Nearly 40 hackers representing 12 countries were in Amsterdam on May 26, 2018 with one focus: hacking Dropbox!
Dropbox runs a top public bug bounty program on HackerOne. The most Dropbox had ever paid in one day was $38,871, in the fall of 2017. The average bounty for its public program is $512. In just one day at H1-3120, however, Dropbox received more than 90 reports and paid out $80,383 with an average bounty of $1,318, over two times on their largest bounty day ever and almost three times their average bounty. Geweldig (awesome)!
Hackers, Dropbox and HackerOne employees socialize during an open-air boat ride through Amsterdam
The festivities began at the kick-off mixer Friday evening, an open-air boat ride through the historic canals of Amsterdam. HackerOne volunteers, Dropbox team members, and hackers mingled, laughed, and enjoyed the fresh air over casual cocktails and classic Dutch snacks. Favorite hacking stories were swapped as the anticipation for Saturday grew.
Hacking kicks off at WeWork Weteringschans on May 26, 2018
Dropbox is widely known for being one of the most secure file-sharing companies in the world, and readily pays out some of the highest bounties on HackerOne; a testament to their security maturity. To say Dropbox takes security seriously is an understatement. Every vulnerability is treated with the utmost respect and attention, no matter how small. And the hackers at h1-3120 discovered this quickly.
The security team at Dropbox made this event even more unique by including some of the company’s vendor’s assets in scope, which has never been done at a HackerOne live-hacking event before. Within one hour of live hacking, an RCE was reported for one of the vendor’s assets. The vendor was immediately notified and grateful for the efficiency and professionalism of the hacker community.
Later in the afternoon, an XSS report was submitted by fransrosen. At first glance, the report looked like a medium severity vulnerability. But thanks to the meticulous Dropbox team, they discovered a greater impact and awarded a $10,000 bounty, sending cheers throughout the room.
Hackers collaborate and share findings at H1-3120
Dropbox released a bonus structure at the beginning of the day, offering rewards for hackers that reach special milestones, including the most creative bug (“Thinking outside of the Dropbox”), best proof of concept ("Try Hard"), and for the largest bounty on a single report (“Catch of the day”).
After the last reports were triaged and bounties paid, awards were handed out to the top hackers of the day:
- The Exalted (most reputation earned) went to mrtuxracer, a German hacker who was attending just his second live hacking event. He was the hacker who found the RCE on Dropbox’s vendor.
- The Assassin (highest signal) went to mrtuxracer as well.
- The Exterminator (best bug) went to fransrosen for his XSS report.
- The Most Valuable Hacker (MVH) went to mrtuxracer!
MVH winner mrtuxracer poses with his H1-3120 championship belt
This is the second year HackerOne has hosted a live-hacking event in Amsterdam, just two hours away from our office in Groningen. It would not be possible without the incredible hackers that traveled from Australia, Belgium, Canada, Denmark, Germany, India, Ireland, The Netherlands, Portugal, Sweden, the United Kingdom and the United States to help secure one of our amazing customers, Dropbox.
A big “thank you” to the Dropbox security team for their unwavering commitment to the hacker community, engaging vendors to take part in such a high-energy event, and continuing to raise the bar when it comes to security. Finally, thank you to all the volunteers, staff, vendors and others that gave up their Saturdays to be part of something great. Looking forward to the next one!
Participating hackers, Dropbox and HackerOne team members pose at the end of H1-3120