Millionaire milestones unveiled as HackerOne releases 2019 Hacker-Powered Security Report

Six hackers have now earned more than $1m in bug bounty payouts

Six hackers have officially crossed the $1 million bug bounty earnings threshold, HackerOne confirmed today.

Back in March, the San Francisco-based vulnerability disclosure platform announced that Santiago Lopez, a 19-year-old security researcher from Argentina, had become the world’s first hacker to earn $1 million through bug bounties.

Now, the UK’s Mark Litchfield, Nathaniel Wakelam from Australia, Frans Rosen from Sweden, Ron Chan from Hong Kong, and Tommy DeVoss from the US have joined the $1 million hacker ranks.

“Bug bounties have given me opportunities I never could have predicted going into it,” Wakelam said. “When I first started, the industry was in its infancy. Only a handful of companies invited hackers to find and share vulnerabilities.

“Six years later, the space has changed dramatically. Bug bounties have given me the flexibility to work from anywhere in the world, forged connections with people within an industry that I respect… and allowed me the opportunity to branch out and pursue other business ventures.”


Tommy DeVoss, who goes by the online handle @Dawgyg, said: “I joined the wrong chat room when I was around 10 years old.

“When I discovered bug bounty programs about 20 years later, I was finally able to use my curiosity for breaking things and standing up for what I believe in the name of defending organizations I believe in.

“Hitting that $1 million milestone is a huge accomplishment and it feels amazing to know that the other five hackers and I have had such a huge impact.”

The six bug bounty millionaires came together with HackerOne and 100 fellow hackers in Las Vegas earlier this month for the H1-702 live hacking event.

Over the three days of hacking, more than 100 security researchers earned $1.9 million for finding over 1,000 security flaws.

HackerOne hackers in Las Vegas

Hacker-powered security

The news that six hackers have now surpassed $1 million in bounty payouts comes as HackerOne releases its 2019 Hacker-Powered Security Report, a benchmark study of the bug bounty and vulnerability disclosure marketplace.

Built through the analysis of 120,000 security vulnerabilities that researchers disclosed to more than 1,400 organizations through HackerOne, the report explores how, where and why hackers and organizations are working together, as well as the influx of hacker-powered security programs by industry, location, engagement type, and real-world impact.

Among the key findings of the 2019 Hacker-Powered Security Report was that the average bounty paid for critical vulnerabilities totaled $3,384, up 48% on last year’s average of $2,280.

According to HackerOne, government and federal bug bounty programs had the strongest year-over-year industry growth, at 214%, followed by automotive (113%), telecommunications (91%), consumer goods (64%), and blockchain-based platforms (64%).

“2019 was a big year for hacker-powered security,” HackerOne said in a statement. “Every five minutes, a hacker reports a vulnerability. Every 60 seconds, a hacker partners with an organization on HackerOne.”

“Globally, the number of hacker-powered security programs has increased by over 30%. Latin America has seen the most growth in the past year, with 41% more programs compared to the previous year.”
