Important Links:
Registration
The Paranoids Event Overview
The Paranoids Event Insights
Contact h1-2010@hackerone.com for any questions!
We are so excited to have you participate in h1-2010! Live Hacking Events are an experience like no other. For all you first-timers, below is a quick guide for what to expect at an event and frequenty asked questions.
Q: What should I expect from a live hacking event?
A: The environment at a Live Hacking Event is like nothing you’ve ever seen. Anywhere from 50-100+ hackers from all over the world come together to hack against interesting targets with competitive scopes, and awesome bounties in a timeboxed setting. You will get to engage directly with the security teams from some of the most recognizable companies in the world, teams like The Paranoids!
This event, h1-2010, is virtual and the largest live event ever attempted. h1-2010-Open (September 22-26, 2020) is open to all Hackers on the HackerOne platform. Haven’t registered? Register here! The top 50 Hackers from h1-2010-Open and six Golden Ticket winners will be invited to h1-2010-Qualifier (October 8-14, 2020). Finally, the top 25 Hackers from h1-2010-Qualifier will be invited to h1-2010-Final (October 21-27, 2020) with the closing ceremony, winners and awards being announced on October 30, 2020.
Q: I missed registration! What do I do?
A: Email h1-2010@hackerone.com and we will send you an invitation within 24 hours!
Q: How do we talk to each other, HackerOne, and The Paranoids?
A: During the h1-2010-Open, we will be connecting via Hacker101 Discord:
- This is where you can chat with hackers, collaborate before the event, ask questions of your fellow community, the HackerOne team, and the The Paranoids. Please keep things professional, but fun!
- We’re all remote, so please engage with each other as much as you’d like. Want to create a gaming team? Want to do virtual Pictionary? Any other ideas? Let’s set it up!
Here are some channels you should pay special attention to:
- #h12010-announcements: General channel where we’ll share announcements about the event!
- #h12010-be-yourself: Share quick bio, focus areas, and any other info you want! This is a great way to get to know your peers in this event and set up interactions going forward as well as find people to collaborate with!
- We encourage you to share personal details too!
- What does your hacking setup look like?
- What do you like to do in your free time? Share pics of your pets!
- #h12010-hacking-questions: This is the space to ask any questions specific to the scope, access, questions on your bug, questions for triage team, etc. The Paranoids and HackerOne teams will be available to assist!
- #h12010-event-questions: Any questions regarding event logistics or general questions, drop them here!
- #h12010-memes: Toss any fun infosec memes or memes you created in this channel! (keep ‘em appropriate and keep ‘em clean)
Q: I have a question about a bug that I don’t want to drop in a public channel. Who can I reach out to?
A: If you have specific report questions or want to chat it through w/ The Paranoids before you file, reach out to BugBountyHQ-0101#0670, c0ldbr3w aka zom_snack#4597or flyingtoasters-VzM#5091
Q: I don’t have access to Hacker101’s Discord! What do I do?
A: Click here to create an account or sign in.
Q: How do I know if I should submit this report or not?
A: Short answer: If you believe it is a valid security issue and have a working POC and it is in the scope outlined in the program policy, submit! Worried about an informative affecting your rep? Good news, informative reports no longer affect your reputation. See a recent blogpost for more details: https://www.hackerone.com/blog/reputation-signal-impact-enhancements-whats-changing-and-why-it-matters
Q: What is the scope call with The Paranoids and HackerOne? A: Everything you need to know to hack! During this call, the live hacking event manager from the HackerOne community team will go over all of the event logistics, participation guidelines, and next steps. The Paranoids team will outline everything in scope, key focus areas, do’s and don’ts of testing, as well as go through their bounty table, mention and/or hint at bonuses, and give you all (the hackers) a chance to ask any questions you might have!
- Ask questions via Twitch chat and in the appropriate Discord channels!
- A great way to prepare yourself would be to read through the program policy for Verizon Media’s public bug bounty program: https://hackerone.com/verizonmedia.
Q: When is the scope call for H1-2010-Open?
A: The scope call will be streamed on Tuesday, September 22, 2020 at 15:00 UTC on HackerOne Twitch.
