johnk

Hacking Dropbox Live in the Heart of Singapore at h1-65

HackerOne’s first live hacking event in Southeast Asia, h1-65, kicked off during Black Hat Asia in Singapore! As one of the global centers for finance and business, Singapore has been described as one of Asia's economic "tigers" and is known for all things grand and luxurious, and it did not disappoint! Dropbox joined us as the participating company, paying out over $330,000 in bounties to hackers who found vulnerabilities across Dropbox, Dropbox Paper, newly-acquired HelloSign, and third-party vendors that work with Dropbox.

Soaking Up the Sights
The h1-65 festivities kicked off with a gourmet bus tour of Singapore, including a Michelin star rated lunch, followed by a walk through the iconic Gardens by the Bay at the base of the Marina Bay Sands. Nothing like fighting jet lag with some of the most beautiful scenery and food in the world.
 

@cache-money checks out Singapore’s Chinatown during the gourmet bus tour
 

@ramsexy walks through the Gardens by the Bay at the base of the famous Marina Bay Sands

The Big Day
Dropbox is recognized as an industry leader in the security field. Their engineers regularly contribute to security research, share best practices, and have run a public bug bounty program since January 2015. Since then, the team has paid out over $250,000 and resolved over 250 vulnerabilities thanks to nearly 200 hackers who have participated. For h1-65, they wanted to do something new.

“As a hacker myself, I know what hackers look for when they evaluate programs and when they come to live hacking events,” said Nathanial Lattimer, Dropbox bug bounty program lead (aka @d0nut). “We wanted to create a scope that was truly enticing and engaging with a group of hackers that we wouldn’t be able to assemble anywhere but this live hacking event in Singapore with HackerOne.”
 

Left to Right: Hackers @corb3nik, @teknogeek and @filedescriptor collaborate during h1-65

Dropbox and HackerOne invited 45 hackers from 11 countries including Singapore, the United States, Sweden, Canada, India, the Netherlands, Japan, Australia, Belgium, Hong Kong, the United Kingdom, and Portugal. They gathered to hack new scope and Dropbox core assets at Huone Event Center in the Clarke Quay area of Singapore. In the days leading up to the event and over the course of 8 hacking hours at h1-65, 39 hackers reported 264 vulnerabilities across all applications and vendors in scope. In return, Dropbox paid $336,479 in bounties to hackers for their contributions to better security.

“Dropbox invests heavily to build a security team comprised of the best talent in the industry,” said Rajan Kapoor, Director of Security at Dropbox. “Our HackerOne bug bounty program has one of the most permissive scopes in the industry. This allows us to work with security researchers to test the broadest attack surface possible. The impressive contributions from the community have made Dropbox, and the internet as a whole, a safer place.”

Left to Right: Rohan Sharma, Ian Carroll, Nathanial Lattimer, and Brad Girardeau from Dropbox’s security team discuss bugs and bounties in the h1-65 war room

Drumroll please...it’s time to announce the winners!

  • The Exalted went to @inhibitor181 for the most reputation earned at the event
  • The Exterminator went to @intidc for the best bug of the event (as chosen by HackerOne and Dropbox) 
  • The Assassin went to @inhibitor181 for having the highest signal at h1-65
  • And finally, the coveted MVH: Most Valuable Hacker (chosen by HackerOne and Dropbox) went to @smsecurity, a first-time belt winner!

Thank you to all the hackers for joining us in Singapore, and congrats to our winners!

@smsecurity accepting his MVH belt at h1-65

Closing with a Flash
After winding down from the previous day’s excitement, on Saturday the group was treated to dinner and drinks followed by Garden Rhapsody — the nightly light show at the Supertree Grove in the Gardens by the Bay. And what a show it was! Beautiful lights in a display timed to classic songs from Back to the Future, Star Wars, and more.

@teknogeek enjoys the electric light show in Singapore’s Supertree Grove

...And That’s a Wrap!
Thank you to Dropbox for helping create a truly amazing event, with a scope that surprised and delighted. We are so grateful for your commitment to the hacker community, for your creativity, and for fostering relationships with care. And thank you to the hackers! Because you continue to show up, work hard and relentlessly tackle challenging attack surfaces, the internet is more secure. Thank you. This was another one for the record books and travel blogs!
 

Hackers, Dropbox, and HackerOne staff at the close of the first h1-65 in Singapore!
