johnk

Shopify Awards $116,000 to Hackers in Canada: h1-514 Recap

Shopify Awards $116,000 to Hackers in Canada: h1-514 Recap

Forty top hackers met in Montréal in mid-October to hack Canada-based Shopify. The commerce platform helps more than a half-million merchants spread across 90% of the world’s countries design, set-up, and manage their stores. During the live hacking event, dubbed h1-514, Shopify paid over $116,000 in bounties to hackers who helped surface 55 valid vulnerabilities to the program. In total, 40 hackers attended the event, representing 12 countries and six continents, and nearly 20% were attending their first live hacking event ever!

Earlier this year, Shopify celebrated its three year anniversary of bug bounties on HackerOne, announcing it had worked with over 300 hackers and awarded more than $850,000 in bounties for helping secure its $55 billion-plus customer transactions and data.

Hackers Chat Walking Through Montreal
 Hackers chat as they walk through Montréal


No better way to get to know a new city than a walking tour, so that’s how the weekend kicked off. Hackers, Shopify, and HackerOne employees gathered to walk through the largest city in the Canadian province of Québec. The walking tour was followed by company-wide hacker panel at Shopify’s Montréal office. Shopify Application Security Engineer, Peter Yaworski, moderated the panel featuring @0xacb, @bored-engineer, and @cache-money, discussing everything from critical vulnerabilities they have reported to Shopify, to red flags they look for while hacking, to program loyalty and engagement.

 

Yaworski moderates the hacker panel featuring @0xacb, @bored-engineer, and @cache-money
Yaworski moderates the hacker panel featuring @0xacb, @bored-engineer, and @cache-money


H1-514 had a number of firsts for a live hacking event, the first being submissions were opened almost two weeks in advance of the kick off time on Saturday morning. Reports that were submitted in advance by hackers were triaged and bounties were awarded at the start of the event. With $30K in bounties being paid out within the first 30 minutes, momentum built and reports kept rolling in. One report by @fransrosen and @avlidienbrunn was a remote code execution vulnerability in Shopify’s Kit, a free virtual employee which helps boost sales and awareness by handling merchant marketing. The vulnerability would have allowed an attacker to compromise Kit's infrastructure, which is isolated and separate from Shopify core infrastructure. This report was awarded an impressive $15K bounty and patched by Shopify. 

 

Hackers find their optimal setup in a corner of the main floor at Shopify’s Montreal Headquarters

Hackers find their optimal setup in a corner of the main floor at Shopify’s Montreal Headquarters


The Shopify team also decided to disclose resolved bugs from the event the same day for all attending hackers to learn from and test the fixes, adding a bonus to anyone who could bypass a fix. The team disclosed four bugs and only @meals was awarded a bypass bonus to an SSRF vulnerability. 

Lastly, to encourage hackers to search for old bugs and dig deep on the application, Shopify introduced the Oldest Bug bonus, another first at a HackerOne live event. This bug was awarded to the reporter who found a vulnerability associated with the oldest git blame in the Shopify code base. This led to a number of great reports and alternative areas of Shopify being tested, but ultimately @fransrosen and @avlidienbrunn narrowly took home this bonus, beating out @filedescriptor by a single month.

Now, it’s time to announce the h1-514 winners!

The Exalted (most reputation earned) went to @fransrosen for earning 298 reputation at the event
The Assassin (highest signal) went to @zombiehelp54
The Exterminator (best bug) also went to @teknogeek
The Most Valuable Hacker (MVH) went to Swedish hacker @fransrosen

From left to right: HackerOne CEO Marten Mickos, HackerOne co-founder Jobert Abma posing as @fransrosen, @avlidienbrunn posing with the MVH belt on behalf of @fransrosen, HackerOne’s Sr. Director of Content and Community Luke Tucker, and Shopify’s Pete Yaworski
From left to right: HackerOne CEO Marten Mickos, HackerOne co-founder Jobert Abma posing as @fransrosen, @avlidienbrunn posing with the MVH belt on behalf of @fransrosen, HackerOne’s Sr. Director of Content and Community Luke Tucker, and Shopify’s Pete Yaworski


Congrats to all our winners! @fransrosen had himself an impressive event, becoming the first ever 2-time winner ever at a live event. Even more impressive, he was hacking in the middle of the night from Sweden, collaborating with @avlidienbrunn but being unable to attend in person. But thanks to HackerOne co-founder Jobert Abma, it was just like @fransrosen was there!

What a weekend it was. You can check out more photos from the event here and the ShopifyEng twitter account for more. Special thanks to the Shopify team for welcoming us with open arms to Montréal and into their offices for the weekend. To all our participating hackers, thank you for making commerce more secure for Shopify’s merchants and their customers. Together We Hit Harder!

Group Shot

HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.

The 8th Annual Hacker-Powered Security Report

HPSR blog ad image