Timezones are tricky! This tool helps!
Q: When do H1-2010-Open submissions begin?
A: You will be invited to the event’s program immediately following the scope call. The program will be available for you to submit reports as soon as you have accepted the invitation.
Q: I agreed to the H1-2010 Rules of Engagement through the platform when I accepted the invitation. Where can I find that information to refer back to?
A: H1-2010 Live Hacking Rules of Engagement
Q: Will there be a “dupe window” during any point of this event? Also, what is a “dupe window”?
A: During a set time period for each of those phases, any duplicate reports will have their bounties split evenly across all reports. We will communicate when the dupe window is planning to be closed. Once closed, all dupes will be marked as such. There will NOT be a “dupe window” for h1-2010-Open. There will be one for h1-2010- Qualifier and h1-2010- Final rounds!
Q: How are bounty decisions made?
A: Bounty decisions are based on the bounty table listed in the private program policy page and a rigorous review process. Sometimes this means that it can take a while to determine your bounty amount. For this event, our goal is to have bounties determined as quickly as possible so they can be paid out during the event.
Q: You keep mentioning all these terms! I don’t know what anything means?
A: Completely understand! Live Events are a new ballgame for many of you. Here are some key terms to help you navigate:
1. Leaderboard
- This will show you where you and your fellow hackers are currently ranked.
- Ranking is determined based on the total amount of bounties each hacker has earned.
- During the event, the leaderboard is updated live!
- Access at hackerone.live
2. Awards
- After the last reports are triaged and bounties paid, both Paranoids and HackerOne awards are given at the end of the h1-2010 event, and will be shipped along with Award winners swag:
HackerOne Trophies for H1-2010-Open:
- 1st Place in Bounties
- 2nd place in Bounties
- The Exterminator – Best Bug of the h1-2010-Open
- The Vigilante – The Most Valuable Hacker of h1-2010-Open
HackerOne Trophies for H1-2010-Qualifier:
- 1st Place in Bounties
- 2nd place in Bounties
- The Exterminator – Best Bug of the h1-2010-Qualifier
- The Vigilante – The Most Valuable Hacker of h1-2010-Qualifier
HackerOne Trophies for H1-2010-Final:
- 1st Place in Bounties
- 2nd place in Bounties
- The Exterminator – Best Bug of the entire h1-2010 Event
- Best Hacker Collaboration – HackerOne values Community and Collaboration, and this award celebrates that. Winners will be selected based on similar criteria as the MVH: critical and quality reports, collaborating well with others, sharing tools and resources, and volunteering your valuable time for others.
- The MVH: Belt Winner – This decision is determined by both HackerOne and The Paranoids. This is a qualitative decision that is based on Consistency, Criticality and Community just like the previous!
(You can read a bit more about HackerOne Awards in this 2019 blogpost)
The Paranoids Awards:
- Paranoids #1, #2, #3 Hacker
- At the very end of the event The Paranoids will deliver a unique prize ring to the hackers who hold the #1, #2 and #3 slots on the final leaderboard.
3. Bonuses
- The Paranoids will often issue additional monetary rewards on top of the bounties earned for awesome prizes. The bonuses up for grabs are:
- Paranoid Asked you to Stop Testing
- Up to 5 of these will be available in h1-2010-open, h1-2010-qualifier and h1-2010-final each.
- When asked to stop, you must stop what you are doing and file a report with the information you have at the time you were asked to stop. You’re welcome to include conjecture, but that will not guarantee a higher bounty.
- Paranoid Asked you to Stop Testing
- Show & Tell is a special bit of fun for live events. Moving into the virtual realm, we have broken the standard S&T award into two pieces: Prepared and Presented
- Show and Tell – Prepared
- Up to 10 of these will be available in h1-2010-open, h1-2010-qualifier and h1-2010-final each.
- The Paranoids will select reports and ask you to prepare and record a 5-10 minute presentation about it.
- Show and Tell – Presented
- Up to 10 of these will be available in h1-2010-qualifier and h1-2010-final each.
- Not all presentations will be eligible to be displayed to the audience. If your presentation is selected for sharing, you’ll earn an extra bonus.
