Amat Cama searches for technology flaws from the comfort of his couch.
Only in his mid-20s, Cama is an accomplished bug bounty hunter, “a top security professional,” according to a professor at his alma mater, Northeastern University. He is among the best of the tens of thousands of white-hat hackers around the world who get paid bounties by businesses and nonprofits to uncover flaws in their digital assets, so they can be fixed—before malicious hackers can exploit them.
Cama grew up in Senegal, attending a school where computer science courses were basically nonexistent. His winding path from there to earning accolades (and a $50,000 bounty) at the world’s leading hacker competition in 2017 shows that cybersecurity talent can come from anywhere. More important, it can be developed and deployed in a variety of ways—although experience always seems to play a big role. Except for his superior skills and native country, Cama’s story is pretty typical within the ethical hacker community.
Q: How did you become interested in hacking?
During my second year at Northeastern, a friend introduced me to internet security concepts. He told me about wargames, which are computer security challenges that teach you different topics in the field. I spent a lot of time playing them and taking computer security courses. Later, one of my professors, Wil Robertson, introduced me to Capture the Flag competitions, which are very similar to wargames except that you compete against other teams. I learned how to pick up new concepts and topics on my own. And it was fun; I discovered that I really loved the intellectual challenge of it.
Q: Did you get right into the hacker world after Northeastern?
I did a one-year internship at the University of California, Santa Barbara, as a research assistant in the cybersecurity lab. I was planning to get a PhD and follow the academic route, but I ended up changing my mind and went into industry.
I joined the product security team at Qualcomm, where I audited some of the code they shipped with their devices in order to catch vulnerabilities and get them fixed.
After about 18 months there, I worked in Beijing at a startup called Chaitin Technology as a senior security researcher. My job was to look for bugs in software and then present my findings at security competitions. But I became homesick and moved back to Senegal.
Now I’m working as an independent security researcher and focusing on international hacking competitions such as Pwn2Own and GeekPwn. Those are my main sources of bug bounties. The competitions are very straightforward. They distribute a list of targets, and your goal is to find vulnerabilities in the months leading up to the event. Then you present what you’ve been able to find during the event. I wouldn’t say I’ve made my entire living that way, but I’ve made a significant amount of money—about $65,000—from just my two biggest bounties.