Live hacking the U.S. Air Force, UK Ministry of Defence and Verizon Media in Los Angeles at h1-213
On November 6th, over 60 hackers descended on the City of Angels for the final HackerOne flagship live hacking event of 2019, h1-213. For the first time ever, a specific UK Ministry of Defence asset was included in a bug bounty engagement via Defense Digital Service’s Hack the Air Force 4.0. The second day of hacking focused on another HackerOne partner and frequent client of live hacking, Verizon Media.
Nearly 700 vulnerabilities were submitted over the course of two days, hackers were paid over $600,000, with over 60 hackers participating, and over 47% of all bounties paid were for high and critical findings. Hackers came from over 18 countries and almost 25 individuals from local cybersecurity organizations attended Community Day, all of whom received LA-inspired skate decks to customize.
Hacking in the City of Angels
Defense Digital Service
Hosted at the Cross Campus, in Downtown LA, hackers arrived to array of custom swag that epitomized the LA Vibe. Check out these custom skate decks:
To kick the day off, we were welcomed by Alex Romero, Digital Service Expert, Defense Digital Service and Dr. Michael Parker, Chief Information Officer and Deputy Director, Plans and Integration for the U.S. Air Force as they gave an overview of the Hack the Pentagon program, how imperative collaboration with the researcher and hacker community is, and a little bit about recruitment within the US Air Force.
Bringing a total of 16 teams and over 60 hackers together, day one of h1-213 resulted in 460 individual bounties paid, earning a total of $288,236. Almost 60% of the bounties paid were for high and critical findings. The U.S. Air Force and UK Ministry of Defence also brought in their security teams to the event collaborate and get to know the hacker community.
This impressive first day concluded with a much loved HackerOne staple — Show and Tell. During Show and Tell, selected hackers shared with their peers the most impactful or most creative attack flow and the most unique or interesting findings. The details of the presentations are not shared outside the room and recording is not permitted; the following hackers were selected to present their findings:
Verizon Media kicked off the event by welcoming hackers, Defense Digital Service and US Airforce teams, and HackerOne, to their offices in LA for food, drinks and a special treat: hackers presenting additional Show & Tells from earlier program submissions.
Verizon Media provided a unique scope for this event and tried out some new and interesting bonuses; Since there had been a Big Lebowski theme throughout the entire event, Verizon Media gifted custom-embroidered bowling shirts to hacker, as well as their own staff, “ The Paranoids”, and HackerOne.
With 99 individual bounties issued, Verizon Media paid over $325K in total, with over $121K rewarded for high and critical reports.
Event Show & Tell:
Presented with “super bowl”-esque rings, Verizon Media chose three teams that brought the most severe vulnerabilities of the event:
VzM Team Awards:
Mala Fama : none_of_the_above, kcho
Team Name --- : ta8ahi, bull, bugdiscloseguys, ralamosm , JR0ch17
Dupe-Day : ris, inhibitor181, ngalog, anshuman_bh
Furthering the spirit of collaboration, the Community Day and Mentorship program brought in participants from local organizations for hands-on training, career panels, and a fully encompassed educational workshop. Partnering with the Women’s Society of Cyberjutsu and OWASP LA, Community Day participants first enjoyed a Hacker Panel with:
- Lisa Jiggetts (@cyberjin), founder and president of Women’s Society of Cyberjutsu
- Dawn Isabel (@dki), mobile hacker and full-time pentester
- Katie Paxton-Fear (@insiderphd), PhD student, hacker, former HackerOne Mentee
Moderated by HackerOne Community Manager for Live Hacking, Jessica Sexton, panelists discussed how they got started in cybersecurity, how they approach targets and their individual focus areas/skillets, managing burnout and not only explained how to succeed as a women in tech, but also gave advice to employers on how to source talent and keep women in tech.
Immediately following a full lunch spread, Community Day participants dove into a hands-on workshop led by Ben Sadeghipour (@nahamsec), HackerOne’s Mgr. of Hacker Education. Ben walked participants through all phases of a Hacker101 CTF teaching them how to get started in hacking, how common vulnerabilities function and how to take it to the next level. Participants left with more knowledge and the next steps in their journey. Several attendees left with their first private program invitations! We cannot wait to see them grow and enhance their skills.
Here’s to Hackers —
DDS Day Winners:
The Exalted - most rep earned: johnny
The Exterminator - best bug: meals
The Assassin - highest signal: spaceraccoon
The Vigilante - MVH of the Night: johnny
Verizon Media Day Winners:
The Exalted - most rep earned: intidc
The Exterminator - best bug: dki
The Assassin - highest signal: intidc
The Vigilante - MVH of the Night: none_of_the_above
h1-213 Event MVH: spaceraccoon