Six Hackers Break Bug Bounty Record, Earning Over $1 Million Each on HackerOne

Bounty awards increased 65% on average as a quarter of all vulnerabilities reported are being classified as high to critical severity

SAN FRANCISCO--()--HackerOne, the number one hacker-powered pentesting and bug bounty platform, today announced that six individual hackers have earned over one million dollars each from hacking. A bounty — or bug bounty — is a monetary award given to a hacker who finds and reports a valid security weakness to an organization so it can be safely resolved. Thanks to these six hackers five thousand unique security flaws have been fixed, protecting millions of people.

In March 2019, HackerOne announced that Santiago Lopez, known as @try_to_hack, a 19-year-old hacker from Argentina, was the world's first hacker to earn $1 million with bug bounty programs. Now, Mark Litchfield (@mlitchfield) from the U.K., Nathaniel Wakelam (@nnwakelam) from Australia, Frans Rosen (@fransrosen) from Sweden, Ron Chan (@ngalog) from Hong Kong, and Tommy DeVoss (@dawgyg) from the U.S. joined the $1M hacker ranks by hacking for improved internet security.

“I am incredibly proud to see that my work is recognized and valued,” said 19 year old @try_to_hack, the world’s first hacker to earn $1M. “Not because of the money, but because this achievement represents the information of companies and people being more secure than they were before, and that is incredible.”

The news is underscored by findings published today in HackerOne’s 2019 Hacker-Powered Security Report which demonstrates the momentum observed in the industry. The report is based on 123,000+ unique resolved security vulnerabilities, 1,400+ customer programs and more than $62 million in bounties earned by hackers from over 150 countries. Today, six of the ten top banks in North America are working with HackerOne.

“Bug bounties have given me opportunities I never could have predicted going into it,” said @nnwakelam. “When I first started, the industry was in its infancy. Only a handful of companies invited hackers to find and share vulnerabilities. Six years later - the space has changed dramatically. Bug bounties have given me the flexibility to work from anywhere in the world, forged connections with people within an industry that I respect, created a secondary income stream within my own life, and allowed me the opportunity to branch out and pursue other business ventures. I'm grateful to be one of the first people to make it to this milestone alongside my peers, and I urge anyone who is interested in pursuing this to recognize that the first step is starting - the opportunities are there if you want to take them."

Every five minutes, a hacker reports a vulnerability. Every 60 seconds, a hacker partners with an organization on HackerOne. That’s more than 1,000 interactions per day with hackers and companies or governments working towards a safer internet.

"I joined the wrong chat room when I was around 10 years old," said hacker @dawgyg. "When I discovered bug bounty programs about 20 years later, I was finally able to use my curiosity for breaking things and standing up for what I believe in the name of defending organizations I believe in. Hitting that $1 million dollar milestone is a huge accomplishment and it feels amazing to know that the other five hackers and I have had such a huge impact. I hope our achievements will encourage other hackers to test their skills, become part of our supportive community and make the internet a much safer place.”

The opportunities for hackers to earn big has never been greater. The report also revealed hackers are finding more severe vulnerabilities than ever before. Twenty-five percent of all resolved vulnerabilities were classified as high to critical severity in the past year alone. As a result, bounty payments are rising. The average bounty paid for critical vulnerabilities increased 48% over last year’s average across all industries to $3,384; up from $2,281. A 71% increase over the 2016 average of $1,977. The most competitive programs today like Google, Microsoft, Apple and Intel offer individual bounty awards as high as $1,500,000 for critical issues.

"Hacking can open doors to anyone with a laptop and curiosity about how to break things,” said @mlitchfield. “I hope our achievements will encourage other hackers, young and old, to test their skills, become part of our supportive community, rake in some extra $$$'s along the way and make the internet a much safer place for people.”

In total, hackers earned $21 million in the past year, an increase of $10 million over the year prior. Typically, hackers from the U.S., India, and Russia dominate earnings, collectively pulling in 36% of the total value of awarded bounties globally. However, the presence of Argentinian, Swedish, Australian and Hong Kong hackers in the top six earners demonstrates the global opportunities available. A top earning hacker on HackerOne can earn 40.6x the annual median wage in Argentina and, in Sweden, a hacker can earn 6.3x the annual median wage of the country.

“When I first started hacking, I did not expect to ever make it on the leaderboard,” said @ngalog. “I saw names like ‘Frans’ and ‘Mark’ shining on top of the leaderboard week after week, never thinking I’d be able to meet them or work with them, let alone compete with them, which is awesome. It was a great moment to hit that $1 million dollar milestone and be in such great company with the five others."

The six millionaires came together with HackerOne and 100 fellow hackers in Las Vegas earlier this month for a live hacking event in Las Vegas — H1-702. Hackers earned $1,902,668 for reporting over 1,000 security flaws in three days, evidence of rapid growth for professional hackers.

The most authoritative report on the hacker-powered security ecosystem.

Data included throughout is from The 2019 Hacker-Powered Security Report released today by HackerOne.

The full report is available at

About HackerOne

HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be exploited. More Fortune 500 and Forbes Global 1000 companies trust HackerOne than any other hacker-powered security alternative. The U.S. Department of Defense, General Motors, Google, Twitter, GitHub, Nintendo, Lufthansa, Microsoft, MINDEF Singapore, Panasonic Avionics, Qualcomm, Starbucks, Dropbox, Intel, the CERT Coordination Center and over 1,500 other organizations have partnered with HackerOne to find over 130,000 vulnerabilities and award over $64M in bug bounties. HackerOne is headquartered in San Francisco with offices in London, New York, the Netherlands, France and Singapore.


Samantha Spielman


Samantha Spielman