Yahoo’s second live hacking event with Intigriti is just around the corner. Without giving too much away, this exciting event will bring together a select group of Intigriti’s security researchers to work on a specific scope set out by the team at Yahoo.
To get a feel for what’s to come, Intigriti sat down with Will Chilcutt, the Product Security Manager of Yahoo’s information security team—widely known as The Paranoids. Perfectly aligning with the broader ethical hacking community mantra, the Paranoids team describes themselves as “defenders of the things you love the most about Yahoo from cybersecurity threats.”
Now, without further ado, let’s meet Will!
Intigriti: Hi Will! Before we begin, can you introduce yourself and tell us more about your role at Yahoo?
Will: Hey everyone! I’m Will Chilcutt and I’m the manager of the team that runs Yahoo’s Bug Bounty program! For a little bit about my career trajectory, I was a mobile app engineer for about a decade before transitioning into being the lead on the Mobile Product Security program within the Paranoids (Yahoo’s awesome InfoSec organization!), and I am currently the manager of the Community Driven Security (CDS) team within the Product Security organization.
The CDS team’s goals center around embracing and empowering the external security researcher community as well as internal Yahoo engineers to build more security products for our customers. Beyond Bug Bounty, I also manage the teams that run our Security Champion program (which we call Deputy Paranoids), our Dynamic Analysis (DAST) program, our Insights program, and as well as our Product Security Life Cycle program!
Outside of work I am located right outside of Washington, DC where I live with my wonderful family. I try to automate as much as possible around the house, and when I do have some time to myself I enjoy jumping into a good game of Dungeons and Dragons!
Intigriti: Your live hacking event is very close. Can you tell us more about it?
Will: Sure! Our Bug Bounty team is really excited to get back to in-person events and our first return is in the beautiful port city of Antwerp, Belgium! The initial kick-off of the event was virtually on August 16th and then we will all come together on August 25th and 26th to hack in-person, followed up with an exciting day at Spa for the Formula One Belgian Grand Prix Qualifying event!
Intigriti: Wow! And how do the live hacking events impact your overall security efforts at Yahoo?
Will: Off the top of my head I can think of three different ways Live Hacking Events impact Yahoo’s overall security efforts:
The first would be the opportunity for our Bug Bounty team to build rapport with the hackers (and vice versa), with the intention of making interactions and communications in the future go smoothly.
Meeting and talking in-person can help give a better understanding on how each group thinks and operates. These interactions also help build loyalty to Yahoo’s Bug Bounty program. The hackers learn the real people behind the triaging and paying out of reports, seeing how passionate we are about making sure they have the best experience we can give them every time they submit a report to our program.
The second is giving engineers the ability to watch hackers in real-time try to find vulnerabilities on the products the engineers build on. It’s one thing to receive a Jira ticket after a bug bounty report has been triaged and you have to go fix the vulnerability. It’s another when you can walk up to that said security researcher and pick their brain. Knowing how potential adversaries may target their products in the future helps instill the need to build security in from the very conception before development even starts.
The third would be by enticing the security researchers with a) a fun scope, b) at an exciting, fun atmosphere, c) with some of the best hackers in the world and d) having a huge bounty pool to potentially make them a lot of money. If you can hit all of these checkboxes you will have the full attention of the hackers for days, sending in reports they probably wouldn’t have if they were just hacking from home on a normal day. By pointing the hackers at specific areas with our event’s scope, we hopefully either come away with exciting reports based on unexpected techniques or we walk away knowing that our team and the larger Paranoids organization is doing a great job protecting our customers.
Intigriti: How did you select the security researchers to participate in the event?
Will: This event is bringing together a wide variety of security researchers that were selected for numerous reasons. First, from our May virtual event earlier this year we gave three hackers Golden Tickets to the live event. From our private Elite program all current Elite members got invites as well as a few hackers who are loyal to our open program and consistently drop high severity bugs.
