Asia's Source for Enterprise Network Knowledge

Monday, May 27th, 2019


Teenager becomes world's first US$1M bug bounty hacker on HackerOne


HackerOne, a hacker-powered security platform, announced that bug bounty hacker @try_to_hack is the first to surpass US$1 million in bounty awards for helping companies become more secure. A bug bounty is an award given to a hacker who reports a valid security weakness to an organization. Santiago Lopez started reporting security weaknesses to companies through bug bounty programs in 2015 on HackerOne. Lopez — who goes by the handle @try_to_hack — has reported over 1,600 security flaws to companies including Twitter and Verizon Media Company, as well as private corporate and government initiatives.

The latest Government Bug Bounty Programme (GBBP), part of the Singapore Government’s ongoing initiative to build a secure and resilient Smart Nation, has concluded successfully. During the three-week hacking challenge, more than 400 hackers globally were invited to look for security weaknesses in the Singapore Government’s digital assets. As a result, hackers earned US$11,750 in exchange for reporting 26 valid security weaknesses to GovTech so they could be safely fixed. Through its bug bounty programme, Singapore is improving the security of its internet-facing government systems with help from hackers.

The GBBP ran from 27 December 2018 to 16 January 2019 and welcomed 400 ethical hackers to test five internet-facing government systems. Of the 26 valid vulnerabilities reported through the GBBP on HackerOne, seven were considered low severity, 18 were medium severity, and one was high severity. One-quarter of all participating hackers and seven out of the top 10 hackers who earned bounties were from Singapore. Following these successful programs, GovTech and CSA plan to expand the next edition of the GBBP to include more Government internet-connected systems and websites.

“National security cannot exist without cybersecurity,” said Marten Mickos, CEO of HackerOne. “The Singapore Government has fully realized this. They are governmental pioneers in safeguarding vital internet-connected systems with the help of an army of over 300,000 ethical hackers. They realize that bug bounty programs allow us to bring the best minds together to counter the risks of today’s cyber environment.”

This is the Singapore government’s second successful bug bounty programme with industry leader HackerOne, following the first bug bounty programme by the Singapore Ministry of Defence (MINDEF). By bringing together a community of cyber defenders who share the common goal of developing a safe and resilient cyberspace, the GBBP builds collective ownership over the cybersecurity of Government systems and websites, which is vital to achieve Singapore’s Smart Nation goals.

“I do not have enough words to describe how happy I am to become the first hacker to reach this landmark,” said Lopez. “I am incredibly proud to see that my work is recognized and valued. To me, this achievement represents that companies and the people that trust them are becoming more secure than they were before, and that is incredible. This is what motivates me to continue to push myself and inspires me to get my hacking to the next level.”

Lopez is a top-ranked all-time hacker on HackerOne’s leaderboard out of more than three hundred and thirty thousand hackers competing for the top spot. Hackers are invited to find weaknesses in the more than 1,200 technology companies, governments and enterprises that rely on HackerOne’s hacker community to safely report security vulnerabilities before they can be exploited by criminals. His specialty is finding Insecure Direct Object Reference (IDOR) vulnerabilities.

Like many hackers, Lopez is self-taught. He was first inspired to get started after seeing the movie Hackers and learned to hack by watching free online tutorials and reading popular blogs. In 2015, at 16 years old, he signed up for HackerOne and earned his first bounty of US$50 months later. He chose his alias "try_to_hack" to keep himself motivated — he was determined to try to hack companies regardless of whether he knew he could succeed. He keeps the name today to remind him of how he started as a bug bounty hacker. Over the past three years of hacking after school and now full-time, he has earned nearly forty times the average software engineer salary in Buenos Aires on bug bounties alone.

“The entire HackerOne community stands in awe of Santiago's work,” said HackerOne CEO Marten Mickos. “Curious, self-taught and creative, Santiago is a role model for hundreds of thousands of aspiring hackers around the world. The hacker community is the most powerful defense we have against cyber crime. This is a fantastic milestone for Santiago but still much greater are the improvements in security that companies have achieved and keep achieving thanks to Santiago's relentless work.”

Lopez was not alone in the race towards this bug bounty landmark. Days after Lopez surpassed US$1 million in bounty awards, Mark Litchfield — also known by his handle @mlitchfield — joined the ranks of the million dollar bug bounty hacker club. In 2016, Litchfield made history as the first hacker to earn over US$500,000 in bug bounties. To date, Litchfield has helped organizations including New Relic, Dropbox, Venmo, Yelp, Rockstar Games, Shopify and Starbucks resolve more nearly 900 security weaknesses.

To get involved and start hacking, HackerOne is now offering Hacker101 — a free collection of videos, resources, and hands-on activities that will teach everything needed to operate as a bug bounty hunter. To join the world’s largest hacker community who, in 2018 alone, earned more than US$19M in bounty awards for their contributions, sign up for HackerOne here.

HackerOne was selected to manage the bug bounty programme because it has the largest credentialled global ethical hacker community, proven results with MINDEF and a proven track record of success with governments globally. GovTech and MINDEF join government agencies like the U.S. Department of Defense, U.S. General Services Administration, and the European Commission that partner with HackerOne to find their critical security vulnerabilities with help from the global hacker community.