Get ready for bug bounty whiplash: on one end of the spectrum, we’ve got the world’s first $1 million bug bounty hunter, according to HackerOne and on the other we’ve got a German teenager who caved and gave Apple a bug for free after refusing to do so in protest of the company’s invite-only/iOS-only bounties.
As far as the rich kid story goes, HackerOne announced on Friday that 19-year-old Santiago Lopez, a self-taught hacker from Argentina, has made history as the first hacker to make $1 million from bug bounties.
That would be cumulative, mind you, not a one-time über-bug. Lopez has racked up a long list of bug kills.
Lopez goes by the handle @try_to_hack on HackerOne, an online platform that companies use to receive and manage vulnerability reports. Lopez, who’s been hacking and scoring bug bounties since 2015, has reported over 1,670 valid unique vulnerabilities to companies such as Verizon Media Company, Twitter, WordPress, Automattic, and HackerOne, as well as to private programs.
$42 million paid out since HackerOne debuted
In its 2019 annual report, which it released on Friday, HackerOne said that it paid out $19 million in bounties in 2018: an amount that’s close to the total bounty payouts for all preceding years combined.
In total, by the end of 2018, hackers had earned more than $42 million for valid results over the six years since HackerOne launched, in 2012. Those payouts are coming from planet-wide hacking: While India and the US remain the top hacker locations, more than six African countries had first-time hacker participation in 2018.
They’re hacking their own educations
Lopez is typical of the majority on HackerOne in that he’s self-taught. HackerOne says that 81% of hackers on the platform get their training outside of the classroom, typically learning the craft through blogs and other self-directed educational materials such as Hacker101 – a free class for web security – and publicly disclosed reports.
Just 6% of hackers say that they’ve completed a formal class or certification on hacking.
The top five countries represented by hackers in HackerOne are India, the US, Russia, Pakistan, and the UK: those countries account for a bit more than 51% of all hackers in the HackerOne community.
North America’s deep pockets
As far as financial rewards go, the money mostly flows from North America: of the $42+ million awarded to hackers through 2018 on HackerOne, organizations in just eight countries were the primary source of more than half of the money, with US- and Canada-based organizations accounting for the lion’s share of bounties, followed by the UK, Germany, Russia, and Singapore.
That money’s flowing away from its past destinations
HackerOne says that hackers from India and the US pocketed 30% of the bug bounties last year. That’s a lot, but it’s on the decline as rewards flow to other countries: hackers from those two countries actually took home 43% of the bounties the year before.
Lopez, in Argentina, is actually typical of the burgeoning talent coming from outside the historically top regions, HackerOne said.
Out of all the world’s hackers, those from Argentina have got to have the strongest financial incentive: according to HackerOne’s 2019 report, the ratio of bug bounty earnings to the median annual wage is higher in Argentina than in any other country. In the US, for example, bug bounty earnings come to around 6.4x the median annual wage of a software engineer. In Argentina, that multiplier jumps to an enormous 46.6x.
The young eat bugs for lunch
Young: that’s the profile of the average hacker in the HackerOne community. Nine out of 10 hackers on the platform are under 35. Maybe that’s why they can stay awake long enough to find all these vulnerabilities: HackerOne reports that hackers are spending more hours hacking. More than 40% of the platform’s hackers are spending 20-plus hours per week searching for vulnerabilities.
Hackers need love, too
Yes, money tops the list of answers to “Why do you hack?” But it’s tied, at 14.3%, with the thirst for knowledge, as in, to learn tips and techniques.
When it comes to choosing which company to hack, the minimum bounty amount notably dropped from the top factor down to fourth place. What motivates hackers more is again that thirst for knowledge, with 59.5% saying that it was the challenge or the opportunity to learn that motivated them to participate in a particular company’s bug bounty program.
That was followed by 40.4% who said they liked the company against which they pitted their wits.
After that comes responsiveness, cited by 36.4% of hackers as the reason they hacked a company. That underscores what we already know: hackers want to be acknowledged, thanked, or even just listened to…
…which brings us to Linus Henze – he whom Apple didn’t reward when he found, and published, a proof-of-concept exploit he called KeySteal for what he said was a zero-day bug in macOS: once an attacker gets a malicious app running on the Mac, it can be used to drain passwords out of Apple’s Keychain password manager.
“I won’t release this.” … Blame Apple.
Henze initially said that he wouldn’t share details with Apple – and yes, the company asked – in protest of the company’s invite-only/iOS-only bounties.
But as of Thursday, Henze had thrown in the towel and decided to help Apple, and most particularly macOS users, in spite of the company’s bug program policies:
I’ve decided to submit my keychain exploit to @Apple, even though they did not react, as it is very critical and because the security of macOS users is important to me. I’ve sent them the full details including a patch. For free of course.— Linus Henze (@LinusHenze) February 28, 2019
It might have looked like he was doing it just for money, Henze said, but that’s not the case:
My motivation is to get Apple to create a bug bounty program. I think that this is the best for both Apple and Researchers.
Thanks for handing over the bug details, Linus, in spite of the lack of a bug bounty.
You’re right, it’s not just about money. It’s about recognition and responsiveness from the company in question. A bug bounty program is a good way to formalize that respect and responsiveness.
Why does Apple have an invitation-only bug bounty program for iOS, but none at all for macOS? It seems a baffling approach to bugs.