- Show and Tell – Prepared
- Daily Hacker Feature
- Each day of the entire event, we will announce a Paranoids’ selected “Hacker of the Day”. This can be earned by finding a super critical bug, writing an amazing report, developing the most user friendly proof-of-concept, being a true leader and companion in the hacker community, or anything else that makes you stand out.
- Best Report
- Up to 4 of these will be available in h1-2010-open, h1-2010-qualifier and h1-2010-final each.
- All valid reports earn bounties, but they are not created equally. Write an amazing report in order to earn this award.
Q: What is the social media policy?
A: HackerOne and the Paranoids are stoked to have you share and share and share on social media. Be creative and have fun but always keep in mind the following guidelines:
- Please feel free to tweet using the hashtag: #h12010 and #hackforgood and tag @Hacker0x01 and @TheParanoids.
- DO NOT post any sensitive details like scope, accounts, recon data, documentation. Absolutely no public posts on show & tells, live testing, vulnerability information, etc. This could earn you a ban from this and all future events, and potentially more consequences.
- During the event, please be sure to obtain permission from all parties in photos/videos before posting publicly especially screenshots from Discord, Slack, and Google Hangouts.
- When in doubt, ask before you post.
Remember, always be kind and courteous to the fellow hacker community! Refer to our Live Hacking Rules of Engagement for reference.
Q: How will the leaderboards be ranked? After each round, will the leaderboard be reset?
A: There will be a separate leaderboard for each portion of the event: H1-2010-Open, H1-2010-Qualifier, and H1-2010-Final. The leaderboard will be ranked on bounties and the top 50 from H1-2010-Open will move on to H1-2010-Qualifier. The top 25 from H1-2010-Qualifier will move on to H1-2010-Final.
Q: What does collaboration mean?
A: Two or more hackers working together to find and file a bug. You can use the HackerOne platform’s built-in “Collaborator” features to invite partners to your report so you can split a bounty. You can weigh each collaborator’s bounty as a percentage based on contributions and impact to the bug itself, split bounties evenly across all those on the report, or however you would like.
Note: the submitter of the bug does not have to carry the largest bounty weight, but they will be the only one to earn reputation, signal and impact points.
Note: Hackers are ONLY allowed to collaborate with the hackers registered and participating in the same round. For example, if you move on to H1-2010-Qualifier, you may only hack with fellow hackers in that round as it will have a specific scope private to that round and collaborating with others outside the event is a violation of our Rules of Engagement.
Q: I have a Golden Ticket, does that let me bring my friends into the H1-2010-Qualifier event?
A: No. The Golden Ticket is good for you alone, not you + hackers you would like to collaborate with.
Q: Is the scope going to be cumulative or is each round going to have a unique scope?
A: Each round will have a unique scope; it will not be cumulative.
Q: Is the golden ticket for the h1-2010 event or the next one?
A: The six Golden Tickets guarantee entry into the H1-2010-Qualifier event. If you decide to fight into the top 50 from the Open, great! If you decide to sit back and just use the ticket to get you into the next round, that works too; Golden Ticket is guaranteed entry into H1-2010-Qualifier, regardless of your rank in H1-2010-Open.
Q: Will there be an issue with the 5-report limit for new accounts?
A: Nope! For three reasons:
1. The HackerOne Triage team will be triaging instantly and not waiting until after each dupe-period ends.
2. We’re able to bypass the rate limit for hackers individually if they face any issues.
3. Once an account submits a valid report, the limit is no longer in effect for the program/event.
Q: Will there be swag?
A: Yes! Each phase will have its own swag bundle from both HackerOne and the Paranoids. These will be sent (digitally and/or physically) after the culmination of the event with the address submitted from the registration form. Closer to the conclusion of each phase, HackerOne and Paranoids will share what swag items you can expect to receive.
HackerOne Swag:
H1-2010-Open: All participants will receive digital swag that will be sent via email.
H1-2010-Qualifer: These participants will receive a t-shirt, poster & coin.
H1-2010-Final: These participants will receive an exclusive never been seen before swag.
Thank you,