Last month, 19-year-old Santiago Lopez became the first person to earn $1m US as an “ethical” hacker. Santiago is the most successful professional hacker in the world. In his 4-year-long career, he’s exploited 1,748 vulnerabilities — and last year, his skills earned him more than forty times Argentina’s annual median salary.
Hackers used to live in the shadows and keep their digital exploits to themselves. But today’s elite young hackers are high-profile public figures. They travel internationally to participate in hackathons and give keynote speeches at cybersecurity conferences. Where hackers were once pursued by authorities, these kids are pursued by elite universities and get lucrative job offers.
Hackers exist on an ethical spectrum. On one end, “black hat” hackers find vulnerabilities to rob unsuspecting victims; on the other, “white hat” hackers find vulnerabilities to keep clients secure. “Gray hat” hackers do a little bit of both, finding vulnerabilities without being asked and then seeking payment.
For most of hacking’s history, white hat hacking opportunities were few and hard to find. But in 2010, Google launched a public bug bounty program. The next year, Facebook rolled out a similar program, offering white hat hackers a minimum of $500 and eliminating the limit on the amount they could earn. The world’s biggest companies started offering hackers a legal way to make big money. Opportunity really took off when third-party companies started launching bug bounty platforms, which cataloged all of the internet’s high-paying hacks in organized directories. All of a sudden, Fortune 500 CEOs and national defense officials all wanted kids to start white hat hacking.
The world’s most valuable digital directory for white hat hackers is held by a company called HackerOne. Their bug bounty program is the largest hacker brokerage on the internet: It gives hackers a directory of companies they’re allowed to exploit, and it gives companies access to ethical hackers who will continuously secure their businesses. Today, 300k hackers from 150 countries use HackerOne’s platform to earn money as white hat hackers.
Last year, hackers earned $19m on HackerOne. Santiago is just one member of a new generation of young professional hackers:
- Jack Cable, 18, hacked into (and subsequently interned at) the Pentagon, started 2 companies, and earned enough hacker-cash to pay tuition at Stanford.
- Paul Vann, 17, runs a cybersecurity consultancy called VannTech Cyber and tracks down Ukrainian cybercriminals in his spare time. He plans to attend MIT.
- CyFi, 18, founded a non-profit called r00tz asylum to educate other young hackers. She goes by a pseudonym to protect her privacy.
Bug bounty platforms offer high-achieving kids opportunities to make money, pad their resumes, and gain valuable job experience.
Hackers start young. Kristoffer Von Hassel, an 11-year-old, is considered the youngest professional hacker in the world. At 5, Von Hassel “hacked into the XBox One,” because he was “desperate to get into games [he] wasn’t allowed to play.” He told Microsoft about the bug.
The white hat hacker revolution extends far beyond bug bounty platforms: A whole secondary economy has emerged to cater to these budding ethical hackers. Across the country, new companies train, evaluate, and hire talented young hackers. Hack Club offers a nationwide network of after-school programs meant to get kids interested in hacking. The Department of Defense sponsors hacking competitions to get kids interested in national defense. A student hackathon league called Major League Hacking (MLH) helps students prepare for jobs that involve hacking.
Today, the world Santiago lives in is one where 5-year-olds hack Microsoft, hackers like CyFi launch non-profits, and white hat teens rake in serious cash. But while the business of hacking has grown up, the hackers themselves still live and die by the hacker code: Everything is made to be broken and rebuilt. The hackers will become the hacked.
Did you hear about the hacker who lives upstairs instead of in his mom’s basement? That dude is on a different level.