Six Hackers Break Bug Bounty Record, Earning Over US$1 Million Each on HackerOne


Bounty awards increased 65% on average as a quarter of all vulnerabilities reported are being classified as high to critical severity

HackerOne has announced that 6 individual hackers have earned over US$1 million dollars each from hacking. A bounty — or bug bounty — is a monetary award given to a hacker who finds and reports a valid security weakness to an organisation so it can be safely resolved. Thanks to these 6 hackers, 5,000 unique security flaws have been fixed, protecting millions of people.

In March 2019, HackerOne announced that Santiago Lopez, known as @try_to_hack, a 19-year-old hacker from Argentina, was the world’s first hacker to earn US$1 million with bug bounty programs. Now, Mark Litchfield (@mlitchfield) from the U.K., Nathaniel Wakelam (@nnwakelam) from Australia, Frans Rosen (@fransrosen) from Sweden, Ron Chan (@ngalog) from Hong Kong, and Tommy DeVoss (@dawgyg) from the U.S. joined the $1M hacker ranks by hacking for improved internet security.

“I am incredibly proud to see that my work is recognised and valued,” said 19 year old @try_to_hack, the world’s first hacker to earn US$1 million. “Not because of the money, but because this achievement represents the information of companies and people being more secure than they were before, and that is incredible.”

The news is underscored by findings published today in HackerOne’s 2019 Hacker-Powered Security Report which demonstrates the momentum observed in the industry. The report is based on 123,000+ unique resolved security vulnerabilities, 1,400+ customer programs and more than US$62 million in bounties earned by hackers from over 150 countries. Today, 6 of the 10 top banks in North America are working with HackerOne.

“Bug bounties have given me opportunities I never could have predicted going into it,” said @nnwakelam. “When I first started, the industry was in its infancy. Only a handful of companies invited hackers to find and share vulnerabilities. 6 years later – the space has changed dramatically. Bug bounties have given me the flexibility to work from anywhere in the world, forged connections with people within an industry that I respect, created a secondary income stream within my own life, and allowed me the opportunity to branch out and pursue other business ventures. I’m grateful to be one of the first people to make it to this milestone alongside my peers, and I urge anyone who is interested in pursuing this to recognise that the first step is starting – the opportunities are there if you want to take them.”

Every five minutes, a hacker reports a vulnerability. Every 60 seconds, a hacker partners with an organisation on HackerOne. That’s more than 1,000 interactions per day with hackers and companies or governments working towards a safer internet.

“I joined the wrong chat room when I was around 10 years old,” said hacker @dawgyg. “When I discovered bug bounty programs about 20 years later, I was finally able to use my curiosity for breaking things and standing up for what I believe in the name of defending organisations I believe in. Hitting that US$1 million milestone is a huge accomplishment and it feels amazing to know that the other five hackers and I have had such a huge impact. I hope our achievements will encourage other hackers to test their skills, become part of our supportive community and make the internet a much safer place.”

The opportunities for hackers to earn big has never been greater. The report also revealed hackers are finding more severe vulnerabilities than ever before. 25% of all resolved vulnerabilities were classified as high to critical severity in the past year alone. As a result, bounty payments are rising. The average bounty paid for critical vulnerabilities increased 48% over last year’s average across all industries to US$3,384; up from US$2,281. A 71% increase over the 2016 average of US$1,977. The most competitive programs today like Google, Microsoft, Apple and Intel offer individual bounty awards as high as US$1,500,000 for critical issues.

“Hacking can open doors to anyone with a laptop and curiosity about how to break things,” said @mlitchfield. “I hope our achievements will encourage other hackers, young and old, to test their skills, become part of our supportive community, rake in some extra $$$’s along the way and make the internet a much safer place for people.”

In total, hackers earned US$21 million in the past year, an increase of US$10 million over the year prior. Typically, hackers from the U.S., India, and Russia dominate earnings, collectively pulling in 36% of the total value of awarded bounties globally. However, the presence of Argentinian, Swedish, Australian and Hong Kong hackers in the top 6 earners demonstrates the global opportunities available. A top earning hacker on HackerOne can earn 40.6x the annual median wage in Argentina and, in Sweden, a hacker can earn 6.3x the annual median wage of the country.

“When I first started hacking, I did not expect to ever make it on the leaderboard,” said @ngalog. “I saw names like ‘Frans’ and ‘Mark’ shining on top of the leaderboard week after week, never thinking I’d be able to meet them or work with them, let alone compete with them, which is awesome. It was a great moment to hit that US$1 million milestone and be in such great company with the five others.”

The 6 millionaires came together with HackerOne and 100 fellow hackers in Las Vegas earlier this month for a live hacking event in Las Vegas — H1-702. Hackers earned US$1,902,668 for reporting over 1,000 security flaws in three days, evidence of rapid growth for professional hackers.