Live Hacking Goes Virtual
At a time when security must be managed remotely, HackerOne and Verizon Media called on the naturally remote and global community of skilled hackers and engaged them in a 13-day virtual event to find and disclose vulnerabilities in digital assets.
On March 25th, we kicked off our first ever Virtual Live Hacking Event, #h1-2004, with Verizon Media. Hackers submitted 286 reports over the course of two weeks, resulting in over $673,000 in bounties! The event took place over the course of two weeks with a full schedule of hacking, hacker panels and interviews, and inside looks at past live events with both The Paranoids and the HackerOne community team.
Pivoting from our planned Singapore live hacking excursion, the virtual alternative in our portfolio was the clear choice. With a special scope arranged by The Paranoids, the event called for 50 hackers from across the globe, with over 30 percent from the APAC region, including Singapore, Hong Kong, India, and New Zealand. As the original event was intended to be in Singapore, we wanted to ensure that the local hacker base that would have been there live was also able to participate in a big way.
When asked how hackers felt about the virtual event versus in-person, hacker smsecurity told us: “This first Virtual Live Hacking Event was very fun and a complete success! It felt like a Live Hacking Event marathon which lasts 2 weeks. It was amazing to be together even in this tough time.”
Hack for Good
Launched during #h1-2004 was HackerOne’s Hack for Good initiative, a way for the community to join together and support COVID-19 relief in a myriad of ways. Moving forward, hackers now have the ability to easily donate full or partial amounts of their bounties to select charities each month. During this event, hackers donated over $5,000 of their bounties earned from real-world vulnerabilities to The World Health Organization (WHO) COVID-19 Solidarity Response Fund, To see how to donate a percentage of your bounties, check out our blog post.
Together We Hit Harder
Live hacking events at their core are about bringing the community together. When you bring hackers, security practitioners, and developers together, magic happens. Exploits are better, the impacts are more substantial, and the learning opportunities are invaluable. We have proven time and time again that hackers hack better together. Recently at live events, we have seen new teams launch and new awards revealed that celebrate collaboration and community, such as Best Team Collaboration. As we pivoted to a virtual event, our goal was to preserve that community magic and bring it into the digital world.
For all live hacking events, a dedicated Slack workspace is created for hackers, the target program’s team, and HackerOne staff to communicate throughout. For this event, we created a #be-yourself channel where hackers shared inside looks into their personal lives, showed us their workspace setups, and introduced us to their families. There was even friendly competition around a push-up challenge!
Check out the highlights and our favorite moments here!
While the exact magic of an in-person event is hard to recreate online, I think we can all agree that the magic that unfolded during #h1-2004 was of a different caliber. Hacker none_of_the_above stated: “I missed the drinks, the endless supply of cold Red Bull, the SWAG, the CTF-esque atmosphere. But all those things were replaced with all sorts of activities throughout the event which made us feel closer. I met new people, collaborated with friends, and found some bugs, everything that I would expect from a live hacking event. This was definitely a much nicer experience than I expected.”
Hacker mayonaise shared a similar sentiment: “I found myself having conversations and collaborating with others more frequently than usual. It led to building foundations for relationships that will carry over to future live events — something I pleasantly surprised to have happened.”
“If someone were to ask me about my favorite live hacking event, #h1-2004 would be at the top of my list,” said Sean Poris, Director of Product Security at Verizon Media. “It was amazing to see people come together during this pandemic to have deep conversations, to laugh a little bit, and bring the community together.”
Engaging the Community from a Distance
Every live hacking event includes a community education component where experienced hackers have a chance to mentor new and aspiring hackers. For this event, Hacker Education Lead and hacker Ben Sadeghipour (nahamsec) hosted a series of livestreams on Twitch for a global viewership with a number of special guests throughout the week. In the spirit of collaboration and education, we have recapped the full series below so that anyone who is interested in hacking or our live hacking events can easily access these resources.
- First Up: Virtual Community Day where Ben led an “Intro to Web Hacking” workshop using OWASP Juice Shop. This workshop was focused on how to identify vulnerabilities like XSS or IDOR and how to report each on HackerOne. If you missed the community day, you can watch it here.
- Virtual LHE Kick-Off: The day the leaderboard was launched, HackerOne live hacking team members Prash Somaiya, Luke Tucker and Jessica Sexton joined Verizon Media’s Chris Holt to talk through their history of live events and what set this event apart from others.
- Hacker Couch with STOK: Hackers STOK, BugBountyHQ, cdl, ramsexy and HackerOne’s Luke Tucker chat about how the event is going, discuss what it’s like to shift to virtual around the world, delve into collaboration, and commiserate on some of their favorite memories.
- How to get Started in Infosec and AppSec with VirSecCon speakers TheCyberMentor, zseano, STOK, tomnomnom, and jhaddix: Hackers share their personal journeys, the benefits (or not) of infosec certificates, and finding their first bugs.
- VirSecCon: A virtual security conference hosted by TheCyberMentor and nahamsec with talks including topics like: iOS recon with Radare2, Android Hacking, Bug Bounties with Bash, and Demystifying OSCP and OSCE certifications. All proceeds were donated to Leukemia and Lymphoma Society. Check out all the talks here!
- Recon Sunday: A stream that nahamsec hosts on a weekly basis, this edition featured special guests and h1-702 2019 top hackers cdl, dawgyg and mayonaise to discuss their approaches to recon, hacking, and their history in bug bounty.
- HackerOne Community Team members Ariel Garcia, Jenn Eugenio, Jessica Sexton, and Luke Tucker talk about how live events were created, where they’ve been taken and where they’re going.
- By April 7th, submissions had closed but bounties were still being awarded. Hackers dawgyg, 0xacb, teknogeek, and inhibitor181 join the stream for How to Become a Millionaire or MVH.
- As a prequel to our closing ceremonies, Paranoids Sean Poris, Mark Litchfield, and Chris Holt joined us for the Live Hacking Event Roundup, talking about their history of live events, what set this one apart, and the importance of supporting the community in times like this.
Coming to a Close
Closing ceremonies at live events always start with Show & Tell. Show & Tell is an opportunity for hackers to share selected bug reports and present how they were found to the participants and customer teams. This event held the tradition strong with pre-recorded demonstrations presented via private video conferencing to only those participating in the event. Cheers to the Show & Tell Hackers!
Check out our Closing Ceremonies to see the following winners get announced! A huge (virtual) round of applause because these four hackers were amazing throughout the entirety of the event.
The Exterminator | Best Bug of the Event (decide by HackerOne and customer | samux
2nd Place in Bounties | anshuman_bh
1st Place in Bounties | mayonaise
Best Team Collaboration (decided by HackerOne and customer) | Anshuman_bh & Swapnil_rpma4
And now, for the Most Valuable Hacker of the event …. mayonaise!
“Attempting to explain each way HackerOne consistently exceeds expectations would be an exhaustive effort. Your first virtual event was nothing less than a grand slam. From the daily broadcast streams to engaging online interactions and games, I experienced a community growing together. That is something you can not fake and is a testament to what you are building is exceptional. I look forward to seeing what you can come up with next!” - Jon Colston (mayonaise)
Thank you to everyone that tuned in, and congratulations to all the hackers who participated! It was truly amazing to see the community come together in this time of uncertainty for a single purpose — to hack for good. The in-person connections we missed from a physical event perspective were made up for in the spirit and energy everyone brought into #h1-2004.