
A Bountiful Year: Top Bugs and Hacktivity Highlights in 2016

January 12th, 2017

Hacktivity proudly showcases the achievements of our hackers and the community, culture, and collaboration we create through the act of hacking.

It was a wild ride for Hacktivity in 2016:

Let’s reflect on some of the major trends and patterns in our hacker community as seen through the eyes of Hacktivity.

Hacktivity's five most-voted vulnerabilities of the year

The top awards are not short on creativity, collaboration, and good ol' fashioned hard work. The highest-voted vulnerability report described how an attacker could exploit a vulnerable deserialization function in PHP, leading to a remote shell on a production server.

Most-voted Vulnerabilities of the Year

5. Internal attachments can be exported via “Export as .zip” feature

This report from japzdivino claims the highest payout from HackerOne's very own bug bounty program, not just in 2016 but of all time: $12,500.

4. Change any Uber user’s password through /rt/users/passwordless-signup - Account Takeover

Since their public launch not long ago, Uber has quickly climbed to be one of the most successful bug bounty programs and community favorites. They couldn’t have done it without amazing hackers, among which is the reporter of this great find, mongo.

What the HackerOne community accomplishes is truly a team effort, and this report exemplifies it perfectly: creative bug hunt, mind-blowingly fast response, competitive reward, happy hacker, and safer program.

3. Partial disclosure of report activity through new “Export as .zip” feature

Awarded at $10,000, this is the second highest payout from our bug bounty program. Rockstar Hacker Faisal Ahm reported it within 24 hours of the release of the feature that contained this security flaw. And what’s more impressive? The issue was resolved within an hour of the report being filed (huge shoutout to our security team members!).

2. Oracle Webcenter Sites administrative and hi-privilege access available directly from the internet (/cs/Satellite)

LocalTapiola was considered a dark horse as compared to some of the 'usual suspects', but they proved themselves to be quite generous with critical issues found by sharp eyes, such as those of Teemu Kääriäinen. They're also the proud owners of the highest posted bounty award of $50K - perhaps we'll be hearing more from this program in the 2017 Hacktivity recap!

1. [phpobject in cookie] Remote shell/command execution

Pornhub's whopping $20,000 to static was eye-catching, but it’s part of a bigger trend of public programs not shy about paying more for well-deserved efforts and to attract top-ranked hackers. This is the story we’ll keep coming back to and telling our friends around the proverbial campfire.

Hacktivity's five most-voted programs of the year

Not surprisingly, all of these programs are in the 90th percentile of what we deem as "Reward Competitiveness" with our Hacker Success Index Measurements. Basically, they incentivize hackers to hack their programs - and hack again and again because they’ll be rewarded for it!

Most-voted Programs of the Year

5. Shopify | https://hackerone.com/shopify
4. Twitter | https://hackerone.com/twitter
3. Pornhub | https://hackerone.com/pornhub
2. HackerOne | https://hackerone.com/security
1. Uber | https://hackerone.com/uber

Hacktivity's five most-voted hackers of the year

These hackers stood above the rest in 2016, boasting one of the most coveted things of all: recognition from their peers. Hail the top hackers!

Most-voted Hackers of the Year

5. japzdivino | https://hackerone.com/japzdivino
4. jobert | https://hackerone.com/jobert
3. static | https://hackerone.com/static
2. fransrosen | https://hackerone.com/fransrosen
1. bobrov | https://hackerone.com/bobrov

Looking Ahead

What a year it was, but 2017’s got a lot of great things in store! We would love to hear from you about what you’d like to see in Hacktivity. Feel free to send suggestions to feedback@hackerone.com.

Join us as we raise a glass to lots of Hacktivity in 2017!

Cheers,
Pei & Luke

PS: We also tabulated the top bugs based on payouts last year - A look at the top HackerOne bug bounties of 2016.
