While someone is stuck trying to debug a code, a self-made 19-year-old hacker has made over $1 million in his quest to find and report vulnerabilities in software and online services.
Santiago Lopez from Argentina, who operates under the moniker @try_to_hack, joined the bug bounty crowdfunding platform HackerOne in 2015. Since this year, Santiago has reported over 1,670 separate bugs which impact products offered by vendors including Verizon Media Company, Twitter, WordPress, and Automattic.
The self-taught hacker has shown what can be possible for white hat bug bounty hunters to achieve.
Lopez taught himself how to track down bugs, including some of the most well-paid vulnerabilities — such as Insecure Direct Object Reference (IDORS and Cross-Site Request Forgery (CSRF) security flaws — through Internet resources and YouTube videos.
Before he knew it, he was being paid for his work in both private and public bug bounty programs, starting with $50 for a CSRF security flaw and leading to Lopez’ largest payout of $9,000 for a Server Side Request Forgery (SSRF) vulnerability in a private program.
Lopez is now one of the top hackers in the HackerOne leaderboards in the 91st percentile for signal and 84th percentile for impact.
“I am incredibly proud to see that my work is recognized and valued,” the hacker says. “Not just for the money, but because this achievement represents the information of companies and people being more secure than they were before, and that is incredible.”
Lopez may have made his millions, but this does not mean the hacker plans to throw in the towel anytime soon.
“I’m sure that anyone who discovers bug bounty programs will soon too realize that it opens up new opportunities for both hackers and companies who are committed to security,” the hacker added.