At 19, Santiago Lopez is already counting earnings totaling over USD 1 million from reporting security vulnerabilities through HackerOne, the vulnerability coordination and bug bounty program. He's the first to make this kind of money on the platform.

In 2015, when he was 16 years old, Lopez started to learn about hacking. He is self-taught, his hacker school being the internet, where he watched and read tutorials on how to bypass or defeat security protections.

Two years to get to $1M in bounties

The rewards came a year later when he got a $50 payout for a cross-site request forgery (CSRF) vulnerability. His largest bounty was $9,000, for a server-side request forgery (SSRF).

He spent his first bug bounty money on a new computer, and as he accumulated more in rewards, he moved to cars.

At the moment, he has a record of 1676 distinct vulnerabilities submitted for online assets belonging to big-name companies like Verizon, Automattic, Twitter, HackerOne, private companies, and even to the US government. Lopez ranks second on HackerOne.

A hacker's work week, tools and experience

In 2018, the researchers on HackerOne earned over $19 million in bounties; the amount is a big jump from the more than $24 million paid in the previous five years. However, the goal of the program is to reach $100 million by the end of 2020.

The recent report from the platform shows that there are over 300,000 registered hackers who submitted more than 100,000 valid vulnerabilities.

Most of the hackers (35.7%) spend up to 10 hours on average per week looking for bugs. A quarter of them work between 10 and 20 hours every week.

According to the survey, the researchers with plenty of experience in cybersecurity, over 21 years, represent the smallest percentage. The majority of the hackers, 72.3%, have between one and five years of experience.

Over 72% of the hackers surveyed by HackerOne for the report look into website security and 6.8% research APIs and technology that holds its own data. The favorite tool of the trade is Burp Suite for testing web apps.



Making money, learning the ropes, being challenged and having fun are the top reasons for the work of the researchers submitting bugs via HackerOne, while bragging rights fall in last place.

HackerOne's 2019 report also shows that cross-site scripting (XSS) is the preferred attack method, followed by SQL injection. The full report is available here.