h1-2010 Live Hacking Video Recap
Sam Spielman
How can we make this one different?
For organizations that operate in the digital space, there’s no such thing as business-as-usual anymore, which means that business-as-usual security can no longer suffice. So when HackerOne and Verizon Media came together to host a second virtual live hacking event, we knew we needed to think outside the box.
Live hacking events, both virtual and in-person, are about bringing people together. Connecting hackers not only with security teams, but also with the product and development teams directly impacted by vulnerability reports yields a richer understanding of security bugs. It leads to better fixes and a deeper connection with the hacker community. Hackers get a direct line to ask questions of both HackerOne and program teams, giving them more personalized insight into assets in scope. Perhaps most importantly, hackers and security leaders can connect with each other, fostering collaboration and continued learning.
In the virtual world, we couldn’t lose this powerful connection. We were determined to enhance it, not just replicate it, in a virtual environment. This goal raised questions in two key areas:
- Inclusivity — Would it be possible to open up an event to the world? At a time when security must be managed remotely, we have the unique opportunity to engage the naturally remote hacker community.
- Positive Security Impact — Live hacking events have a high bar for success. Some of the top hackers and emerging talent from across the globe come together under one roof to collaborate and compete. On average, we see approximately 65% of all bounties paid at live hacking events go to high and critical vulnerabilities. How could we achieve this with an event of global proportions?
On August 31st, HackerOne and The Paranoids, Verizon Media’s security team, announced a brand new event structure — the entire world was invited to hack! By September 18th, we had over 3,000 confirmed hackers registered to participate.
“Security leaders across the globe have been witness to unprecedented changes in the security landscape, the assets they defend, and the way they work,” said Sean Zadig, VP & CISO of Verizon Media, on the decision to open H1-2010 to any hacker across the globe. “The way we did security 9 months ago will never exist again. Attack surfaces have changed for good, and partnering with HackerOne to convene the global hacker community would empower us to keep pace.”
The event was structured in three rounds:
1. H1-2010 Open: This first round of the event began on September 22nd with a kick-off ceremony on HackerOne’s Twitch. Anyone and everyone was invited to participate, and all registrants received an invitation to the event’s private program. Over 59 countries were represented, with 243 hackers submitting valid vulnerabilities. Of those, 12 submitted their first-ever bug and 97 submitted their first bug to Verizon Media. H1-2010 Open paid a total of $343,689 in bounties for 172 valid vulnerabilities found on *.yahoo.com.
2. H1-2010 Qualifier: The intended design for this second round was for 50 hackers to make the cut. However, we received so many great submissions that we accepted all 13 hackers tied for that final spot, moving 63 hackers on to the Qualifier round.
After a short break, these 63 remaining hackers focused on entirely new scope for the next 7 days. Throughout the round, 41 hackers from 15 countries earned bounties for finding 103 unique, valid vulnerabilities. $223,628 was paid to hackers for their research.
3. H1-2010 Final: After a month of hacking, breaks, interviews with top hackers, and Call of Duty game nights, the top 25 hackers moved on to the closing round.
Nearly half (11) of these top hackers had never participated in a live hacking event before this.
“The talent was palpable,” said Ben Sadeghipour, Head of Hacker Education at HackerOne. “With these results, it’s clear that virtual hacking events give companies the ability to engage with, educate, and learn from hackers they never would have collaborated with otherwise, even more than they could in a physical location. At the same time, hackers had the unique opportunity to meet new people, collaborate, and learn in their own time zone and at their own hacking set-up, creating partnerships and mentorships built to transcend global restrictions.”
Over the course of the final round, 7 remaining countries were represented with a total of $131,257 paid to 22 hackers for 92 unique, valid vulnerabilities.
Let’s add it all up, shall we?
H1-2010 as a whole paid a total of $702,039 in bounties across over a month of hacking against three different scopes. 367 unique, valid vulnerabilities were found. A total of 4,492 reputation points were gained by hackers, and hackers from 59 countries participated.
Now onto the moment we’ve all been waiting for, the H1-2010 winners!
Four hackers earned awards for each round for the following superlatives:
- The Exterminator – Best bug of the round
- 2nd Place – 2nd highest bounty total
- 1st Place – Highest bounty total
- Vigilante – Most Valuable Hacker of the round
In addition, Verizon Media issued a Hacker of the Day award for each day of hacking, culminating in an overall awards ceremony and additional awards for performance across the entirety of the event.
H1-2010 Open Award Winners
Verizon Media’s Hacker of the Day Winners:
H1-2010 Qualifier Award Winners
Verizon Media’s Hacker of the Day Winners:
H1-2010 Final Award Winners
Two of these hackers were participating in their very first live hacking event!
Verizon Media’s Hacker of the Day Winners:
To the top three hackers on the H1-2010 Final round leaderboard, congratulations on winning a Paranoids Bug Bounty World Champion Ring!
Overall H1-2010 Winners
The Exterminator award went to the hacker who submitted the best bug of the event, Mayonaise!
Mayonaise consistently brings the heat with any live hacking performance, and knows the Verizon Media attack surface like the back of his hand. Check out his interview with nahamsec and HackerOne triager chinchilla here!
The Best Collaboration award winners were selected based on criticality and quality of reports, strong collaboration, sharing tools and resources, and volunteering valuable time to help others. The award went to none other than Hussein and the Old Dads!
Made up of rez0, todayisnew, hogarth45, hussein98d, and the_arch_angel, this team got its name because four out of the five members have young children. If you haven’t seen it yet, check out Gilbert Gottfried’s cameo and the friendly competition between this team and mayo!
For Most Valuable Hacker, the HackerOne team and The Paranoids looked for someone who showcased exemplary contributions to the community, delivered vulnerabilities of high criticality throughout the event, performed consistently well across all three rounds, and embraced collaboration. Congratulations to Chilean hacker, Roberto Álamos, for earning the H1-2010 MVH belt!
Roberto, better known as ralamosm online, demonstrated exemplary professionalism and thoroughness. Ralamosm consistently engaged in activities throughout the event and always looked for opportunities to collaborate with others in the hacking community via Slack.