A teen in Argentina has become the first bug bounty hacker to become a millionaire. He was self-taught. Interestingly, however, the hacking was done with the aim of creating a safer internet. Legal hacking? What is it and how does it work?
Santiago Lopez from Argentina goes by the handle @try_to_hack. It all started with his reporting of security weaknesses to companies. So-called ‘bug bounty’ programmes through HackerOne have allowed him to report more than 1,600 security flaws to organisations. This is not just for local Argentinian companies. Lopez has aided the likes of Twitter, Verizon Media Company, numerous private organisations and even government bodies.
What is a ‘bug bounty’?
When I first came across this story, I had no idea that legal hacking was on a massive scale, let alone what a ‘bug bounty’ was. However, it is a reward which is given to a hacker who reports a valid security weakness to an organisation.
Given the increased threat of attacks and worry over GDPR and data generally, it is unsurprising that this is a popular way for organisations to test their cyber-security.
What sort of scale are we looking at?
I’m sure that you are like me and wondering how a self-taught hacker reaches millionaire status. My mind went to how many organisations he must have to hack. Also, who is employing him?
Over 1,200 organisations have partnered with HackerOne. Its clientele includes the US Department of Defence, Google, Twitter, Nintendo, Starbucks, Dropbox and Intel. Wow. Lopez has found more than 100,000 vulnerabilities and been awarded in excess of $45 million in bug bounties.
“To me, this achievement represents that companies and the people that trust them are becoming more secure than they were before, and that is incredible. This is what motivates me to continue to push myself and inspires me to get my hacking to the next level,” said Lopez.
Who are HackerOne?
Lopez is not the only hacker under HackerOne. In fact, he is one of 330,000 hackers. HackerOne is a private bug bounty platform that connects businesses to cyber-security researchers.
The main aim of hackers working through HackerOne is to report security vulnerabilities before they can be exploited by criminals.
“The entire HackerOne community stands in awe of Santiago’s work,” said HackerOne CEO Marten Mickos. “Curious, self-taught and creative, Santiago is a role model for hundreds of thousands of aspiring hackers around the world.”
According to the latest report, HackerOne’s earnings in 2018 reached $19 million, up from $9.3 million in 2017. There is clearly a demand. They also have a reach to brag about: there are contributors in more than 150 countries.
How do you learn how to hack?
Unsurprisingly, most hackers are self-taught. Access to this information is (more surprisingly) easy, with free online tutorials, blogs and pop-culture.
Lopez’s story is certainly an inspiring one. When he was 16, he joined HackerOne. For the past three years, Lopez hacked after school; he now hacks full-time, earning nearly 40 times the average software engineer salary in Argentina.
Still not sure where to look for legal hacking? HackerOne offers Hacker101 (a free collection of videos, resources and hands-on activities) to teach bug bounty hunters.
How many people know about this?
According to HackerOne, 64% of US citizens understand that not all hackers act maliciously. Interest in the community is also growing. I almost feel embarrassed I did not understand the scale of this before.
In terms of why people learn how to hack:
- 41% learn to contribute to their career
- 13.5% learn to have fun
- 14.26% learn for the money.
I still find it strange to use the word ‘hacking’ in a positive sense. What are your thoughts?
My perceptions about the potential benefits of these hackers have certainly changed. It seems that to increase security for individuals, organisations may have to embrace this ‘legal hacking’ community.
Would you agree with General Motors that “hackers have become an essential part of our security ecosystem”?
Additionally, would you ever be tempted to use HackerOne?
Please let me know your thoughts below!