A 19-year-old has made over $1 million in his quest to find and report vulnerabilities in software and online services.
Santiago Lopez from Argentina, who operates under the moniker @try_to_hack, joined the bug bounty crowdfunding platform HackerOne in 2015. Since then, Santiago has reported over 1,670 separate bugs affecting products offered by vendors including Verizon Media Company, Twitter, WordPress, and Automattic.
The self-taught hacker has shown what can be possible for white hat bug bounty hunters to achieve.
Lopez taught himself how to track down bugs, including some of the most well-paid vulnerability classes, such as Insecure Direct Object Reference (IDOR) and Cross-Site Request Forgery (CSRF) security flaws, through Internet resources and YouTube videos.
Before he knew it, he was being paid for his work in both private and public bug bounty programs, starting with $50 for a CSRF security flaw and leading to Lopez's largest payout of $9,000 for a Server-Side Request Forgery (SSRF) vulnerability in a private program.
Lopez is now one of the top hackers in the HackerOne leaderboards in the 91st percentile for signal and 84th percentile for impact.
“I am incredibly proud to see that my work is recognized and valued,” the hacker says. “Not just for the money, but because this achievement represents the information of companies and people being more secure than they were before, and that is incredible.”
Lopez may have made his millions, but this does not mean the hacker plans to throw in the towel anytime soon.
“I’m sure that anyone who discovers bug bounty programs will soon too realize that it opens up new opportunities for both hackers and companies who are committed to security,” the hacker added.
Alongside the case study, HackerOne also released the firm's 2019 Hacker Report. Based on a survey of 3,667 bug bounty hunters on the platform, the research states that over $42 million has been paid to hackers since the platform's inception, and that $19 million of this amount was earned in 2018.
In total, 81 percent of those surveyed said they were self-taught, and 90 percent of hackers are under the age of 35, with 47 percent falling into the 18 to 24 category.
Websites appear to be the favorite option for bug bounty hunters. Over 70 percent of those surveyed said websites were their preferred target for bug hunting, followed by APIs (6.8 percent), data storage technology (3.7 percent), and then Android applications, operating systems, and downloadable software.