Meet Santiago Lopez, a 19-year-old, self-taught hacker from Argentina who has become the world’s first hacker to make $1 million from bug bounties.
Lopez — who goes by the handle @try_to_hack on the platform — started reporting security weaknesses to companies through HackerOne in 2015.
Since then he has uncovered over 1,600 security flaws and pocketed $1 million in earnings, according to a HackerOne release put out today.
His age is not unusual: a massive 47.7 percent of the 300,000-plus white hat hackers registered on HackerOne are 18 to 24 years old, according to the company’s annual report.
That brings them home bounty earnings equivalent to $34,255 (£26,500) annually, lower than the average UK salary of £27,000 (and that applies to only a tiny minority of participants).
Many young security researchers in the UK say it can be incredibly frustrating getting payouts via bug bounty programmes.
Dylan Wheeler, a white hat hacker told Computer Business Review: “[Bounty programmes] don’t really pay. These examples are rarities. Lots of companies will just patch and say the vulnerability has already been reported, etc. One friend will make $4,000 once in a blue moon. That’s plenty to live off in INR (Indian rupees), but…”
He added: “Honestly, everyone seems to be shying away from bug bounties, we do the due diligence, responsible disclosures but are often ignored and left to either publish after 90 days or just pretend it doesn’t exist and wait for them to get breached.”
“We’re all pushing for a better standard, potentially an ISO standard that can be complied with regarding how to deal with bug bounties and security researchers, and provide greater protections for us too.”
HackerOne is booming, however, with growing interest from around the world, its annual Hacker Report [pdf] — out today — shows; monthly signups grew every month through 2018 as more white hats joined the platform.
The San Francisco-based company, founded in 2012, says it has now paid out over $42 million to hackers, with payouts in 2018 more than doubling from 2017 (from $9.3 million to $19 million), and with hackers from six African nations including Kenya participating for the first time. (Fifty-one percent of hackers signed up are from five countries however: India, the United States, Russia, Pakistan, and the United Kingdom.)
Their favourite target to attack, according to a survey in the annual report, is websites by a large margin.
Over 70 percent of surveyed hackers said their favourite type of product or platform to hack is websites, followed by APIs (6.8 percent), technology that stores their data (3.7 percent), Android apps (3.7 percent), operating systems (3.5 percent) and downloadable software (2.3 percent).
HackerOne: “Perception of Hackers is Changing”
Financial incentives aside, HackerOne describes submitted bug reports, personal interactions and public HackerOne profile activity as a “bellwether for hiring decisions — a practice encouraged and championed within HackerOne.”
“The perception of hackers is changing,” said Luke Tucker, HackerOne’s Senior Director of Community and Content.
“With the frequency of cyber attacks swelling to new highs, companies and government organizations are realizing that in order to protect themselves online, they need an army of highly skilled and creative individuals on their side — hackers. As more organizations embrace the hacker community, the safer customers and citizens become.”
HackerOne’s customers include the U.S. Department of Defense, Hyatt, General Motors, Google, Twitter, GitHub, Nintendo, Lufthansa, Panasonic Avionics, Qualcomm, Starbucks, Dropbox, Intel, and over 1,300 other organisations.
The popularity of the platform attests, in part, to the challenges of running vulnerability disclosure in-house.
George Gerchow, Chief Security Officer at Sumo Logic, started running an in-house bug bounty programme for his company in 2015, before switching to HackerOne.
As he earlier told Computer Business Review, doing it in-house raised three key challenges: the number of bug submissions that had to be verified; the need to organise a payment structure that was “fair and agile” enough; and the stress on its DevSecOps team of having to triage, rate and score (CVSS) the bounties and prioritise remediation.
As he told us late last year: “We started running bug bounties for the following reasons: we were getting a large volume of threatening emails from ‘independent researchers’ claiming to find vulnerabilities and looking for crypto payment. It was distracting our team from working on other priorities. Now when we get one of those emails, we just invite them to join our bounty programme.”
He added: “Inviting people to try and break your service makes you more secure. By working through our bounty portal, the hackers, our DevSecOps team and our development teams can all identify and fix issues in an agile fashion.”