A teenager has become the first person to make $1m from bug bounties, programmes that reward ethical hackers for finding security exploits and vulnerabilities in an organisation’s network.

Santiago Lopez, a 19-year-old from Argentina, has reported more than 1,600 security flaws to organisations including Twitter and Verizon Media, as well as private companies and government initiatives.

He has risen to the number one spot on HackerOne, a hacker-powered security platform on which over 1,200 organisations invite the hacker community to report security vulnerabilities in exchange for cash.

Lopez first joined the platform – which boasts more than 330,00 ethical hackers – in 2015 and goes by the handle @try_to_hack. He specialises in finding Insecure Direct Object Reference (IDOR) vulnerabilities, which criminal hackers can use to bypass authorisation and access resources such as databases directly.

“I do not have enough words to describe how happy I am to become the first hacker to reach this landmark,” said Lopez, who taught himself how to hack via online tutorials and blogs after being inspired by the film Hackers.

“I am incredibly proud to see that my work is recognised and valued. To me, this achievement represents that companies and the people that trust them are becoming more secure than they were before, and that is incredible. This is what motivates me to continue to push myself and inspires me to get my hacking to the next level.”

Days after Lopez reached the $1m landmark, fellow hacker Mark Litchfield joined the million dollar bug bounty club. He has helped organisations such as Starbucks, Dropbox and Rockstar Games.

Bug bounties: A lucrative earner

Although bug bounties have been around for decades, they are becoming an increasingly lucrative means for hackers to apply their talents for good. Those making a living from it earn on average 2.7 times more than the median average salary of a software engineer.

The average bug bounty payout is $2,041, according to the latest figures from HackerOne. In January 2018, Google awarded its largest ever bounty of $112,000 to a Chinese researcher.

“The entire HackerOne community stands in awe of Santiago’s work,” said HackerOne CEO Marten Mickos.

“Curious, self-taught and creative, Santiago is a role model for hundreds of thousands of aspiring hackers around the world. The hacker community is the most powerful defence we have against cybercrime.

“This is a fantastic milestone for Santiago but still much greater are the improvements in security that companies have achieved and keep achieving thanks to Santiago’s relentless work.”

