These two reports were actually in the Top 5, but were covered in last quarter's blog, so we exempted them from this list.
Public security disclosures make us all safer - they teach and inspire. Thank you to the hackers and companies that make them possible! Check out these instructions on how to share your reports on HackerOne.
Don't forget to upvote your favorite public disclosures in Hacktivity!
It’s time for the third installment of Top 5 Vulnerability Reports on HackerOne.
What a quarter! We sweated through the Vegas conferences, Hacked the World and held a jammed AMA on Reddit. Our hackers crossed the $10,000,000 mark of bounties earned. Best of all, our fantastic hackers helped companies find great vulnerabilities like the ones below.
Instead of listing the raw top five, we looked at the best five, non-repeat, non-summarized vulnerabilities of the quarter to share. Detailed vulnerabilities are the most instructive, so that’s why we highlight them here.
The Top 5 Vulnerability Reports of Third Quarter, 2016:
Mongo investigated Uber passwords via their passwordless signup features. Uber fixed it in a day (Mongo confirmed it) and paid out $10,000. In Uber’s words, “Thanks for the great find @mongo!”. We’re very glad to have Mongo hacking for HackerOne.
A frequent reporter in this blog series, orange knows how not to waste a trip. In this case the trip was to China, where a close look at an unsubscribe link revealed a SQL injection vulnerability on one of Uber's .cn domains. The report earned a nice $4,000.
Paragonie-Scott is one of the most vocal security team leaders on HackerOne. Read his reaction to this oddball .svg report that reminds us that .svg is not like other image file formats. It allows arbitrary code execution by design. Abdullah received the largest-ever bounty from the Paragon program, not to mention over 3,500 pageviews and counting.
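The point of the .svg report above is that an SVG is an XML document that may carry script, event-handler attributes and embedded HTML, so an "image" upload filter that only checks the extension lets active content through. The check below is an added example (not code from the report, Paragon or HackerOne): it parses a candidate SVG with the standard library and lists the constructs a defender would refuse to store or serve. The two sample files are constructed for the example. Note that `xml.etree.ElementTree` is not hardened against XML-level attacks such as entity expansion on older expat builds; `defusedxml` is the usual drop-in substitute in production.

```python
"""Flag active content in an uploaded SVG (added example, not the report's or Paragon's code)."""
import xml.etree.ElementTree as ET

# Elements that can run script or embed arbitrary HTML inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignObject"}
# URL schemes that execute or smuggle content when used in an href attribute.
DANGEROUS_SCHEMES = ("javascript:", "data:")


def _local_name(qualified: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1]


def find_active_content(svg_bytes: bytes) -> list[str]:
    """Return a list of reasons this SVG should be rejected; empty means nothing was flagged."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable: {exc}"]
    findings = []
    if _local_name(root.tag) != "svg":
        findings.append(f"root element is <{_local_name(root.tag)}>, not <svg>")
    for element in root.iter():
        tag = _local_name(element.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in element.attrib.items():
            name = _local_name(attr)
            if name.lower().startswith("on"):
                # onload, onclick, ... are script hooks regardless of the element.
                findings.append(f"{name} handler on <{tag}>")
            elif name == "href" and value.strip().lower().startswith(DANGEROUS_SCHEMES):
                # Covers both plain href and xlink:href (namespace stripped above).
                findings.append(f"{value.split(':', 1)[0]}: URL in href on <{tag}>")
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    return not find_active_content(svg_bytes)


# Constructed samples: a plain shape, and one that carries the three classic script vectors.
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="green"/>
</svg>"""

UNSAFE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="init()">
  <script>init = function () {}</script>
  <a href="javascript:void(0)"><text>hi</text></a>
</svg>"""

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SVG), ("unsafe", UNSAFE_SVG)):
        print(label, "->", find_active_content(sample) or "no findings")
```

Rejecting flagged files at upload time is only half of the mitigation; user-supplied SVGs that are accepted should still be served from a separate origin or with `Content-Disposition: attachment`, so that anything the filter misses does not execute in the application's origin.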
We see lots of phrases like “This is probably not a big deal…” in initial hacker reports. Modest hackers! This report Subdomain takeover on http://fastly.sc-cdn.net/ began that way. Ebrietas started with an outdated DNS record and ended with a $3,000 bounty payment. Thanks for preventing users from potentially being served false content.
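The subdomain takeover above started from an outdated DNS record: a CNAME still pointing at a third-party host that the company no longer controlled. The audit below is an added example (not from the report, Snapchat or HackerOne) of how a defender can catch that class of record in their own zone. It parses a constructed BIND-style zone export, then checks each CNAME target two ways: does the target still resolve, and, if it lives in a third-party provider zone, does the hostname currently answer with the provider's "unclaimed host" page. The resolver and HTTP probe are injected callables so the example runs offline; the provider zone name and fingerprint string are placeholders, not any real provider's values.

```python
"""Dangling-CNAME audit over a zone export (added example, not HackerOne's code)."""
from typing import Callable

# Constructed zone-file excerpt in BIND format. All names and targets are made up.
ZONE_EXPORT = """
$ORIGIN example.org.
www      3600 IN A     203.0.113.10
static   3600 IN CNAME old-bucket.cdn-provider-placeholder.net.   ; decommissioned years ago
blog     3600 IN CNAME svc-7f3a.cdn-provider-placeholder.net.
api      3600 IN CNAME api-origin
"""

# Placeholder provider zone -> text the provider returns for a host nobody has claimed.
# In a real audit you would fill this from the providers your organisation actually uses.
PROVIDER_FINGERPRINTS = {
    "cdn-provider-placeholder.net.": "unknown domain (placeholder fingerprint)",
}


def qualify(name: str, origin: str) -> str:
    """Turn a relative zone-file name into a fully qualified one."""
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_cnames(zone_text: str) -> dict[str, str]:
    """Extract {owner: target} for every CNAME record in a BIND-style export."""
    origin = ""
    cnames = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        tokens = line.split()
        if "CNAME" not in tokens:
            continue
        cnames[qualify(tokens[0], origin)] = qualify(tokens[-1], origin)
    return cnames


def find_dangling(
    cnames: dict[str, str],
    resolves: Callable[[str], bool],
    fetch_body: Callable[[str], str],
) -> list[tuple[str, str, str]]:
    """Return (owner, target, reason) for each CNAME that looks claimable by a third party."""
    findings = []
    for owner, target in cnames.items():
        if not resolves(target):
            findings.append((owner, target, "target does not resolve"))
            continue
        for zone, fingerprint in PROVIDER_FINGERPRINTS.items():
            if target == zone or target.endswith("." + zone):
                if fingerprint in fetch_body(owner):
                    findings.append((owner, target, "provider reports unclaimed host"))
    return findings


# Stub lookups standing in for real DNS and HTTP, so the example runs offline.
def stub_resolves(name: str) -> bool:
    return name != "old-bucket.cdn-provider-placeholder.net."


def stub_fetch_body(name: str) -> str:
    if name == "blog.example.org.":
        return "<h1>unknown domain (placeholder fingerprint)</h1>"
    return "<h1>ok</h1>"


def run_audit() -> list[tuple[str, str, str]]:
    return find_dangling(parse_cnames(ZONE_EXPORT), stub_resolves, stub_fetch_body)


if __name__ == "__main__":
    for owner, target, reason in run_audit():
        print(f"{owner} -> {target}: {reason}")
```

Either signal on its own is a prompt to delete or re-point the record; the fingerprint check matters because many providers keep the target hostname resolving after a customer's service is removed, so an NXDOMAIN check alone would have missed the Fastly case described above.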
Do you see vulnerabilities you think were instructive or otherwise awesome? You can vote here to highlight the best on the top of the Hacktivity page.
Let’s reflect on some of the major trends and patterns in our hacker community as seen through the eyes of Hacktivity.
Hacktivity's five most-voted vulnerabilities of the year
The top awards are not short on creativity, collaboration, and good ol' fashioned hard work. The highest-voted vulnerability report described how an attacker could exploit a vulnerable deserialization function in PHP, leading to a remote shell on a production server.
Since their public launch not long ago, Uber has quickly climbed to be one of the most successful bug bounty programs and community favorites. They couldn’t have done it without amazing hackers, among which is the reporter of this great find, mongo.
What the HackerOne community accomplishes is truly a team effort, and this report exemplifies it perfectly: creative bug hunt, mind-blowingly fast response, competitive reward, happy hacker, and safer program.
Awarded at $10,000, this is the second highest payout from our bug bounty program. Rockstar Hacker Faisal Ahm reported it within 24 hours of the release of the feature that contained this security flaw. And what's more impressive? The issue was resolved within an hour of the report being filed (huge shoutout to our security team members!).
LocalTapiola was considered a dark horse compared to some of the 'usual suspects', but they proved themselves to be quite generous with critical issues found by sharp eyes, such as those of Teemu Kääriäinen. They're also the proud owners of the highest posted bounty award of $50K - perhaps we'll be hearing more from this program in the 2017 Hacktivity recap!
Pornhub's whopping $20,000 to static was eye-catching, but it's part of a bigger trend of public programs that are not shy about paying more for well-deserved efforts and to attract top-ranked hackers. This is the story we'll keep coming back to and telling our friends around the proverbial campfire.
Hacktivity's five most-voted programs of the year
Not surprisingly, all of these programs are in the 90th percentile of what we deem "Reward Competitiveness" in our Hacker Success Index measurements. Basically, they incentivize hackers to hack their programs - and to hack again and again, because they'll be rewarded for it!