Santiago Lopez and Sam Curry are using their technical skills for good… and earning top payouts in the process

Last month, a teenage hacker made headlines around the world after it was revealed he had earned more than $1 million in bug bounty rewards.

Santiago Lopez’s achievement shined a light on a growing breed of hackers who are earning top payouts by using their technical skills for good.

Far from the ‘hoody in a bedroom’ stereotype we’ve all come to know and loathe, teen hackers are having something of a spotlight moment – all while juggling both hectic social lives and their education.

Many of the names on HackerOne’s leaderboard were barely in their teens when they learned how to hack.

Sam Curry, for example, who has been disclosing bugs on the platform for three years now, started by hacking video games when he was just 12 years old.

“When I was 12, I spent most of my afternoons playing online video games,” Curry told The Daily Swig.

“I joined a few online groups trying to be social, and accidentally found myself in one entirely dedicated to hacking/cheating.”

Others discovered their passion for web security through a different route.

“I was always into computing when I was younger, however it wasn’t until I watched the movie Hackers that I really discovered hacking,” Lopez told The Daily Swig.

“The movie opened up a whole new world to me and got me really interested in hacking.

“Then in 2015 I discovered the bug bounty platform HackerOne and I realized that I could use my hacking skills to help secure the internet and get paid for it.”


‘Just a normal teenager’

After teaching himself how to hunt for vulnerabilities alongside his schoolwork, Lopez recently became the first person to earn $1 million in bug bounty payouts through HackerOne.

He rewarded himself with cars, computers, and a beach house on a private estate.

“I generally spend about six or seven hours every day hacking, but that’s usually in the evenings,” he said.

Other than that, Lopez says he’s very much a normal teenager – albeit one with envious savings in the bank.

He told The Daily Swig: “I just do normal things that guys my age do – play football and video games and hang out with my friends. However, hacking is always in the back of my mind.

“Every day I wake up and think, what exciting thing am I going to discover today?”

Lopez, a self-taught hacker who honed his skill online, was awarded his first bug bounty – a modest $50 – aged 16 when he found a cross-site request forgery vulnerability.

He’d discovered his passion, and what was to become his future career – but first, he had to convince his family that this was the best path for him to take.

He explained: “The first time I told them, they could not believe it. They viewed a hacker as a bad person who robbed people. They did not think it was possible that a hacker could be good and make money legally.”

Lopez added: “After spending a great deal of time explaining this to my friends and family, they finally started to believe it and were super happy for my success.”


Shifting perceptions

Nebraska-based Sam Curry started hacking aged 12 after falling in with a community of video game hackers, later teaching himself how to hack computers.

The security researcher, now aged 18, said his family have warmed to the title ‘hacker’ over the years.

“They seem more supportive and understanding as time goes on,” he said. “I think they just see it as any other hobby or interest.”

He was awarded his first bug bounty payout of $500 aged 15 after discovering a cross-site scripting (XSS) flaw in Yahoo. Curry now works full-time while juggling his hobby as a bug hunter.

“It’s pretty hard,” Curry said. “I work full-time and really suck at routine. I’ll spend 30 hours every week in the course of two days doing bug bounty related things.”

According to the report, most HackerOne users (36%) spend an average of one to 10 hours hunting for bugs. Their favorite? XSS vulnerabilities, which 38% said was their go-to hack.

Both Lopez and Curry learned how to hack via the internet, using educational tools provided by bug bounty platforms, along with books such as Peter Yaworski’s Web Hacking 101.

This abundance of online tutorials has opened up the hacking sphere to more young people than ever, who don’t necessarily need an expensive education to start their web security journey.

“I think there is a growing interest in hacking as computers and the internet have become engrained in our lives,” said Lopez.

“I also think hacking is growing in popularity as it is something that can be self-taught, so you don’t need to go to university to learn the skills that are required.”


RELATED Bug Bounty Radar // March 2019