By Yannick Merckx
June 9, 2022
Live Hacking Events (LHEs) are something special for everyone involved. Unlike regular, continuous bug bounty programs, LHEs really focus the attention of a select group of outstanding researchers on a very limited scope with equally limited time. And while we have had some very successful remote LHEs, we are also really looking forward to being able to have events in person again. Meeting all the different people involved, really being able to shut out the outside world for just a day or two and fully focus on hacking is almost… magical! Check out this testimony from one of our earlier LHEs: https://blog.intigriti.com/2020/01/02/hacker-impression-my-first-live-hacking-event/
Good findings need to be rewarded – on past events, we literally made it rain!
And as much fun as it is for the researchers who get to participate, it has just as much value for the companies hosting the event. Security teams are often left more than just convinced by the effectiveness of an LHE, and some have been really open with their feedback: https://blog.intigriti.com/2021/12/16/vismas-mother-of-hackers-speaks-to-intigriti-about-running-a-successful-virtual-live-hacking-event/
Check out the scoreboard from our previous LHE:
But behind all of that is also hard, hard work. Oftentimes the Intigriti team puts in long hours just to make sure that every participating researcher has all the support they need, that submissions are checked the very moment they come in, and that the company hosting the event gets the greatest possible value out of it. So with our release #36 we are delivering improvements on this end, making the process of handling Live Hacking Events easier and thereby allowing us to have more of them in the future (yaaay!)
Some concepts that we “featurized”:
Dupe Window
While in continuous programs the principle of “first come, first serve” applies, LHEs introduce the concept of a “dupe window”
Before any event, there’s usually already a period during which the scope is made available to the researchers (mostly two weeks)
Since there is such limited time, assets in scope sometimes get attention from the community for the first time. Researchers sometimes find the same issues independently of one another, submitting them within the same short period
Therefore, we need to be able to recognize submissions as equally valid even though they may be dupes of each other
Parent Feature
Of all the submissions that address the same item, one will be chosen to be the “parent”; for that we’ll usually choose the largest common denominator
But since no submission is ever exactly like any other, we also leave the ability to add additional rewards for those submissions that may have included additional findings
Reward Split
As we recognize all these different submissions during the dupe window as valid, we also want to be fair with the reward for the submission and split it
This split works the same way as it does by default for collaboration with other researchers: evenly distributed between all those with the same finding
Same as for the bounty, rep points are also awarded in equal proportions!
Great minds think alike
popular proverb
We’ve added our 2022 Ethical Hacker Report! We have already covered it here but you can now also find it under the “Resources” page of our website
At the same time, we’ve added some new customers to those that proudly use Intigriti and are represented on our website. Can you spot them all?
Last but not least, Intigriti is growing and we have updated the stats on our website accordingly. We have now:
…registered more than 400 programs!
…welcomed more than 50,000 researchers!
…paid more than 5 Million Euro in bounties!
Make sure to check out the Ethical Hacker Report!
During May, the Intigriti team took a trip to beautiful and sunny Mallorca. That’s it! The only “fact” here is that this was awesome and “fun” is what we had 😉
Does the idea of working in a promising, flexible and fulfilling environment inspire you? Discover careers at Intigriti by visiting our careers page or following us on LinkedIn. We look forward to your application!