March 1, 2019

It pays to be good: Teen hacker bags $1m in bug bounties

By Robert Scammell

A teenager has become the first person to make $1m from bug bounties, programmes that reward ethical hackers for finding security exploits and vulnerabilities in an organisation’s network.

Santiago Lopez, a 19-year-old from Argentina, has reported more than 1,600 security flaws to organisations including Twitter and Verizon Media, as well as other private companies and government initiatives.

He has risen to the number one spot on HackerOne, a hacker-powered security platform on which over 1,200 organisations invite the hacker community to report security vulnerabilities in exchange for cash.

Lopez first joined the platform – which boasts more than 330,00 ethical hackers – in 2015 and goes by the handle @try_to_hack. He specialises in finding Insecure Direct Object Reference (IDOR) vulnerabilities, which criminal hackers can use to bypass authorisation and access resources such as databases directly.

“I do not have enough words to describe how happy I am to become the first hacker to reach this landmark,” said Lopez, who taught himself how to hack via online tutorials and blogs after being inspired by the film Hackers.

“I am incredibly proud to see that my work is recognised and valued. To me, this achievement represents that companies and the people that trust them are becoming more secure than they were before, and that is incredible. This is what motivates me to continue to push myself and inspires me to get my hacking to the next level.”

Days after Lopez reached the $1m landmark, fellow hacker Mark Litchfield joined the million-dollar bug bounty club. He has helped organisations such as Starbucks, Dropbox and Rockstar Games.

Bug bounties: A lucrative earner

Although bug bounties have been around for decades, they are becoming an increasingly lucrative means for hackers to apply their talents for good. Those making a living from it earn on average 2.7 times more than the median average salary of a software engineer.

The average bug bounty payout is $2,041, according to the latest figures from HackerOne. In January 2018, Google awarded its largest ever bounty of $112,000 to a Chinese researcher.

“The entire HackerOne community stands in awe of Santiago’s work,” said HackerOne CEO Marten Mickos.

“Curious, self-taught and creative, Santiago is a role model for hundreds of thousands of aspiring hackers around the world. The hacker community is the most powerful defence we have against cybercrime.

“This is a fantastic milestone for Santiago but still much greater are the improvements in security that companies have achieved and keep achieving thanks to Santiago’s relentless work.”

