Bringing the Heat to Vegas: Recapping record-breaking h1-702
Prior to attending Hacker Summer Camp, there were whispers (or roars) of the infestation of grasshoppers in Las Vegas, Nevada. Local and national news outlets shared horrifying images that would surely haunt any entomophobe’s dreams. We have to admit, we shared in the panic. What were we going to do when we descended on Vegas and were haunted by the chirping masses? And yet when we landed, there was no sight of the creatures. Hacker Summer Camp, sprawled out over several iconic Vegas locations for BSides LV, Black Hat USA, h1-702 and DefCon, was virtually bugless. Of course, any hacker knows that just because you can’t see a bug immediately, doesn’t mean it isn’t there.
And the hackers of h1-702 certainly found bugs. The largest number of participating hackers ever for a live event submitted over 1,049 security flaws to customers over 3 days. This was the highest number of vulnerabilities reported during a live event. The creativity and hard work it took to report more bugs than ever before resulted in a record-breaking nearly 2 million dollars in bounties being paid out to hackers from the three participating organizations.
Swinging into Action —
To celebrate the start of an un-fore-gettable event, hackers gathered at Top Golf for great food, conversation, and golfing. The crew enjoyed practicing their golf swings while mingling with other attendees of h1-702. Live hacking events, like h1-702, are a unique type of bug bounty engagement in which hackers from all over the globe participate in a timeboxed testing period focusing on a targeted set of assets. The relaxing outdoor atmosphere of Top Golf was the perfect way for the crew to gear up for an invigorating challenge of three nights of hacking.
Viva Hack Vegas —
Hosted at the SLS hotel, hackers and customers enjoyed four floors of custom-designed hacker-space, including a wet deck with technology-equipped cabanas. With the intention to celebrate the hacker in all of us, h1-702’s space fostered and reflected the same creativity needed from the team to break through the tough targets of h1-702.
With a contagious energy, hackers diligently collaborated through the evening hours to find critical vulnerabilities in the first target. As hacking wrapped at midnight, the first night of h1-702 resulted in 637 report submissions and over $745,164 in bounties awarded!
To wrap up this incredible first day, we concluded with the fan-favorite — Show and Tell. During Show and Tell, selected hackers shared with their peers the coolest or most challenging bug they found. When Show and Tell concluded, awards were handed out to uproarious applause on this historic night.
Hack Life —
Powered by the vitality of the first night’s success, hackers were ready to meet the second day of h1-702 with gusto. In 2014, GitHub launched its Security Bug Bounty program. Motivated by the desire to keep GitHub users and the platform secure, the team has continuously worked closely with hackers through their program.
“Inviting hackers from around the world to hack the GitHub platform has been one of the most rewarding components of our bug bounty program to date,” said Greg Ose, Application Security Engineering Manager at GitHub. “Spending time with the hackers with whom we’ve worked for half a decade, and getting to meet new hackers who just filed their first bugs to our program, has been invaluable. This is one of our favorite parts of participating in live hacking events. Our relationship with the hacker community is critical to the success of our bug bounty program.”
Furthering the spirit of collaboration, h1-702 was also home to a well-rounded community and mentorship program. 75 non-binary and women-identifying individuals were invited to hands-on hacking training. The night started off strong with Jesse Kinser's overview of bug bounty hacking. Jesse introduced the new hackers to security concepts and great tools and reminded them that the most important tools a hacker uses are patience and creativity.
With the new hackers prepared for the life-long learning ahead of them, Head of Education Cody Brocious (@daeken) took the stage and taught participants the basics of the hacker mindset, how various vulnerabilities function, and how to hunt for bugs. Attendees then proved their skills on the Hacker101 CTF with the help of Hackeronies and Elite Hackers who took time out of hacking to be on hand for questions. Several attendees even earned their first private program invitations during the session! We cannot wait to see these hackers join our elite ranks at future events.
As we’ve said before, fostering and growing the hacker community takes a village. We’re incredibly proud to partner with amazing groups like Women In Security and Privacy (WISP) and Cyberjujitsu to continue supporting our mission of building a safer internet, which we believe is possible with the problem-solving attributes a diverse community provides.
With a mentorship program devoted to bringing out the best in our hackers, we were thrilled to partner h1-702 hackers and mentees together to collaborate during the event this year. Five mentees were partnered with four hacker mentors. The mentees had a recon workshop, taught by recon king Ben Sadeghipour (@nahamsec), a Burp Suite lesson by Cody (@daeken), and a methodology workshop by Inti De Ceukelaire (@securinti) prior to the event.
“Being immersed and involved in the onsite event overall. Aside from the technical aspects, feeling the "energy" of everyone hacking is motivating. Having access to mentors and other hackers was truly helpful.” - Mentee attendee, @cyberjin
Crit City —
Verizon Media is synonymous with stellar live hacking events. h1-702 2019 was its sixth live hacking event in two years. The security team, aptly named The Paranoids, intended to build on their well-earned event reputation as a live hacking powerhouse. Through the talent of the hackers and collaboration from The Paranoids, Verizon Media paid out the highest amount of bounties in a live event...ever.
“We consider our bug bounty researchers an extension of our team, and these live hacking events help us strengthen our relationships and empower our community. Not only did we reward participating hackers a record-breaking $1 million over a 10 hour time period, but also celebrated our own Mark Litchfield (@mlitchfield) surpassing over $1 million in bounties collectively on the platform. The passion we see from these hackers about our program is palpable, and that enthusiasm for finding bugs within our brands ultimately strengthens the security of our platforms.”
The record-shattering evening was the perfect denouement to an astounding h1-702. Started five years ago, h1-702 has grown by leaps and bounds. This is thanks to amazing customers, like GitHub and Verizon Media, and, of course, it would absolutely not be possible without the talent, passion, and drive of the hacker community.
“Five years ago, the first h1-702 was an impromptu gathering of about 20 people in an MGM Skyloft,” said HackerOne co-founder Jobert Abma. “Some cool bugs were found, but nothing out of the ordinary. It was analogous with the state of the community: we worked alone and didn’t share. About $100,000 was paid in rewards. Over the years, something changed. People started to see that working together resulted in more creative, more severe vulnerabilities and that people were there to celebrate and have fun together. This year, 100 hackers gathered at h1-702, some of whom were also at the first edition. It was a lively, collaborative environment where people shared their knowledge and celebrated together. It resulted in nearly $2 million in rewards.”
Here’s to Hackers —
Every contribution from participating h1-702 hackers was an incredible testament to the power of crowdsourced security, but some submissions stood above the rest. We are incredibly proud to recognize these hackers as the best hackers over the three days of h1-702 and, of course, to recognize the entire event’s Most Valuable Hacker.
Congratulations to @try_to_hack, @corb3nik, and @mayonaise for winning the top nightly honors. At the conclusion of three consecutive nights of hacking, customers and HackerOne staff selected the top overall MVH — or Most Valuable Hacker — of the weekend, @inhibitor181.
Our team is thrilled to continue to build live events that foster collaboration, knowledge-sharing, and diversity. We are dedicated to giving the best experience to the community and customers who enable us to build on our mission of making the internet a safer place to be, and we thank them for the opportunity to continue to do what we love.
We have more great events coming up soon:
September 21, 2019 - Vancouver, Canada
November 7, 2019 - November 9, 2019 - Los Angeles, California
Stay tuned for more details and, as always, happy hacking!