Argentinian Teenager Becomes World’s First US$1 Million Bug Bounty Hacker on HackerOne

Photo by Irvan Smith on Unsplash

Singapore, @mcgallen #microwireinfo, March 4, 2019 – HackerOne, the leading hacker-powered security platform, announced today that bug bounty hacker @try_to_hack is the first to surpass US$1 million in bounty awards for helping companies become more secure.

A bug bounty is an award given to a hacker who reports a valid security weakness to an organization. Santiago Lopez started reporting security weaknesses to companies through bug bounty programs in 2015 on HackerOne. Lopez — who goes by the handle @try_to_hack — has reported over 1,600 security flaws to companies including Twitter and Verizon Media Company, as well as private corporate and government initiatives.

I do not have enough words to describe how happy I am to become the first hacker to reach this landmark,” said Lopez. “I am incredibly proud to see that my work is recognized and valued. To me, this achievement represents that companies and the people that trust them are becoming more secure than they were before, and that is incredible. This is what motivates me to continue to push myself and inspires me to get my hacking to the next level.”

Lopez is a top ranked all time hacker on HackerOne’s leaderboard out of more than three hundred and thirty thousand hackers competing for the top spot. Hackers are invited to find weaknesses in the more than 1,200 technology companies, governments and enterprises that rely on HackerOne’s hacker community to safely report security vulnerabilities before they can be exploited by criminals. His specialty is finding Insecure Direct Object Reference (IDOR) vulnerabilities.

Like many hackers, Lopez is self-taught. He was first inspired to get started after seeing the movie Hackers and learned to hack by watching free online tutorials and reading popular blogs. In 2015, at 16-years-old, he signed up for HackerOne and earned his first bounty of US$50 months later. He chose his alias “try_to_hack” to keep himself motivated — he was determined to try to hack companies regardless of whether he knew he could succeed. He keeps the name today to remind him of how he started as a bug bounty hacker. Over the past three years of hacking after school and now full-time, he has earned nearly forty times the average software engineer salary in Buenos Aires on bug bounties alone.

The entire HackerOne community stands in awe of Santiago’s work,” said HackerOne CEO Marten Mickos. “Curious, self-taught and creative, Santiago is a role model for hundreds of thousands of aspiring hackers around the world. The hacker community is the most powerful defense we have against cyber crime. This is a fantastic milestone for Santiago but still much greater are the improvements in security that companies have achieved and keep achieving thanks to Santiago’s relentless work.”

Lopez was not alone in the race towards this bug bounty landmark.

Days after Lopez surpassed US$1 million in bounty awards, Mark Litchfield — also known by his handle @mlitchfield — joined the ranks of the million dollar bug bounty hacker club. In 2016, Litchfield made history as the first hacker to earn over US$500,000 in bug bounties. To date, Litchfield has helped organizations including New Relic, Dropbox, Venmo, Yelp, Rockstar Games, Shopify and Starbucks resolve more nearly 900 security weaknesses.

For more on Santiago Lopez’s journey to becoming the top earning hacker on HackerOne, read the latest Q&A with him here. To get involved and start hacking, HackerOne is now offering Hacker101— a free collection of videos, resources, and hands-on activities that will teach everything needed to operate as a bug bounty hunter. To join the world’s largest hacker community who, in 2018 alone, earned more than US$19M in bounty awards for their contributions, sign up for HackerOne here.

Santiago Lopez, HackerOne ethical hacker
Santiago Lopez

Q&A with Santiago Lopez

Excerpt: 19-year-old Argentinian @try_to_hack just made history as the first to earn over $1,000,000 in bounty awards on HackerOne. We connect with him to learn more about how he reached this impressive milestone. We hope you are just inspired as we are! 19-year-old Argentinian @try_to_hack just made history as the first to earn over US$1,000,000 in bounty awards on HackerOne. Since joining HackerOne in 2015, Santiago has reported over 1,670 valid unique vulnerabilities to companies such as Verizon Media Company, Twitter, WordPress, Automattic, and HackerOne, as well as private programs. He consistently tops the HackerOne leaderboards, with the 91st percentile for signal, 84th percentile for impact, 2nd overall on the platform, and over 37,000+ reputation!

As a self-taught hacker, primarily using blogs and YouTube to expand his skills, Santiago shows us all that learning to hack is not reserved for the traditional classroom.

We’re thrilled for Santiago and grateful for the more than 1,670 vulnerabilities he reported that are now resolved. We connected with him to learn more about how he reached this impressive milestone. We hope you are just as inspired as we are!

