19-year-old Argentinian @try_to_hack just made history as the first to earn over $1,000,000 in bounty awards on HackerOne. Since joining HackerOne in 2015, Santiago has reported over 1,670 valid unique vulnerabilities to companies such as Verizon Media Company, Twitter, WordPress, Automattic, and HackerOne, as well as private programs. He consistently tops the HackerOne leaderboards, with the 91st percentile for signal, 84th percentile for impact, 2nd overall on the platform, and over 37,000 reputation!
As a self-taught hacker, primarily using blogs and YouTube to expand his skills, Santiago shows us all that learning to hack is not reserved for the traditional classroom.
We’re thrilled for Santiago and grateful for the more than 1,670 vulnerabilities he reported that are now resolved. We connected with him to learn more about how he reached this impressive milestone. We hope you are just as inspired as we are!
Q: How does it feel to be the first million-dollar bug bounty hacker?
SL: I do not have enough words to describe how happy I am to become the first hacker to reach this landmark. I am incredibly proud to see that my work is recognized and valued. Not just for the money, but because this achievement represents the information of companies and people being more secure than they were before, and that is incredible.
Q: What made you want to be a hacker?
SL: I’ve always liked computers and programming ever since I was a little kid, but I never knew anything about hacking. I didn’t even know it existed until I saw the movie “Hackers”, which opened up a whole new world for me. As I learned more, I realized that I was naturally drawn to the types of challenges and problem-solving opportunities associated with hacking.
The best was when I discovered the existence of bug bounty programs such as HackerOne. It allowed me to do what I like to do, earn money when I wanted to, where I wanted to, and at the same time make the world a bit safer. It was incredible!
Q: How did you learn to hack and when did you start?
SL: In 2015, when I was 16.
I am completely self-taught. I learned to hack thanks to the Internet. I watched online tutorials and also read a lot about hacking. This is how I became the hacker that I am today. It took me a long time to find my first vulnerability, but with patience and effort, it can definitely be achieved.
Q: How did you find bug bounty programs?
SL: On the Internet and HackerOne.
Q: What types of bugs and programs are you most interested in?
SL: I’m mostly interested in programs that pay. I care less about whether they are private or public, and care more about the scope of the bug bounty program.
What interests me the most when looking for bugs is finding as many bugs as I can in a short period of time and trying to earn good bounty rewards for them. I know they say quality before quantity, but quantity is what I like.
Q: When did you earn your first bounty and for what type of bug?
SL: My first bounty payout was $50 for a CSRF that I found back in 2016 when I was 17. At the time I was not very interested in the size of the bounty. I was just so happy and excited to earn my first reward on my own.
Q: What was the largest bounty you’ve earned and what was it for?
SL: $9K for an SSRF in a private program.
Q: What was the first thing you bought with your bug bounty money?
SL: A new computer. My computer was old and I knew that a faster computer would help me make my hacking much faster and more efficient.
Q: When do you like to hack mostly, what time of day?
SL: A bit in the afternoon and evening, but preferably at night. I see hacking as a normal job, so I tend to hack between 6 and 7 hours per day.
Q: What is your favorite type of vulnerability to find and why?
SL: IDORs [Insecure Direct Object References]. It is a vulnerability that is very easy for me to find, and larger bug bounty programs often pay well for them.
Q: Your user name is “try_to_hack”. How did you come up with that name? As the first million-dollar hacker, maybe now you can be “I hack” :)
SL: In the beginning, my goal was to try to hack companies but I wasn’t so sure I would succeed. That's why "try_to_hack" seemed like a very good name at that moment. However, I still like it and I will not change it because it reminds me of how I first started.
Q: What is the hacker community like in Argentina? Are your friends hackers too? Do you hack with other people?
SL: Unfortunately, I have not had the chance to meet other hackers in Argentina but I'm sure there are many. None of my friends are hackers.
I like to hack on my own. I'm interested in socializing with other hackers to exchange knowledge but finding bugs on my own is quite exciting.
Q: Do you plan to keep hacking with bug bounty programs?
SL: I'm sure I'll continue hacking with bug bounty programs. It is one of the most interesting things I have discovered in my life. I’m sure that anyone who discovers bug bounty programs will soon realize, too, that it opens up new opportunities for both hackers and companies who are committed to security.
Q: Do your friends and family know you are a hacker? How do people react when you tell them you are a hacker, and one of the best in the world at that?
SL: Yes, my friends and family know that I am a hacker. The first time I told them, they could not believe it. They viewed the hacker as a bad person who robbed people. They did not think it was possible that a hacker could be good and make money legally.
After spending a great deal of time explaining this to my friends and family, they finally started to believe it and were super happy for my success.
Q: Anything else you want to add?
SL: I want to thank HackerOne for celebrating my achievement; I really appreciate it. I hope more bounties will come. HackerOne is the best bug bounty platform without a doubt, and any hacker/company should use it, and I’m sure there won't be any regrets :)
To learn more about the hacker community, check out HackerOne's 2019 Hacker Report, which celebrates the achievements of the world’s largest hacker community. Download your copy today.