Customers who take part in the Ambassador World Cup get dedicated focus from highly motivated and expert teams of hackers. Last year, hackers reported 800+ valid vulnerabilities across 12 customers, 26% of which were high or critical.
Who Is Taking Part?
Six customers have already signed up for the 2024 Ambassador World Cup. There are still some open spots available for this year's World Cup — talk to your Customer Success Manager for more information!
Speaking about their involvement last year, Mercado Libre said:
"Connecting with hackers from continents outside of LATAM was very valuable for us, as it provides us with a different perspective from individuals interacting with our applications for the first time, resulting in a very high technical level of vulnerabilities."
— Alex Atehortua, Bug Bounty Program Leader, Mercado Libre
The hacking teams themselves are spearheaded by HackerOne Brand Ambassadors, top hackers in their region who unite the strongest members of their hacker communities to compete in regional teams from around the world.
The winning team last year was from Spain, headed up by Brand Ambassadors Carlos, aka hipotermia, and Diego, a.k.a @djurado. As Brand Ambassadors, they are responsible for recruiting local hackers and those interested in hacking into Spain’s Brand Ambassador club, coordinating with programs to create hacking events, and building the team that will represent Spain in the Ambassador World Cup.
“We believe that the success of our team is due to the wide variety of profiles we have, which allows us to have different approaches while testing. On the other hand, we have had a lot of collaboration between Spanish hackers and a great participation from 60-70% of our team members and even members who do not participate on a regular basis have joined this AWC edition with an outstanding contribution."
How Does the Ambassador World Cup Work?
Just like the FIFA football world cup, the Ambassador World Cup is played in rounds, with teams competing to qualify for the next round.
We start a qualifying round, of which the top 32 will move to the group stage. This then gets whittled down to sixteen, then eight, then four in the final round. Customers can take part in different rounds depending on their appetite for engagement.
Those customers taking place in the qualifying and group stage have the benefit of multiple teams all searching for high-impact vulnerabilities to report. The early stages also engage a bigger pool of hackers from a wider range of countries, so if a customer wants to incentivize activity in specific regions, the early stages are where they want to get involved. Those taking part in the later rounds benefit from a more focused, specialized approach from the most impactful teams.
In each round, participating customer programs will receive an increase in new, fresh hacker engagement to drive engagement and activity to their program’s approved scope. They will experience dedicated focus on their programs from some of the best hackers in the world. Participating programs will also have the opportunity to become more ingrained with the global community, create essential partnerships between enterprise programs and the community, and build new connections that will continue beyond the competition.
Spotlight on a Bug
During the 2023 Ambassador World Cup, Daniel Le Gall aka blaklis, a member of Team France which came in 4th in the competition, uncovered a critical issue within the scope of Adobe Commerce. This discovery highlighted a vulnerability that could lead to remote code execution under specific conditions.
Blaklis conducted a thorough audit of the Adobe Commerce source code, which he knows quite well after having hunted on the Adobe bug bounty program for several years, leading to the identification of an intriguing flaw in the input validation process of a particular feature which resulted in a complex remote code execution. Remarkably, this flaw didn't require any form of authentication to be exploited. Blaklis presented this vulnerability during an on-site presentation, showcasing its technical complexity, and was also granted the "Best Bug" award for the final phase of the competition. Responding promptly, Adobe fixed the vulnerability by releasing a new software version and assigned CVE-2024-20758 to address this specific issue. Blaklis’s efforts are not only helping Adobe products to be more secure, but also improving the security of hundreds of thousands of stores and Adobe customers worldwide.
A remote code execution is often among the most critical types of vulnerabilities that can be found on software and could have led to severe impacts for these software users, considering the sensitive information the software handles. This vulnerability type found can be associated with the CWE-20 category "Improper Input Validation," where many injection-related issues manifest, each with diverse impacts and consequences.
How Can I Take Part?
Are you looking to bring new engagement to your program? Are you interested in expanding your program’s outreach to the global community? There’s still time to get involved in the 2024 World Cup, kicking off in late May. Reach out to your customer success manager to learn more about how your program can engage in the 2024 tournament!
