The past week capped off a record year of bug bounties for Oath, the media giant which boasts a slew of dynamic brands including Yahoo, AOL, Verizon Digital Media Services, and TechCrunch. In 2018, Oath has received over 1,900 valid vulnerabilities through its private bug bounty program, over 300 of which were high or critical severity. Big numbers mean big rewards — Oath has paid $5 million in bounties in 2018. That’s nearly five times the bounties paid in 2017 and nearly 10 times the bounties paid by Oath brands in 2016.
Oath invests big in their top hackers, and in addition to highly competitive payouts, they have hosted four live hacking events in cities all over the world — Goa, San Francisco, Argentina, and a 2018 finale live hacking event in New York City in late November.
“Strengthening relationships with hackers that have reported vulnerabilities to Oath brands for years and getting new hackers excited about Oath has been core to our mission for the bug bounty program on HackerOne this year,” said Oath CISO Chris Nims. “Live hacking events have allowed us opportunities to interact with hackers personally, learn their stories, understand what drives them, and ultimately continue building the strongest bug bounty program possible.”
Hackers @fisher, @0xacb, @corb3nik, @cache-money
h1-212 in New York City
The second annual h1-212 kicked off on November 27 and spanned three days. Day 1 started with hacking on some core Yahoo targets. At the end of day 1, brand new scope was announced, which set the focus for the participants for the remainder of the event. Day 2 consisted of dedicated recon time for the hackers and a community day for NYC-based engineers and cybersecurity enthusiasts. The event concluded on day 3 with another full day of hacking targeting the fresh new scope provided on day 1. Over the course of the three days, 32 of the world’s top hackers representing 10 countries surfaced 159 vulnerabilities, earning $404,764 for their efforts.
Recruiting the next generation of cybersecurity talent
On November 28, HackerOne and Oath teamed up for a cybersecurity workshop and an introduction to the awesome opportunities in the industry, including opportunities with the Paranoids at Oath.
The day kicked off with a hacker panel. The panel included @mlitchfield, HackerOne Community Manager Tiffany Long and @teknogeek. The panel focused on the hacking community and how to begin a security career. After the panel, the attendees were then encouraged to participate in a Capture the Flag (CTF) workshop, hosted by Hacker101 creator Cody Brocious. For many attendees, it was their first time participating in a CTF. Attendees were encouraged to continue their CTF hunts by using Hacker101. The platform recently announced that finding flags in the CTF will now allow you to directly earn invitations to private bug bounty programs on HackerOne.
While the hands-on workshop ran, attendees were also able to schedule a one-on-one with the Paranoids. This was a unique opportunity to ask questions directly to Oath and learn how to start or continue a stellar career in cybersecurity.
“We want to support the community on all fronts,” said Oath Technical Security Engineer Chris Holt at the event. “We want to encourage passionate people to grow in the cybersecurity field. We have open positions with our Paranoids team and this workshop was a chance for us to engage directly with folks who are looking for those opportunities.”
Fostering collaboration and partnership with hacking teams
New at h1-212 this year: teams! Leading up to h1-212, hackers created teams of 4 to work together on producing the most impactful results possible. And the results showed: the teams' collaboration yielded a great percentage of high and critical vulnerabilities. The top performing teams of h1-212 were:
- United States of Sweden: @avlidienbrunn, @fransrosen, @dawgyg, @meals
- Bountyplz: @hogarth45, @smsecurity, @swapnil_rpma4, @ramsexy
- Yql-injection: @cdl, @zlz, @droope, @kedrisch
- Illywhackers: @johnny, @smiegles, @teknogeek, @stok
- Teambazooka: @samux, @try_to_hack, @ralamosm, @bhavukjain1
During the event, team Illywhackers (@johnny, @smiegles, @teknogeek and @stok), for example, was able to find a bug that allowed them to create unlimited subdomains on an Oath-owned domain and then deliver a valid SSL certificate for those created subdomains. This would make it simple to create convincing phishing attacks targeting Oath users.
Hackers @jobyjohn, @bug0xa, @rmzsx, and @ris from team “The Rookies” hack during day 1 of h1-212
Winner, winner, winner!
Once the three days of hacking concluded, it was time to announce the h1-212 award winners, and Oath had something planned: custom-made h1-212 champion rings for each of the team members from the top 3 teams, as determined by bounties earned.
Oath’s custom-made h1-212 champion rings
With an incredible performance from so many, these rings were very well-deserved and quite the motivator! Congrats to the United States of Sweden, Bountyplz, and YQL-Injection teams for taking first, second, and third place respectively.
But there were more awards to hand out! As always, we presented 4 awards to the participants reflecting the productivity, accuracy, impact / criticality, and all-around best hacker(s).
Give it up for your winners!
- The Exalted (most reputation earned) went to United States of Sweden (@avlidienbrunn, @fransrosen, @dawgyg, and @meals)
- The Assassin (highest signal) also went to United States of Sweden (@avlidienbrunn, @fransrosen, @dawgyg, and @meals)
- The Exterminator (best bug) went to Illywhackers (@johnny, @smiegles, @teknogeek and @stok)
- The very first Most Valuable Team (MVT) award went to Illywhackers (@johnny, @smiegles, @teknogeek and @stok), chosen by HackerOne and Oath based on their impressive teamwork and the creative bugs they reported. Check out their priceless reactions to the news.
“Oath is comprised of media, tech, and communication brands that 1 billion people love and trust. Cybersecurity is paramount in maintaining that trust,” said Nims. “Hackers were able to collaborate and find complex bugs that could have very real impacts on our organization’s daily operations. The hacker community’s teamwork and creativity through our HackerOne Bounty program continues to help our Paranoids team reduce cyber risks and scale our overall security efforts.”
From left to right: @johnny, @smiegles, @teknogeek and @stok pose with their Most Valuable Team belts at h1-212
When Oath surpassed $1 million in bounties paid earlier this year, the security team introduced some program updates, including a new bounty structure and table, a commitment to faster turnaround times, and more structured scopes. Check it out!
“The first year of our private bug bounty program on HackerOne under the Oath brand has been record setting,” said Nims. “The success of our program extends so far beyond dollars paid in bounties. The relationships we’ve built over the past year with the HackerOne community are ones we are committed to fostering in the many years to come. Thank you to all the hackers who have helped make our corner of the internet a safer place. We are forever grateful.”
Hackers, Oath employees and HackerOne staff pose at the end of h1-212 2018