Viva Hack Vegas - Bug Bounty Hackathon
HackerOne kicked off its inaugural H1-702 live hackathon in Las Vegas. Across three nights, Hackers worked with Zenefits, Snapchat and Panasonic Avionics and earned more than $150,000 in bounties for over 225 reported vulnerabilities. Here is how it went down:
What happens when you invite more than 30 elite hackers and three security teams to Las Vegas for a live bug bounty event?
As the world’s security professionals gathered in the desert for Black Hat, DefCon 24 and BSides, HackerOne hosted its first live hackathon. Across three nights of hacking, HackerOne customers, Zenefits, Snapchat and Panasonic Avionics awarded top bug hunters over $150,000 for reporting more than 225 security vulnerabilities.
30+ Bug Hunters Hacking Live
In a five-star, two story hotel suite at the MGM Grand Skylofts, 30+ elite HackerOne hackers assembled their hacking gear and prepared for a new surprise challenge each evening. Upon arriving at the suite each night, hackers were greeted with a “game day” scope and an eager security team ready to triage bugs and award bounties on the spot. Guests were treated to chair massages, food and beverages throughout the evening, as well as loads of custom swag!
Zenefits kicked off the competition the first night, offering generous rewards and a broadened scope that hackers could only dream about outside of this event. The Zenefits team was the inspiration for the H1-702 event, and they showed up more than ready to work directly with hackers to find as many potential issues as possible, and reward them generously for their efforts. Night two was all about Snapchat security. The Snapchat team provided a custom build on loaner mobile devices for easier security testing at the event and kept many hunting past 5am - between sending snaps and posing with Ghostface Chillah. On the last night of the competition, Panasonic Avionics’ security team surprised the hackers with a once in a lifetime challenge designed exclusively for the H1-702 competition.
More than 70% of Reports Were Valid Security Issues
Across the three nights of hacking, more than 80 individual bounties were awarded to hackers live, totaling over $150,000 in rewards. Of the reports filed during the contest, over 70% were valid security issues.
The H1-702 hackers included some of HackerOne’s most successful bug hunters, based on Reputation scores and bounties earned. HackerOne sponsored top hackers from Argentina, Chile, Morocco, U.K., Russia, Sweden, across the U.S. and Canada, among others, to participate in the contest. The hackers ranged from 16 years old, to hackers who have been working in security for more than 16 years. The diverse group of individuals regularly grace the HackerOne leaderboards, and for many, this was the first chance to hack in-person with their peers and meet one another.
Similarly, the chance to work directly with the security team in-person greatly contributed to the success of the contest. Security teams came ready to answer questions and roll up their sleeves with some of the most successful bug hunters. Security teams triaged issues live, built relationships, and encouraged the hackers to find as many issues as possible. HackerOne customers recognize the value of working with external security experts to find vulnerabilities, and that relationships between hackers and security teams are a fundamental part of any successful bug bounty program.
Most Valuable Hacker Award
What’s a contest without a leaderboard for Reputation?! For the most bounties earned, mlitchfield took the title of “Most Valuable Hacker,” and earned the associated bling (H1-702 MVH belt, pictured below). Nnwakelam crushed the leaderboard with Reputation gains, and Rubyroobs, Bored-engineer, and mlitchfield took home custom H1-702 poker sets for notable bugs reported throughout the event.
Award for Most Valuable Hacker
HackerOne’s first ever live hackathon was a huge success thanks to our incredible hackers, customers, and community at large. We look forward to the next H1-??? event coming soon! Want to get on list? Hackers with the highest Reputation and Signal have a better chance of getting invited, so keep hacking! If your company is interested in sponsoring and/or participating, send us a note at H1firstname.lastname@example.org.