London Called, Hackers Answered: Recapping h1-4420
On an unseasonably sunny summer day, hackers from around the world descended on London, England, not to see an unobstructed view of Buckingham Palace, but to break into one of the most innovative brands today in what has been dubbed the greatest city for innovation. On June 8, 2019, HackerOne and Uber partnered for their third live hacking event to date — h1-4420. For three days, London became the scenic backdrop to our mission: to empower our community to make the internet — and Uber — safer. Over nine hours of hacking, $375,000 in bounties were paid to hackers for more than 150 unique submissions.
Day 1 — London Called, We Answered
Celebrating the conclusion of another successful year at InfoSec Europe, one of the largest security conferences in Europe, and the beginning of h1-4420, industry leaders and hackers came together for an evening of networking and socializing at Latmyer’s pub. With plenty of delicious bites and enthralling conversation, the team was in good spirits going into a full day of hacking one of the world’s premier ride-hailing giants.
Day 2 — Hackers of London
Recently named one of the Top 20 Public Bug Bounty Programs on HackerOne, Uber has a long-standing history of working side-by-side with hackers to protect their users. Since their program’s inception, Uber has paid out over two million in bounties, thanked over 600 hackers, and resolved over one thousand reports.
“Working with hackers to find and resolve vulnerabilities is an important part of Uber’s ongoing commitment to safety, which includes the security of our products,” said Lindsey Glovin, Bug Bounty Manager at Uber. “Our relationship with the research community is critical to the success of our bug bounty program and live hacking events give us the opportunity to thank them in-person while amplifying the value they contribute to Uber’s security efforts.”
No stranger to live hacking events and the volume of valid vulnerabilities they can produce, Uber and 36 HackerOne hackers from 17 countries across the globe worked swiftly to find vulnerabilities in Uber, Uber Eats Restaurants and Uber Freight. In the days leading up to the event and over the course of the day at h1-4420, the vulnerabilities discovered earned the following hackers top marks.
@fransrosen - The Exterminator (best bug)
@ngalongc - The Exalted (most reputation earned)
@inhibitor181 - The Assassin (highest signal)
From those who have hacked on Uber’s program for years to hackers who explored the assets for the first time, every hacker contributed to the success of h1-4420.
Included in that contribution were local, eager, and new hackers. Throughout the live hacking event, mentors paired with mentees and helped to answer questions and creatively solve challenging problems. Through this teamwork, hacker @InsiderPhD was able to report not one, but two valid vulnerabilities, earning her first (of hopefully many) bounties!
And let’s cheers to h1-4420’s Most Valuable Hacker (MVH), @tomnomnom. Recently, @tomnomnom had taken a break from bug bounties and had addressed publicly the struggles of burnout. Coming back to the hunt with fervent energy, enthusiasm and determination at a live event earned him the MVH belt. From all of us at HackerOne, we’re proud of you, and congratulations!
“It truly was an absolutely amazing day. The atmosphere, the findings, and most of all: the people; the whole community is the most welcoming and supportive I've ever had the fortune to be a part of. The feeling when I got a big payout and half the people in the room rushed to congratulate me is one that will stay with me for a very long time. And to win the Most Valuable Hacker award on top of that? It's just indescribable.” - @tomnomnom
To end the day, Uber’s CISO Four gave closing remarks, which underlined the importance of creative problem-solving to practice security that better protects users. Although live hacking events may only take place over the course of a day, the impact of international collaboration and infrastructure secured lasts far longer.
Day 3 — Here Comes the Sun
To celebrate the vulnerabilities found and teams built during h1-4420, the hackers joined together to explore the city on an educational cruise along the River Thames. During the tour, the team was able to take in historical landmarks like London Bridge, Big Ben, and MI6’s iconic building.
Thank you to Uber for supporting this incredible event. We are proud to partner with you and support your commitment to giving your users a safe digital experience. And thank you, again, to our talented and creative hackers. As always, we enjoyed getting to witness your collaboration and work by your side.
Our live events hold a special place in our hearts and we have exciting news to share. During the wrap of h1-4420, HackerOne announced the next three upcoming live hacking events.
August 8, 2019 - August 10, 2019 - Las Vegas, Nevada
September 21, 2019 - Vancouver, Canada
November 7, 2019 - November 9, 2019 - Los Angeles, California
Stay tuned for more details and, as always, happy hacking!