HackerOne, the leading hacker-powered security platform, announced today that bug bounty hacker @try_to_hack is the first to surpass US$1 million in bounty awards for helping companies become more secure. A bug bounty is an award given to a hacker who reports a valid security weakness to an organization. Santiago Lopez started reporting security weaknesses to companies through bug bounty programs in 2015 on HackerOne. Lopez — who goes by the handle @try_to_hack — has reported over 1,600 security flaws to companies including Twitter and Verizon Media Company, as well as private corporate and government initiatives.
“I do not have enough words to describe how happy I am to become the first hacker to reach this landmark,” said Lopez. “I am incredibly proud to see that my work is recognized and valued. To me, this achievement represents that companies and the people that trust them are becoming more secure than they were before, and that is incredible. This is what motivates me to continue to push myself and inspires me to get my hacking to the next level.”
Lopez is a top ranked all time hacker on HackerOne’s leaderboard out of more than three hundred and thirty thousand hackers competing for the top spot. Hackers are invited to find weaknesses in the more than 1,200 technology companies, governments and enterprises that rely on HackerOne’s hacker community to safely report security vulnerabilities before they can be exploited by criminals. His specialty is finding Insecure Direct Object Reference (IDOR) vulnerabilities.
Like many hackers, Lopez is self-taught. He was first inspired to get started after seeing the movie Hackersand learned to hack by watching free online tutorials and reading popular blogs. In 2015, at 16-years-old, he signed up for HackerOne and earned his first bounty of US$50 months later. He chose his alias “try_to_hack” to keep himself motivated — he was determined to try to hack companies regardless of whether he knew he could succeed. He keeps the name today to remind him of how he started as a bug bounty hacker. Over the past three years of hacking after school and now full-time, he has earned nearly forty times the average software engineer salary in Buenos Aires on bug bounties alone.
“The entire HackerOne community stands in awe of Santiago’s work,” said HackerOne CEO Marten Mickos. “Curious, self-taught and creative, Santiago is a role model for hundreds of thousands of aspiring hackers around the world. The hacker community is the most powerful defense we have against cyber crime. This is a fantastic milestone for Santiago but still much greater are the improvements in security that companies have achieved and keep achieving thanks to Santiago’s relentless work.”
Lopez was not alone in the race towards this bug bounty landmark. Days after Lopez surpassed US$1 million in bounty awards, Mark Litchfield — also known by his handle @mlitchfield — joined the ranks of the million dollar bug bounty hacker club. In 2016, Litchfield made history as the first hacker to earn over US$500,000 in bug bounties. To date, Litchfield has helped organizations including New Relic, Dropbox, Venmo, Yelp, Rockstar Games, Shopify and Starbucks resolve more nearly 900 security weaknesses.