luke

Live Hacking Events: Stats, invitations, and what’s next

Live Hacking Event

Our tagline, “Together We Hit Harder” is born of the belief that when hackers and security teams are connected, security improves. Nothing captures that truth better than live hacking events (LHE).

This post is about what LHEs are, how hackers can increase their chances of being invited to hack, and where we see these events expanding.

A brief history of HackerOne Live Hacking Events

Live hacking is a unique type of bug bounty engagement in which hackers from all over the globe fly in to participate in an in-person, timeboxed testing period focusing on a targeted set of assets. This traditionally includes two-weeks leading up to the event culminating in 2-3 days in a particular city. During those several days, we bring the programs' security teams and hackers together for social activities, sightseeing, knowledge-sharing, and of course, lots of hacking.

Special scopes are released for more compelling testing, companies are encouraged to provide metadata or unique feature access for additional research, cash bonuses and bounties are offered, and there’s a leaderboard for the event with awards for the top hackers for best bug, best signal, highest reputation gain, and the best hacker of the event (Most Valuable Hacker).

We also host additional events such as hacking workshops for student groups, structured hacking mentorship sessions with an emphasis on diversity & inclusion, and we have also run job recruiting workshops.

The first live hacking event was set up by Frans Rosen, and Justin Calmus in 2015. They invited friends that were in town attending DEF CON to a suite at the MGM Grand in Las Vegas for 8-hours of solid hacking. You can read more on this in Frans’ BountyCon 2019 keynote.

HackerOne’s first live hacking event, h1-702, was in Las Vegas in August 2016 during DEF CON and spanned 3-days, paying out over $150K to a group of about 30-hackers. Live hacking events have come a long way since then, improving the structure and experience for top hackers and customers alike. To date, HackerOne has hosted 17 events, with 13 customers, totaling 33 days of hacking in 10 different cities around the world.

 

0xacb and teknogeek: From CTF winners to MVH’s

In early summer 2017, HackerOne published a capture the flag (CTF) contest where the winners that found all the flags the fastest with the best writeup would be invited to the h1-702 live hacking later that year. André Baptista (@0xacb) and Joel Margolis (@teknogeek) both were winners for that CTF.

André attended h1-702 2017, but found no bugs. After the event, he made it a point to focus on bug bounty, with the goal to earn his way back to a live hacking event. And that he did, winning another CTF and earning a spot to attend h1-202 in Washington DC with Mapbox. His performance won him the Most Valuable Hacker belt, the first and only time a CTF winner has won the MVH belt at the event they were invited to as a result of their CTF win.

André has continued to submit impactful vulnerabilities, including a $25,000 bug on Shopify, and in collaboration with another hacker, Fisher, he achieved a LHE record cash bonus on an account takeover challenge put forth by Verizon Media during the h1-415 2019 event.

Joel also attended h1-702 2017, and had a bit more luck than André at that event, finding a mobile vulnerability on a target, earning himself $3K. From there, Joel has since attended multiple live hacking events, winning various awards including the h1-212 2018 Most Valuable Team belt, and now has worked on both sides of the table, as he’s a Security Engineer at Uber, which has participated in 3 live hacking events to-date.

Both began humbly in applying their CTF skills to bug bounty, and we are so proud to see them continue to crush it. Well done André and Joel!

Live hacking event invitation overview

There are so many quality hackers in our community. Unfortunately, we can't invite everyone to attend and in the past there has been little transparency about how invitations are determined. Today, we're changing that. We’ve boiled down invite considerations into three main categories: critical reports, consistency, and community. Let’s dive into each.

