A 19-year-old white hat that goes by the handle @try_to_hack became the first to surpass $1 million in bounty awards on the HackerOne platform.
The Argentinian researcher, whose real name is Santiago Lopez, started reporting security weaknesses to companies in 2015 on HackerOne, when he was 16. According to the platform, he has since reported over 1,600 security flaws to a range of companies, including Twitter and Verizon Media Company, as well as private corporate and government initiatives.
“I do not have enough words to describe how happy I am to become the first hacker to reach this landmark,” Lopez said in a media statement. “I am incredibly proud to see that my work is recognized and valued. To me, this achievement represents that companies and the people that trust them are becoming more secure than they were before, and that is incredible. This is what motivates me to continue to push myself and inspires me to get my hacking to the next level.”
Lopez is the all-time top-ranked hacker on HackerOne’s leaderboard, out of more than 330,000 hackers competing for the top spot. His specialty is finding Insecure Direct Object Reference (IDOR) vulnerabilities.
HackerOne noted in a recent blog that Lopez earned his first bounty of $50 when he was still 16. Since then, while hacking after school and now full-time, he has earned nearly forty times the average software engineer salary in Buenos Aires on bug bounties alone, it said.
“The entire HackerOne community stands in awe of Santiago’s work,” said HackerOne CEO Marten Mickos, in a statement. “Curious, self-taught and creative, Santiago is a role model for hundreds of thousands of aspiring hackers around the world. The hacker community is the most powerful defense we have against cybercrime. This is a fantastic milestone for Santiago but still much greater are the improvements in security that companies have achieved and keep achieving thanks to Santiago’s relentless work.”
The news comes as HackerOne releases its 2019 Hacker Report, which found that its ethical hacker community has doubled year-over-year (to the aforementioned 330,000) and that participants earned $19 million in bounties in 2018, nearly matching the total bounties paid out in the previous six years combined since the HackerOne platform launched.
The report also found that while India, the United States, Russia, Pakistan and the United Kingdom are the top locations where hackers reside, representing over 51 percent of the community, six African countries had first-time hacker participation in 2018.
Hackers from India and the U.S. alone account for 30 percent of the total community – but notably, that’s a shift from 2018, when those two countries claimed 43 percent, indicating increasing globalization in the white-hat arena.
Don’t miss our free live Threatpost webinar, “Exploring the Top 15 Most Common Vulnerabilities with HackerOne and GitHub,” on Wed., Mar 20, at 2:00 p.m. ET.
Vulnerability experts Michiel Prins, co-founder of webinar sponsor HackerOne, and Greg Ose, GitHub’s application security engineering manager, will join Threatpost editor Tom Spring to discuss what vulnerability types are most common in today’s software, and what kind of impact they would have on organizations if exploited.