HackerOne

Get Invited: How Live Hacking Event Invites Have Changed


HackerOne Live Hacking Events are back!

We wrapped a tremendous year of events for 2022 where we saw some amazing success. Some of the most notable:

  • Six customers partnered with us across five live hacking events!
  • $4.9M+ in bounties rewarded
  • 311 hackers participated

We got to reconnect with many old friends and new faces as we came together in new cities for an incredible return to in-person events! So what does that success mean for our 2023 live hacking events and for hackers earning an invitation to one of our flagship events?

We always strive to grow and improve our program, and invitations will continue to be a huge component of this. Our goal is to ensure that all hackers in our community have a clear understanding of what they can do to qualify and set personal goals in alignment. We appreciate everyone in our community who continues to give us feedback so we can continue to advance this program!

Before we dive into the new criteria and the estimated number of hackers within each “bucket”, we remind all our researchers that regardless of which criteria you qualify under, all hackers must meet the requirements below:

  • A hacker should have no Code of Conduct Violations or active mediation investigations in the past 6 months brought on by a customer or HackerOne. We review each researcher internally to ensure that we note any past actions and evaluate the severity and frequency of the actions.
    • This review includes educational messages or first warnings and will be evaluated internally by a HackerOne review team. For instance, if you have consistently received educational reminders for similar topics in the last year, it could negatively impact your invitation qualification, even if they were not formal warnings.
    • Note: Similar to 2022, in cases where customers request a specific hacker, we may conduct an additional review to see if an exception can be made, depending on the severity or frequency of previous Code of Conduct violations.
  • NOT located in a region under sanctions.
  • Past Live Hacking Event inactivity - Our live hacking events are highly competitive and time-sensitive. Should you accept an invitation to a live hacking event and not actively participate, you could lose future opportunities for invitations.
  • Consistency of behavior will continue to be evaluated. Respect and professionalism will go a long way to continue to grow the LHE opportunities and ensure that all involved (HackerOne Staff, Customer Staff, and fellow researchers) have a successful and positive experience. If the HackerOne mediation or community team feels a researcher's behavior is unpredictable or at risk of being unprofessional based on historical experience, HackerOne may determine that they are ineligible for an invite.


 

To help provide the most opportunities to the most researchers, the invitations for events are fulfilled in the following order:

Up to 5 researchers
  • Customer selected/recommendation - researchers requested directly by the participating customer. The reasoning is at their discretion, and it may not be based on top performance!
Up to 5 researchers
  • Past Live Hacking Event Award Winners (non-collab) - researchers who have received an award (not bonus) from the previous 2-3 live hacking events
    • Most Valuable Hacker
    • 1st Place (based on bounties)
    • 2nd Place (based on bounties)
    • Exterminator
      • If the exterminator award is part of a collaboration, we cannot guarantee an invitation for all members of the collaboration party but will attempt to ensure that they receive an invite to at least one future event in the following calendar year
Up to 10 researchers
  • Top Performer [Previous Live Hacking Events] - researchers who were in the top 10 of the leaderboard, sorted by bounties, for the previous 3 live hacking events

Note: we will pick up to 10 of the top researchers from a combined list of the past 3 live hacking events. 

Up to 10 researchers
  • Top Customer Program - highest bounty earners in the last 6 months for the participating customer
Up to 10 researchers
  • Top Skillset - researchers selected based on top skills needed that align with the host customer scope. E.g: if the scope includes hardware assets, hardware hackers will be invited.

Note: this can also include the hackers that performed very well in the customer’s previous live hacking events. 

Up to 5 researchers
  • New to Live Hacking Events - researchers who have shown criticality, consistency, and contributed to the community across the HackerOne platform but have not participated in a live hacking event previously.

Note: This doesn’t mean the hacker is new to the platform and does not include public LH events.

Up to 3 researchers
  • H1 Elite / HackerOne alumni - researchers that have shown outstanding performance across their journey at HackerOne. 

Note: One doesn’t need to have an H1-elite comic cover to fit in this category. 

Up to 10 researchers
  • Community Choice - researchers selected by the HackerOne Community team who have shown positive engagement, criticality, and consistency within the community.
Up to 10 researchers
  • HackerOne Platform Performers in Last 180 days - researchers with more than 75% of submitted reports being high/critical (and more than 5 total high/criticals in that timeframe). The list is prioritized by total rewards in the last 180 days.
Up to 10 researchers
  • Geolocation Based Hackers - Hackers invited based on region of the event, geolocations for the assets in scope/accessibility reasons, or in alignment with Community recruitment or Customer’s program recruitment goals.

Note: Depending on the location where the event is being hosted, we might not have any hackers from this category.

Up to 7 researchers
  • Plus One Nominations - researchers nominated by invited researchers. All nominations will be considered based on justification and platform performance. 

Note: Plus One Nominated researchers will be required to fund their own travel and accommodations to the live hacking event (but are welcome to room share with the hacker who nominated them, if both agree!).

We have broadened the criteria for researchers to be eligible for an event by expanding the categories, or "buckets," in which they can be considered. This is to provide more opportunities for a wider number of researchers to earn an invitation. So let’s break down some of the new items for 2023 invitations:


If you do not currently have the bandwidth to participate fully or have concerns about travel for an event, please do not hesitate to let us know immediately. Feel free to decline the invitation or RSVP to participate virtually. Declining an invitation to participate will not affect any future invitations. The health of our hackers is always a priority for HackerOne, and as such, we empower you to make the best decision for your physical and mental health.

Declining an invitation will not affect future invitations. HackerOne will do our best to ensure that you receive a future invitation in the calendar year. We cannot promise one for the next event, but we commit to inviting you to a future event that best aligns with your skillset should you be unable to participate.

Note: declining an invitation does not allow you to nominate another hacker to participate in your place.

There are more opportunities than ever before to qualify for an invitation, and we are excited to head into our packed schedule of events with new chances to connect and grow our hacker community! The HackerOne Live Hacking Events program has grown into a wonderful way to provide direct engagement between our customers and researchers. Without your dedication, effort, and incredible skill, we would not be able to do this - so thank you! 

The dates and locations for our 2023 calendar will be announced soon! Keep an eye out for what’s to come. 

HackerOne is only as strong as our community, and we are proud of the time, commitment, and hard work that you all have put into making our community what it is today. We cannot wait to see you on the road next year and look forward to continuing to work with you to make the internet safer for all!


 
