1. Executive Summary
______
ExCom engaged HackerOne to perform a HackerOne Challenge, also known as a
crowd-sourced penetration test, from October 14th, 2019 to October 30th, 2019. During
this timeframe, 9 vulnerabilities were identified by 2 unique researchers.
During the assessment, 3 vulnerabilities were found that had a CVSS score of 7.0 or higher,
rating either high or critical. These vulnerabilities represent the greatest immediate risk to
ExCom and should be prioritized for remediation. Table 1 shows the in-scope assets and
breakdown of findings by severity per asset. Section 2.5 contains more information on how
severity is calculated.
Asset                          Critical  High  Medium  Low  None  Σ
api.excom.com/                    1       0      1      0    0    2
https://portal.excom.com/         2       0      1      1    0    4
https://dashboard.excom.com/      0       0      2      0    0    2
com.excom.excom                   0       0      0      0    0    0
Mobile App                        0       0      1      0    0    1
Total                             3       0      5      1    0    9
Table 1: Findings per asset
The security assessment was conducted using a crowdsourced penetration testing
methodology. From its community of over 600,000 hackers, HackerOne curated a set of
top-tier researchers to focus on identifying vulnerabilities in ExCom's scope during the
agreed-upon testing window, while abiding by the policies set forth by ExCom. Chapter 2
contains more information about the methodology.