Bug bounty gets bigger, as a teenager makes his first million in bug bounty
Tomas Foltyn, security writer at ESET discusses how a ‘white hat’ from Argentina has come a long way since winning his first reward of US$50 in 2016.
A little over a year ago, we looked at how well bug hunting can pay. The tale of an Argentinian teenager now shows that sleuthing for security holes in code can be a lucrative pursuit.
Santiago Lopez, a 19-year-old from Buenos Aires, has become the first person to earn over US$1 million in rewards on the leading bug bounty platform provider HackerOne.
“I am incredibly proud to see that my work is recognized and valued. Not just for the money, but because this achievement represents the information of companies and people being more secure than they were before, and that is incredible,” says Lopez.
He adds that he’s “completely self-taught” and only took up the trade and joined HackerOne in 2015. It wasn’t until the following year that the teen, working under the alias ‘try_to_hack’, earned his first payout – US$50 for a software flaw that could lead to Cross-Site Request Forgery (CSRF) attacks.
And try he did, having since hunted down more than 1,670 code vulnerabilities in services from companies such as Verizon, Twitter and WordPress. This includes a flaw that could enable Server Side Request Forgery (SSRF) attacks, netting Lopez his single biggest cash reward – US$9,000.
What was at first an after-school effort has evolved into a job that takes up 6-7 hours of the teen’s time a day and that pays far more than the job of a typical software engineer in Buenos Aires.
“What interests me the most when looking for bugs is finding as many bugs as I can in a short period of time and trying to earn good bounty rewards for them. I know they say quality before quantity, but quantity is what I like,” he is quoted as saying.
Days after reaching the landmark figure, Lopez was joined in the million-dollar bug bounty club by Mark Litchfield, a well-known name in the industry. Indeed, Litchfield had a bit of a head start on Lopez, having pulled in US$500,000 in rewards back in 2016.
A bountiful year
Beyond announcing Lopez’s feat, HackerOne has also released its 2019 Hacker Report. The platform, which acts as a kind of middleman between companies and white hats, notes that white hats earned more than US$19 million in bounties in 2018 alone, which is almost equivalent to the US$24 million made by HackerOne members in the preceding five years.
Indeed, more and more people are joining the community. The number of HackerOne members has topped 300,000, nearly double the figure of a year ago. Bounty hunters from the United States and India account for almost one-third of the membership.
Nine out of 10 HackerOne members are younger than 35, with nearly one in two being 18-24 years old. Just like Lopez, most (81 percent) are self-taught, while only 6 percent have completed a formal class or certification on hacking.