We then worked with Intigriti to bring together additional participants with certain skill sets relevant to the event’s scope. One of the main goals for this event is to also build out our European hacker community. We’ve been light in reports from the region for a while now and bringing together hackers across multiple European countries allows us to work with people of all different backgrounds and cultures.
As someone who leads a team of people from across the world and sees daily the huge benefit of varying outlooks, it just makes sense to do the same with the people that are helping Yahoo’s products be more secure.
Intigriti: What advice would you give to the rest of the community about how they can apply for future live hacking events with Yahoo?
Will: The best way is to earn a spot in our Elite program. Currently we update the Elite program every quarter, keeping the top 5 researchers within Elite and adding top 5 researchers from our Public program. You can learn more about our elite program over on the Paranoids blog.
Intigriti: What advice would you give other companies considering running a live hacking event?
Will: I’ll share two pieces of advice for anyone thinking about hosting a live hacking event:
The first is don’t be scared to try something different. Many companies and organizations are returning to in-person events and with only so many months in the year everyone is going to be competing to bring the top researchers to their events. Find something that sets your event apart from the rest, be it a unique scope, a new style of payout model, an exciting location, or a specific group of hackers. I love seeing people trying new things taking Bug Bounty to the next level. If you’re reading this and want to brainstorm about your event, please feel free to reach out to me!
My second piece of advice is to start planning for your event yesterday! At Yahoo, successful Live Hacking Events take many months of coordination amongst dozens of teams, and in this new age of things getting shut down or delayed, planning ahead is vital to make things happen on schedule. It’s better to be over-prepared ahead of schedule than to have to change plans at the last moment on your engineering teams and hackers, potentially souring the whole event.
Intigriti: What is the impact of having a triage team available on the day of a live hacking event?
Will: The expectation at a Live Hacking Event is quick turn around of reports and paying out for the reports. Without a triage team, you’re going to quickly run into a bottleneck of processing incoming reports. Any bottle neck in the process is going to lead to frustration for the hackers and they might be discouraged to continue hacking if their reports aren’t getting reviewed and paid out in a reasonable amount of time.
Having a triage team can help you focus on the exceptions and making sure the rest of the event runs smoothly. It’s a must have in almost every scenario!
Beyond the initial triaging we do when we first receive the reports, we also find it highly valuable to involve the engineers responsible for the products and features involved with the event, many times bringing them to the events to assist on-site. Having focused access to the engineers allows us to get the correct answers faster and move reports more quickly through the process.
Intigriti: How is Intigriti supporting you in ensuring the event is successful?
Will: We partnered with Intigriti for the first time with our May virtual event, but were simultaneously already planning for this August event in Belgium. The whole Intigriti team has been very professional throughout the entire process, making sure our goals for the event are met as well as ensuring the researchers we bring will have a memorable time while they are here! When we have needed to make changes, the Intigriti team worked with us to come up with multiple solutions. As a leader, I have confidence that whatever comes our way during the event we’re going to be ready to handle and solve!
Once again, the team can’t wait to touch down in Belgium and get back to in-person events, and we greatly appreciate the great partnership with Intigriti to make sure our first event back is a great success! I look forward to seeing all of our attendees in-person soon!
Intigriti: Thanks, Will. See you at the event!
Are you an Intigriti security researcher and wondering how to get an invite to future events, such as this one? We’ll be revealing some hints and tips from security researchers in the coming days for how you can improve your chances.
If you’re a security-driven organization with an interest in running your own live hacking event, get in touch! Intigriti has a wealth of experience running fun and impactful group hacking experiences in collaboration with clients. Start the conversation with one of Intigriti’s experts today!
About Will Chilcutt
Will is the Application Security, Bug Bounty Manager of The Paranoids, Yahoo. He is responsible for leading the following teams and programs within Yahoo’s Product Security organization, including Yahoo’s Infamous Bug Bounty team, the Security Champion Program aka Deputy Paranoids, and the Dynamic Analysis program.