Sam Curry

For the Scottish footballer, see Sam Currie.

Sam Curry (born October 17, 1999) is an American ethical hacker, bug bounty hunter, and cybersecurity entrepreneur.^[1][2] He has uncovered high‑impact security flaws across a range of technologies and industries. Notably, he led a 2022 project that exposed remote‑control vulnerabilities affecting 20 car manufacturers,^[3] and in 2024 he and a colleague revealed a weakness that allowed bypassing of Transportation Security Administration (TSA) airport security screenings.^[4]

Sam Curry
Born	(1999-10-17) October 17, 1999 (age 25) Omaha, Nebraska, U.S.
Nationality	American
Occupation(s)	Ethical hacker, security researcher
Website	samcurry.net

Early life and education

Curry grew up in Omaha, Nebraska and began hacking at age 12, initially by modifying online video games.^[5] He received his first bug‑bounty payout at 15 and by 18 had earned over US$500,000 in rewards.^[6]

Career

Palisade Security

In 2018 Curry founded the security consulting group Palisade Security, through which he reported serious vulnerabilities in companies including Apple, Starbucks, Atlassian, and Tesla.^[7][8] In September 2022, Google mistakenly wired Curry US$249,999.99, an error he publicized and later returned to the company.^[9]

Automotive research

In December 2022 Curry led research that exploited telematics endpoints from SiriusXM to remotely unlock, start, and locate vehicles made by Porsche, Mercedes‑Benz, Ferrari, Toyota, and others.^[10]

Domain registry vulnerabilities

In June 2023, Curry and collaborators demonstrated critical flaws in the infrastructure of multiple country-code top-level domains (ccTLDs), including .ai and .ly.^[11]

Loyalty‑program vulnerabilities

In August 2023 Curry, Ian Carroll, and Shubham Shah revealed API flaws in the Points.com loyalty platform that could grant attackers virtually unlimited airline miles and administrator access to dozens of travel rewards programs.^[12]

2023 federal detainment

Upon returning from Japan on 15 September 2023, Curry was detained by IRS-CI and DHS agents at Washington Dulles International Airport and served a grand-jury subpoena linked to a cryptocurrency phishing investigation. The subpoena was withdrawn days later.^[13]

Cable modem vulnerabilities

In 2024 Curry discovered an authorization bypass in Cox Communications’ device management APIs that allowed attackers to remotely reconfigure or access millions of customer modems.^[14]

Airport security vulnerability

In August 2024, Curry and Ian Carroll disclosed a flaw in the TSA's Known Crewmember (KCM) system that could allow unauthorized access through airport security checkpoints and even cockpit credentials.^[15]

Recruitment‑platform vulnerabilities

In July 2025 a Wired investigation revealed that Curry and Ian Carroll had exposed vulnerabilities in McDonald’s AI hiring platform, which allowed access to personal data from millions of job applicants.^[16]

Conference speaking

Curry has presented at DEF CON, Black Hat, Kernelcon, and NULLify security meet‑ups.^[17][18] At DEF CON 32 in 2024, Curry gave a talk titled "Hacking Millions of Modems and Investigating Who Hacked My Modem".^[19]

Selected publications

• Curry, Sam. “We Hacked Apple for 3 Months: Here's What We Found” (2021).^[20]
• Curry, Sam. “Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More” (2023).^[21]
• Newman, Lily Hay. “Hackers Could Have Scored Unlimited Airline Miles by Targeting One Platform” (2023).^[22]

Philanthropy

In April 2021 Curry donated a US$50,000 bug‑bounty reward to help fund an infant’s heart surgery.^[23]

See also

• Bug bounty program
• Ethical hacking