Nineteen-year-old Santiago Lopez, who goes by the handle @try_to_hack, has become the world’s first hacker to make $1m from hacking legally.
He started reporting security weaknesses to companies through HackerOne bug bounty programmes in 2015, and has since reported more than 1,600 security flaws to organisations, including Twitter and Verizon Media Company, as well as private corporate and government initiatives.
A bug bounty is an award given to a hacker who reports a valid security weakness to an organisation, and is becoming a popular way for organisations to identify cyber attack vulnerabilities.
More than 1,200 other organisations – among them the US Department of Defense, General Motors, Google, Twitter, GitHub, Nintendo, Lufthansa, Panasonic Avionics, Qualcomm, Starbucks, Dropbox, Intel and the CERT Coordination Center – have partnered with HackerOne to find more than 100,000 vulnerabilities and award in excess of $45m in bug bounties.
However, according to bug bounty pioneer and CEO of Luta Security, Katie Moussouris, although targeted bug bounties have a role to play in cyber security, they are not a “silver bullet”, and run the risk of wiping out talent pipelines if poorly implemented, by providing incentives for people with cyber security skills to work outside organisations in pursuit of bounties.
Lopez said he was proud to see his work recognised and valued. “To me, this achievement represents that companies and the people that trust them are becoming more secure than they were before, and that is incredible. This is what motivates me to continue to push myself and inspires me to get my hacking to the next level,” he said.
Lopez is a top-ranked hacker on HackerOne’s leaderboard, out of more than 330,000 hackers competing for the top spot. His specialty is finding insecure direct object reference (IDOR) vulnerabilities.
Through HackerOne, hackers are invited to find weaknesses in the more than 1,200 technology companies, governments and enterprises that rely on HackerOne’s community to report security vulnerabilities before they can be exploited by criminals.
Learning to hack
Like many hackers, Lopez is self-taught. He was first inspired by the 1995 film Hackers and learned to hack by watching free online tutorials and reading popular blogs.
In 2015, when he was 16, Lopez joined HackerOne and earned his first bounty, $50, a few months later. He chose his alias, try_to_hack, to keep himself motivated.
For the past three years, Lopez hacked after school; he now hacks full-time, earning nearly 40 times the average software engineer salary in Buenos Aires.
“The entire HackerOne community stands in awe of Santiago’s work,” said HackerOne CEO Marten Mickos. “Curious, self-taught and creative, Santiago is a role model for hundreds of thousands of aspiring hackers around the world.
“The hacker community is the most powerful defence we have against cyber crime. This is a fantastic milestone for Santiago, but much greater are the improvements in security that companies have achieved and keep achieving thanks to Santiago’s relentless work.”
Just days after Lopez surpassed $1m in bounty awards, Mark Litchfield, known by the handle @mlitchfield, also joined the ranks of the million-dollar bug bounty hacker club.
In 2016, Litchfield made history as the first hacker to earn over $500,000 in bug bounties. To date, Litchfield has helped organisations including New Relic, Dropbox, Venmo, Yelp, Rockstar Games, Shopify and Starbucks resolve nearly 900 security weaknesses.
HackerOne is now offering Hacker101, a free collection of videos, resources and hands-on activities that will teach everything needed to operate as a bug bounty hunter.
According to the organisation’s latest annual Hacker Report, HackerOne has now paid out more than $42m to hackers for 93,000 resolved security vulnerabilities.
Earnings for 2018 alone totalled $19m, up from just $9.3m in 2017, which shows that the hacker-powered security market has more than doubled in the space of a year.
HackerOne contributors are located in more than 150 countries, with most currently in India, the US, Russia, Pakistan and the UK, accounting for more than half of the HackerOne community.
However, the report said the proportion of hackers in India and the US had dropped from 43% in 2018 to 30%, and six African countries were now represented, demonstrating increasing globalisation among HackerOne’s members.
“The perception of hackers is changing,” said Luke Tucker, senior director of community and content at HackerOne. “With the frequency of cyber attacks swelling to new highs, companies and government organisations are realising that to protect themselves online, they need an army of highly skilled and creative individuals on their side – hackers. As more organisations embrace the hacker community, the safer customers and citizens become.”
According to HackerOne, nearly two thirds of US citizens (64%) now recognise that not all hackers act maliciously, and as a result, interest in joining the hacker community is growing, but the motivation to join is not only bug bounties.
Nearly 41% begin hacking to learn and contribute to their career and personal growth, and nearly as many hack to have fun (13.53%) as those who do it for the money (14.26%), the report said.