in sense of what you wanna do. By joining such groups/organizations you can choose to work on game engine/cheat-anti-cheat hacking or browser/OS security basically choose what you wanna hack.
You might think why would you need a job in any org to do so? Well, simply because a stable income(the reason I stopped doing bug bounties) and association with a good org/group improve your network. Not sure if you know this or not but having a good network of people really helps, professionally.
3. I saw someone mentions that you should think of getting certifications. Believe me, when I say it, certificates do nothing. I got my OSCP because people said it would help me get a job, but it didn't. Certificates are only for people who don't really have anything else to show or beginners in the fields trying to get their foot in the door. You already have an amazing profile showing that you are capable of doing RE/PWN stuff. Go for certifications only if you actually want to have fun and take on the challenge. Don't expect much change in your professional life from those certifications.
**
You already know this but I'd state it again, literally every program lowballs, and no one wants to pay up. So if you get 10k for RCE but expected 100k, just stop reporting to that program. If you like working on their services then maybe try talking to the program managers about it. In the end, if you feel like the program isn't giving back as you expected just move on to a different program.
All the above stuff was what came to mind to help your professional/bug-bounty career. To answer the question
> I've been told many times that I am low-balling myself and should get into smart contract or browser security. Please let me know what you think and feel free to ask any questions.
If you just want big money, yes smart-contract seems to be the big hot thing. If you are looking to make a big name in the security field along with a decent(sometimes really good) amount of money then browser/OS security is definitely a good thing. In the just try them for 1 week/month and stick with something that you enjoy :)
Happy hunting!