One white-hat hacker from Argentina has become the first known bug bounty millionaire.
Santiago Lopez (who has the apt Twitter handle @try_to_hack) began hacking in 2015. Inspired by the movie “Hackers” (seriously), Lopez taught himself how to hack by watching online tutorials. Since, he’s reported over 1,600 security flaws to all kinds of companies and government agencies.
Lopez made his fortune via HackerOne, a sort of freelance website for hackers. Anyone can work as a hacker via the site, and companies leverage it to expose weaknesses. (For instance, a company working on a self-driving car may think its firmware is secure, but nonetheless offer a bounty to check for remote-access vulnerabilities.)
HackerOne CEO Marten Mickos says: “The entire HackerOne community stands in awe of Santiago’s work. Curious, self-taught and creative, Santiago is a role model for hundreds of thousands of aspiring hackers around the world. The hacker community is the most powerful defense we have against cybercrime. This is a fantastic milestone for Santiago, but much greater are the improvements in security that companies have achieved and keep achieving thanks to Santiago’s relentless work.”
So how did Lopez get so wealthy? It may have been by tackling flaws many other hackers overlook. The million-dollar threshold was crossed with roughly 1,600 filings, with an average payout of about $625. While it’s unclear what companies paid out in terms of bounties, this average dollar amount falls in the low end of the spectrum for GitHub’s bug bounty program; it’s actually about the least you can make via GitHub’s hacker program.
In a study of its hacker userbase last year, HackerOne found the collective had submitted over 78,000 vulnerability reports to about 1,000 companies. At the time, it said: “Organizations remain vastly underprepared for effective discovery, communication, remediation, and disclosure of vulnerabilities, as 93 percent of the Forbes Global 2000 list do not have a policy to receive, respond, and resolve critical bug reports submitted by the outside world.”
Case in point: Spectre and Meltdown. These two PC-crippling vulnerabilities were unique to Intel hardware, which caused the chip-maker to expand its own bug bounty program; before those two vulnerabilities were exposed, Intel’s program was invite-only. After these incidents, Intel made sure any hacker could stress-test and report directly to the company.
Other firms, such as Uber, use bug bounty programs with large payouts to attract talent. In 2016, it said any hacker who discovered a flaw with how Uber handled personal data or could remotely execute code on a production server would earn a $10,000 flat fee.
Then there’s Apple, which has no bug bounty program for macOS. Recently, a hacker named Linus Henze discovered a vulnerability that could expose personal information and passwords via a Keychain exploit. He flagged it to Apple, which asked for him to send along the details of his discovery. When he asked to be compensated for his work, Apple fell silent. Henze eventually caved about the payout, but that was a stress-test for macOS that Apple is lucky to have escaped unscathed.