The Argentinian hacker reveals his methods behind the money-making

Santiago Lopez on his route to becoming the world's first bug bounty millionaire

Huge payouts for critical security flaws often steal the headlines, but the world’s first bug bounty millionaire captured the media’s attention via a less obvious route.

Santiago Lopez, who was only 19 when he reached the milestone in February 2019, attributes his success to a prodigious work ethic and balancing a reward’s size against the time it takes to earn it.

Lopez now sits second on HackerOne’s all-time leaderboard, despite his highest bounty to date being dwarfed by the enormous rewards on offer through programs operated by the likes of Facebook, Sony PlayStation, and Apple.

Buenos Aires-based Lopez, who earned his first bug bounty aged 16 and has since scored successes with Twitter, Uber, and Airbnb, tells The Daily Swig the secrets behind his ability to outperform the bulk of bug hunters across the globe.


How did it feel to become the first bug bounty millionaire at such a young age?

I am still so grateful to have become the first hacker to reach this landmark and it is honouring to see my work be recognised and valued.

I’m most proud though that companies and the people that trust them are more secure than they were before as a result of my work. This motivates me to continue to push myself to take my hacking to the next level.


In what ways has your new-found wealth changed your life?

In many ways. What I appreciate the most is the pleasure of being able to help my family as they deserve it.

Being able to find a wealthy life makes me very grateful for what I have, especially in the country where I come from where young people [rarely] have the [kind of] opportunity that I [have had].


RECOMMENDED ‘I thought it was a complete fluke’ – Katie Paxton-Fear on her bug bounty baptism and why AI will never fully replace security researchers


What was the biggest bounty you’ve ever earned and for what bug?

The biggest bounty I have ever earned was $9k for an SSRF [Server-side Request Forgery flaw] in a private program.

What interests me the most when looking for bugs is finding as many bugs as I can in a short period of time and getting paid well for them. Some people say, “quality before quantity” – but quantity is what I like!


What are the main reasons for your success, do you think? What makes you see bugs that others don’t? Is it your methods, do you put in more hours? Or is it simply an innate talent for hacking?

I generally spend between six and seven hours each day hacking, which is more than most ethical hackers.

When looking for bugs I always look for less severe ones – I’m not a fan of critical bugs. My target is to find the [highest] value bugs I can in the least amount of time. I consider it high value if the program is rewarding between $500-$2k for each.


Santiago Lopez and fellow security bug bounty huntersLopez and his fellow HackerOne bug hunters 


In a previous interview, you stated that your specialty is finding Insecure Direct Object Reference (IDOR) vulnerabilities. Why is this such an area of interest?

I like these vulnerabilities as they are easy to find, and most big programs pay very well for them. My focus is maximizing profits for my time and searching for these is the best way to do that for me.


Read more of the latest bug bounty news


Are there any other types of bugs that you’re particularly interested in/good at, and why?

Besides having a taste for IDORs, other vulnerabilities that appeal to me are XSS (Cross-Site Scripting), permission model issues, or SSRF. I like these attacks because they are very easy to find and most companies pay a lot for them.


What are the most interesting and/or impactful bugs you have discovered?

I’ve had the opportunity to find a lot of interesting IDORs in my career.

The most interesting ones allowed me to delete any user created by the affected company. Other ones allowed me to edit critical settings of the company without authorization.


What kind of programs do you typically target, and how do you decide? Is it based on the type of technology, for instance, or the reputation of the program?

HackerOne is perfect for finding good, rewarding programs and is very easy to use.

Of course, the programs that interest me are the ones that pay. I don’t pay attention to whether they are private or not or to the reputation; I care that they allow me to explore and research new things by having a wide variety of scope.


RELATED Coronavirus pandemic supercharges security bug bounty market


Have you encountered any problems with responsible disclosure? If so, what happened?

The truth is that I never had a problem with responsible disclosure.

Likewise, I know some had problems because they published information about bugs that they shouldn't. It is a fairly common situation in the community, but we all do our best to be as professional as possible.


Do you plan to continue focusing on bug hunting over the next few years?

I am currently a full-time bug bounty hunter. However, I would like to study at some point in the future.

I’m interested in a career in informatics and would love to own my own company. I’ll still always want to keep hacking as a hobby though!


YOU MAY LIKE Bug bounty leader Clément Domingo on cybersecurity in Africa, hacking events, and chaining vulnerabilities for maximum impact