Forty top hackers met in Montréal in mid-October to hack Canada-based Shopify. The commerce platform helps more than a half-million merchants spread across 90% of the world’s countries design, set-up, and manage their stores. During the live hacking event, dubbed h1-514, Shopify paid over $116,000 in bounties to hackers who helped surface 55 valid vulnerabilities to the program. In total, 40 hackers attended the event, representing 12 countries and six continents, and nearly 20% were attending their first live hacking event ever!
Earlier this year, Shopify celebrated its three year anniversary of bug bounties on HackerOne, announcing it had worked with over 300 hackers and awarded more than $850,000 in bounties for helping secure its $55 billion-plus customer transactions and data.
No better way to get to know a new city than a walking tour, so that’s how the weekend kicked off. Hackers, Shopify, and HackerOne employees gathered to walk through the largest city in the Canadian province of Québec. The walking tour was followed by company-wide hacker panel at Shopify’s Montréal office. Shopify Application Security Engineer, Peter Yaworski, moderated the panel featuring @0xacb, @bored-engineer, and @cache-money, discussing everything from critical vulnerabilities they have reported to Shopify, to red flags they look for while hacking, to program loyalty and engagement.
H1-514 had a number of firsts for a live hacking event, the first being submissions were opened almost two weeks in advance of the kick off time on Saturday morning. Reports that were submitted in advance by hackers were triaged and bounties were awarded at the start of the event. With $30K in bounties being paid out within the first 30 minutes, momentum built and reports kept rolling in. One report by @fransrosen and @avlidienbrunn was a remote code execution vulnerability in Shopify’s Kit, a free virtual employee which helps boost sales and awareness by handling merchant marketing. The vulnerability would have allowed an attacker to compromise Kit's infrastructure, which is isolated and separate from Shopify core infrastructure. This report was awarded an impressive $15K bounty and patched by Shopify.
The Shopify team also decided to disclose resolved bugs from the event the same day for all attending hackers to learn from and test the fixes, adding a bonus to anyone who could bypass a fix. The team disclosed four bugs and only @meals was awarded a bypass bonus to an SSRF vulnerability.
Lastly, to encourage hackers to search for old bugs and dig deep on the application, Shopify introduced the Oldest Bug bonus, another first at a HackerOne live event. This bug was awarded to the reporter who found a vulnerability associated with the oldest git blame in the Shopify code base. This led to a number of great reports and alternative areas of Shopify being tested, but ultimately @fransrosen and @avlidienbrunn narrowly took home this bonus, beating out @filedescriptor by a single month.
Now, it’s time to announce the h1-514 winners!
The Exalted (most reputation earned) went to @fransrosen for earning 298 reputation at the event
The Assassin (highest signal) went to @zombiehelp54
The Exterminator (best bug) also went to @teknogeek
The Most Valuable Hacker (MVH) went to Swedish hacker @fransrosen!
Congrats to all our winners! @fransrosen had himself an impressive event, becoming the first ever 2-time winner ever at a live event. Even more impressive, he was hacking in the middle of the night from Sweden, collaborating with @avlidienbrunn but being unable to attend in person. But thanks to HackerOne co-founder Jobert Abma, it was just like @fransrosen was there!
What a weekend it was. You can check out more photos from the event here and the ShopifyEng twitter account for more. Special thanks to the Shopify team for welcoming us with open arms to Montréal and into their offices for the weekend. To all our participating hackers, thank you for making commerce more secure for Shopify’s merchants and their customers. Together We Hit Harder!