Q: How does it feel to be the first million-dollar bug bounty hacker?
SL: I do not have enough words to describe how happy I am to become the first hacker to reach this landmark. I am incredibly proud to see that my work is recognized and valued. Not just for the money, but because this achievement represents the information of companies and people being more secure than they were before, and that is incredible.

Q: What made you want to be a hacker?
SL: I’ve always liked computers and programming ever since I was a little kid, but I never knew anything about hacking. I didn’t even know it existed until I saw the movie “Hackers”, which opened up a whole new world for me. As I learned more, I realized that I was naturally drawn to the types of challenges and problem-solving opportunities associated with hacking. The best was when I discovered the existence of bug bounty programs such as HackerOne. It allowed me to do what I like to do, earn money when I wanted to, where I wanted to, and at the same time making the world a bit safer. It was incredible!

Q: How did you learn to hack and when did you start?
SL: In 2015, when I was 16. I am completely self-taught. I learned to hack thanks to the Internet. I watched online tutorials and also read a lot about hacking. This is how I became the hacker that I am today. It took me a long time to find my first vulnerability, but with patience and effort, it can definitely be achieved.

Q: How did you find bug bounty programs?
SL: On the Internet and HackerOne.

Q: What types of bugs and programs are you most interested in?
SL: I’m mostly interested in programs that pay. I care less about whether they are private or public, and care more about the scope of the bug bounty program. What interests me the most when looking for bugs is finding as many bugs as I can in a short period of time and trying to earn good bounty rewards for them. I know they say quality before quantity, but quantity is what I like.

Q: When did you earn your first bounty and for what type of bug?
SL: My first bounty payout was $50 for a CSRF that I found back in 2016 when I was 17. At the time I was not very interested in the size of the bounty. I was just so happy and excited to earn my first reward on my own.

Q: What was the largest bounty you’ve earned and what was it for?
SL: US$9K for a SSRF in a private program.

Q: What was the first thing you bought with your bug bounty money?
SL: A new computer. My computer was old and I knew that a faster computer would help me make my hacking much faster and more efficient.

Q: When do you like to hack mostly, what time of day?
SL: A bit in the afternoon and evening, but preferably at night. I see hacking as a normal job, so I tend to hack between 6 to 7 hours per day.

Q: What is your favorite type of vulnerability to find and why?
SL: IDORs [or Insecure Direct Object Reference]. It is a vulnerability that is very easy for me to find and larger bug bounty programs often pay well for them.

Q: Your user name is “try to hack” — how did you come up with that name? As the first million-dollar hacker, maybe now you can be “I hack” :)
SL: In the beginning, my goal was to try to hack companies but I wasn’t so sure I would succeed. That’s why “try_to_hack” seemed like a very good name at that moment. However, I still like it and I will not change it because it reminds me of how I first started.

Q: What is the hacker community like in Argentina? Are your friends hackers too? Do you hack with other people?
SL: Unfortunately, I have not had the chance to meet other hackers in Argentina but I’m sure there are many. None of my friends are hackers. I like to hack on my own. I’m interested in socializing with other hackers to exchange knowledge but finding bugs on my own is quite exciting.

Q: Do you plan to keep hacking with bug bounty programs?
SL: I’m sure I’ll continue hacking with bug bounty programs. It is one of the most interesting things I have discovered in my life. I’m sure that anyone who discovers bug bounty programs will soon too realize that it opens up new opportunities for both hackers and companies who are committed to security.

Q: Do your friends and family know you are a hacker? How do people react when you tell them you are a hacker — and one of the best in the world at that?
SL: Yes, my friends and family know that I am a hacker. The first time I told them, they could not believe it. They viewed the hacker as a bad person who robbed people. They did not think it was possible that a hacker could be good and make money legally. After spending a great deal of time explaining this to my friends and family, they finally started to believe it and were super happy for my success.

Q: Anything else you want to add?
SL: I want to thank HackerOne for celebrating my achievement, I really appreciate it. Hope more bounties will come. HackerOne is the best bug bounty platform without a doubt, and any hacker/company should use it, and I’m sure there won’t be any regrets :)

About HackerOne
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be exploited. More Fortune 500 and Forbes Global 1000 companies trust HackerOne than any other hacker-powered security alternative. The U.S. Department of Defense, Hyatt, General Motors, Google, Twitter, GitHub, Nintendo, Lufthansa, Panasonic Avionics, Qualcomm, Starbucks, Dropbox, Intel, the CERT Coordination Center and over 1,200 other organizations have partnered with HackerOne to find over 100,000 vulnerabilities and award over US$43M in bug bounties. HackerOne is headquartered in San Francisco with offices in London, New York, the Netherlands, and Singapore.

###