HACK HARD. HAVE FUN. INCREASE SECURITY

Amazon's Live Hacking Event with HackerOne

At Amazon, ensuring security is essential for earning customers’ trust. As part of Amazon’s ongoing public Vulnerability Research Program (VRP), Amazon expanded its support of security and education programs to tap into the expertise of leading security researchers and empower the global security research community. In March, Amazon sponsored HackerOne’s 10-day, virtual hacking event, which attracted more than 50 security researchers to identify potential vulnerabilities across Amazon’s core assets.

Figure 1: h1-2103 logo

During the virtual event, dubbed “h1-2103”, Amazon’s security team provided technical support and guidance to build on the diverse perspectives of researchers, who represented nine different countries. This event was a testament to Amazon’s dedication to advancing security research, as the broad scope and direction across a variety of attack surfaces resulted in the idenfication and safe mitigation of all reported issues. Researchers received a total of 6,860 reputation points throughout the course of the event, and earned $832,135 in the process, including bonuses and grand prizes for valid vulnerability reports — making h1-2103 HackerOne’s second highest-paying single customer live hacking event of all time and highest-paying virtual event.

“Bringing in external researchers allows us to extend the reach of our security teams to put our mechanisms and broad attack surface to the test,” said Hao-Wei Chen, Head of VRP at Amazon. “The insights we’ve gathered from this global security research community will help us build a more robust and secure system and, ultimately, improve the experience for our customers.”

It was the first live hacking event for several participating researchers, and they were not disappointed. In fact, one first-timer @jonathanbouman said:

Figure 2: Hacker @jonathanbouman remarks on his first live hacking event

Once the leaderboard launched, researchers patiently watched to see who rose to the top. By the end of the event, several were recognized for their skill: 

• In first place was @jonathanbouman, who found and submitted 23 valid reports.
• Second place was awarded to @derision, whose high and critical findings made them one of the highest earning hackers of the event.
• Collaboration was incredibly important to the HackerOne and Amazon teams, as combining unique perspectives can yield greater results and find new exploits. Consequently, “Best Team Collaboration” was awarded to”spacebaffoons” including @the_arch_angel, @ajxchapman and @spaceraccoon.
• The best bug of the event was submitted by @0xd0m7, earning them the “Exterminator” award.
• Lastly, for the Most Valuable Hacker, Amazon and HackerOne looked for someone who showcased exemplary contributions to the community, delivered multiple highly-critical reports, performed consistently well across the event, and embraced collaboration. Congratulations to @jonathanbouman for earning the h1-2103 MVH belt!

Figure 3: The h1-2103 final leaderboard

Much of the event’s success can be attributed to Amazon’s researcher-obsessed bonuses and engagement enhancements. Amazon launched a creative “momentum bonus,” giving researchers additional bounties for every consecutive valid high and critical report they submitted. This incentive increased the overall Signal of the event, with a record-breaking 92.9% of all bounties paid being for high and critical impact reports.

To show their appreciation to the speed and continuous efforts of the hacker community, Amazon awarded additional creative bonuses:

• ‘The Champion’ - Researcher with the most earnings: @jonathanbouman
• ‘The Finisher’ - Researcher with the second most earnings: @derision
• ‘The Finalist’ - Researcher with the third most earnings: @zseano
• ‘The Avengers’ - Best teamwork; a team who submitted the highest severity valid report: @0xd0m7 & @hipotermia
• ‘Running the Marathon’ - Best written report with clear proof of concept, description, steps to reproduce, grammar, and spelling: @intidc
• ‘Prime Player’ - First valid critical report on core assets: @jonathanbouman & @zseano
• ‘Legend’ - Account Take Over (ATO) on a test account without user interaction: @cache-money
• ‘Go that extra mile’ - Most Valid Reports: @derision
• ‘The Brainiac’ - Most creative bug: @cache-money

Though they remained focused on their task, the researchers still found time to relax, collaborate, and network with each other and the Amazon security team. They shared fun stories and exciting experiences during the "Daily Question of the Day” and got together on a Friday afternoon to play “Would you Rather - Hacker Edition,” giving researchers a chance to get to know one another and discuss their perspectives. Engagement was through the roof. Researchers also got creative while researching Amazon — and made some fun orders!

Figure 4: Hacker @zseano shares his latest Amazon purchase

“One of the greatest values of live hacking events — virtual or in-person — is the relationships forged,” said Luke Tucker, Vice President of Community at HackerOne. “No one knows remote work like hackers do, but there’s still such immense value in coming together with a defined mission and focus. Hackers develop closer understanding of security team goals, delivering more tailored vulnerability research and building on one another's findings to yield higher-impact results. The shared experiences of a live hacking event always creates new and deeper relationships and the Amazon security team was able to collaborate with both top hackers on their program and new talent. Security is stronger when we’re working together.”

Figure 5: Hackers @S3c and @akshansh share their appreciation to the HackerOne and Amazon teams 

For more information on live hacking events, visit: https://www.hackerone.com/live-hacking

To start hacking on Amazon’s Vulnerability Research Program, submit your first report here: https://hackerone.com/amazonvrp?type=team