Meet the Yale student and hacker moonlighting as a cybersecurity watchdog
Schapiro's bug-hunting work gained traction last week after Hacker News readers had thoughts about one of his recent findings: a bug in Cerca, a buzzy dating app founded by college students that matches mutual contacts with each other. The flaw could have potentially exposed users' phone numbers and identification information, Schapiro said in a blog post.
Through an "internal investigation," Cerca concluded that the "bug had not been exploited" and resolved the issue "within hours" of speaking with Schapiro, a company spokesperson said. Cerca also reduced the amount of data it collects from users and hired an outside expert to review its code, who found no further issues, the spokesperson added. (The Yale Daily News first reported on Schapiro's findings in April.)
A frenzy of venture investment, in part fueled by advancements in AI, has hit college campuses, leading students to launch products and close fundraises quickly. And with "vibe coding," or using AI to program swiftly, becoming the norm among even the most technical builders, Schapiro is hopeful that ethical bug hunters can help startups build and scale while keeping security a top priority.
"These are real people, and this is real, sensitive data," Schapiro told BI. "It's not just going to be part of your pitch deck saying, 'hey, we have 10,000 users.'"
Building Safer Startups
Schapiro says he got his proclivity for programming from his mother, a former Bell Labs computer scientist. As many startup founders and AI researchers once did, Schapiro started building side projects in high school, using Spotify's API to curate playlists for friends and making X bots to track SEC filings.
Teaching himself how to "reverse-engineer" websites led to breaking them and making them stronger, a side hustle he now uses to poke holes in real companies before bad actors can.
Ethical hacking is a popular side hustle in some tech circles. (A Reddit group dedicated to the practice, r/bugbounty, has over 50,000 members.) It's a hobby that startups and tech giants stand to benefit from, as it helps them prevent data from getting into the wrong hands. Heavyweights like Microsoft, Google, Apple, and more run bug bounty programs that encourage outsiders to find and report security flaws in exchange for a financial reward.
In his first year at Yale, Schapiro found a "pretty serious vulnerability" in a company he says generates billions of dollars in annual revenue. (Schapiro declined to disclose the company, citing an NDA he signed.)
His discoveries have even led a company with "hundreds of millions of dollars in annual revenue" to start working on a bug bounty program of their own, Schapiro said. He has also been contracted by two other tech companies, including part-time work platform SideShift, to pentest their software. And last summer, he pentested Verizon's AI systems during an internship.
"As someone who uses a bunch of websites, I want my data to be taken care of," he said. "That's my mindset when I'm building something. I want to treat all the data that I'm dealing with as if it was my own data."
Slowing His Roll
On paper, Schapiro seems like the archetype of a college-dropout-turned-founder: He has built and tested apps since childhood, and he runs CourseTable, a Yale class review database that receives over 8 million requests a month. Sometimes, Schapiro says, founders looking for a technical counterpart reach out to him, and VCs hoping to back the next wunderkind ask him when he's going to found a company.
For now, Schapiro isn't interested.
"The No. 1 thing stopping me from raising money right now is not funding," he said. "I would need to really invest a bunch of time in it, and I love the four-year liberal arts college experience."
Recently, Schapiro has found himself learning how to become a smarter computer scientist — not in a machine learning class, but in a translations course he took for his second major, Near Eastern languages and civilizations. It helped him think about how he turns English into Python efficiently and effectively.
"You meet so many interesting, cool people here, and this is a time in your life where you can really just learn things," he said. "You're not going to get that experience later in life."
While he's not ruling out the possibility of founding a company in the future, Schapiro is fine slowing his roll until graduation next May. This summer, he's interning at Amazon Web Services, where he'll work on AI and machine learning platforms.