Criticality: Impact of reports

  • Average severity of bugs submitted on the platform
  • Number of reports submitted with a severity of High or greater
  • Number of critical bugs submitted in the last year to all programs and to the target’s program
  • Past LHE participation (# of critical reports submitted, how many show and tell selections, how many awards received (MVH, Exalted, Exterminator, Assassin, etc.), amount of bounties earned

Consistency: Frequency and recency of activity

  • Activity in HackerOne programs (Report submission count and bounties earned in the past 12-months, 6-months, 90-days, 1-month) 
  • Prioritization is given to hackers that are active on the customers’ program first and the HackerOne platform as a whole second
  • Writes quality reports and submits detailed proofs of concept

Community: Collaboration and kindness

  • Demonstrated, either at past live hacking events, through platform interactions, or observed social media engagement, a desire to support the hacker community and work together with other hackers
  • Number of reports the hacker was added as a collaborator to or invited other collaborators to
  • Involvement in mentorship programs, hacker community outreach, etc. 
  • Exhibited professionalism in platform interactions 
  • No code of conduct violations in the past 3-months 

Other categories

  • Geographic location: hackers within close proximity to the city we’re hosting the live hacking event in will also be considered for an invite.
  • Mentee program: HackerOne hosts mentorship events with select invited participants (see Mentorship Program and Community Days section below for more information).

 

At each event, we have +1 hackers and requests for remote participation. Here’s how we approach those:

  • Plus 1 invite limits: Invited hackers are allowed to bring a non-sponsored +1 guest to hack and participate in the event. We are pleased to offer this option, but note that the +1 invitation count may be limited or removed at any time.
  • Remote participation: Prioritization goes to those who are not able to attend in person due to visa issues. Typically not offered unless extenuating circumstances won’t allow a hacker to attend or a target customer asks specifically for a particular hacker.

Please note, hacking at live events is a privilege. As much as we’d like to invite everyone, unfortunately we can’t. The above are guidelines we follow. Invitees do not need to meet ALL the above categories; they are elements that we consider. Note, we do reserve the right to decide whom to invite and whom not to, and we can’t necessarily disclose the actual consideration in any given case. If you have been invited to a live hacking event in the past, that does not guarantee you an invitation to future events. Further, the customers we partner with for a LHE are involved in the invitation process and may request specific or veto invitation selections. This criteria for invitations could be changed at any time and may vary per event, but we will notify you if we ever do change the overall guidelines.

There’s also a video with the hacker Stök that was filmed during h1-65 in Singapore that discusses some of these points at a high level. Take a look!

Mentorship Program and Community Days

Community days at LHEs bring local cybersecurity focused organizations like preparatory schools, groups like Cyber Patriots, Hack the Hood, Black Girls Code, and WiSP together with top hackers and educators. Each community day starts with a hacker sharing their journey, with some tips and advice for attendees. Then, a diverse career panel discusses the many types of jobs available in the security industry and discuss their personal journeys. Attendees are then led into a lecture-driven educational session with capture-the-flag challenges, building on the Hacker101 curriculum.

While we were building the community day program, we noticed experienced hackers would bring new hackers as their “+1 invites” to live events. From that observation and other conversations, we developed a mentor program that focuses on diversity and inclusion. This is typically an option for those local to the city where we are hosting a live event. They experience the full event along with the other hackers plus receive advanced instruction and guided mentorship.

Check out some of the recent recap blogs for h1-415 2019 and h1-4420 2019 for details of the mentorship programs. Exciting things to come!

Live hacking to the moon and back

Maybe One day we’ll do a live hacking event in outer space. :) Until then, we’ll keep hacking here on planet earth. Here’s what we’ve got in store for the remainder of 2019!

 

So how do we decide which cities to host events in? It’s definitely not a hard science, but some factors we consider are: cities where HackerOne has an office already, cities that host major security conferences, cities where our customers' headquarters are, and cities that are new or fun. This year, we are hosting an event in 3 first-time cities: Singapore, Vancouver, and Los Angeles. What new cities should we do in 2020? Tweet at us with your ideas :).

The future of live hacking events

Expanding live hacking events to include different formats and engagements is something we are very excited about. And we’ve got a dedicated and experienced team leading the charge. If you’re a customer interested in a live hacking event, please discuss with your account representative, or if you’re a hacker and you have any questions for the team, let us know. Want to host a live hacking meetup in your hometown like @samuux did in Santiago, Chile recently, send us an email for consideration!

Happy hacking!
Luke

The 7th Annual Hacker-Powered Security Report

Hacker-Powered Security Report