HackerOne, a hacker-powered pentesting and bug bounty platform, announced that hackers earned more than $1.9 million in bounties during its Las Vegas live hacking event, dubbed h1-702. Hackers found and reported 1,000 security flaws for participating companies.
Amidst the Black Hat USA and DEF CON security conferences in Las Vegas, 100 hackers and 75 hackers-in-training from around the world gathered for three days to search for vulnerabilities in organizations including Verizon Media and GitHub, among others. At the end of the three days, hackers earned a record-breaking $1,902,668 in bounties, $1M from Verizon Media alone.
HackerOne’s live hacking events (LHE), started in 2015 in Las Vegas, are in-person bug bounty events where a diverse group of skilled hackers is invited to look for security flaws on specific assets in exchange for an award.
These events are different from ongoing bug bounty programs as they are in-person. During the event, hackers and organizations’ security teams work side-by-side to identify and validate reported security vulnerabilities and to award hackers for them.
HackerOne has hosted 36 days of live hacking, across 18 events, with 13 different customers, including the U.S. Marine Corps, U.S. Air Force, Dropbox and Shopify, in 10 cities around the world. Thirty percent of vulnerabilities found during LHE are deemed high to critical in severity on average.
During the three-day event, hackers were competing for more than just bounties – @try_to_hack, @corb3nik and @mayonaise won top nightly honors. The h1-702 2019 event winner was @inhibitor181, who was selected as the Most Valuable Hacker (MVH).
Hacker awards and honors are based on the number of valid security vulnerability submissions reported, HackerOne’s proprietary reputation score, and cumulative bounties earned.
h1-702 2019 was Verizon Media’s sixth live hacking event in two years, and the security team, known as The Paranoids, awarded hackers an impressive $1 million, the highest payout from a customer during an event. This comes at a time when nearly every technology leader is announcing bug bounty programs, with recent award increases announced by Apple, Google and Microsoft.
“Our bug bounty program is an integral part of security at Verizon Media,” said Chris Holt, Senior Technical Security Engineer at Verizon Media.
“We consider our bug bounty researchers an extension of our team, and these live hacking events help us strengthen our relationships and empower our community.
“Not only did we reward participating hackers a record-breaking $1 million over a 10-hour time period, but also celebrated our own Mark Litchfield (@mlitchfield) surpassing over $1 million in bounties collectively on the platform.
“The passion we see from these hackers about our program is palpable, and that enthusiasm for finding bugs within our brands ultimately strengthens the security of our platforms.”
In 2014, GitHub launched its Security Bug Bounty program. Motivated by the desire to keep GitHub users and the platform secure, the team has continuously worked closely with hackers through their program.
“Inviting hackers from around the world to hack the GitHub platform has been one of the most rewarding components of our bug bounty program to date,” said Greg Ose, Application Security Engineering Manager at GitHub.
“Spending time with the hackers with whom we’ve worked for half a decade, and getting to meet new hackers who just filed their first bugs to our program, has been invaluable. This is one of our favorite parts of participating in live hacking events. Our relationship with the hacker community is critical to the success of our bug bounty program.”
Community Day for hackers in training
Furthering the spirit of collaboration, h1-702 was also home to a community and hackers-in-training mentorship program. As part of the Community Day, 75 non-binary and women-identifying individuals were invited to a hands-on hacking class, taught by HackerOne head of education, Cody Brocious (@daeken).
The group also heard from Jesse Kinser (@randomdeduction), who gave an overview of her experience as a hacker while also providing insight into the hacking tools and programs to invest time in.
“Five years ago, the first h1-702 was an impromptu gathering of about 20 people in an MGM Skyloft,” said HackerOne co-founder Jobert Abma.
“Some cool bugs were found, but nothing out of the ordinary. It was analogous with the state of the community: we worked alone and didn’t share. About $100,000 was paid in rewards. Over the years, something changed.
“People started to see that working together resulted in more creative, more severe vulnerabilities and that people were there to celebrate and have fun together.”