By Anna Hammond
November 22, 2022
Group hacking is a collaborative and creative sport. Organize it as a live hacking event with in-person attendees and you’ll get incredible synergy. Security researchers really thrive when they come together to give their all testing assets and systems for cybersecurity vulnerabilities during a set period of time.
At Intigriti, we’re no strangers to these events, having helped enterprise organizations like Yahoo and Visma organize live hacking events. So, today we’ll give you the insider’s scoop on what you can expect from a group hacking event, as well as the reasons for running such a gathering. We’ll also share some pointers on how to get started organizing your own live hacking event.
Live hacking events usually share the following qualities:
A fixed duration: Anything from 24 hours to two weeks is common.
A physical event: Hackers and security professionals gather in person, though during the pandemic, the events shifted online.
A predefined scope: A set of assets defined as the target for the testing.
The event goal is almost always the same: Discover as many vulnerabilities as possible in the allotted time in order to provide rapid and useful security feedback on the assets targeted. The singular focus of the security testers on the scope during the event will often turn up difficult-to-discover vulnerabilities that are particularly valuable to the hosting organization.
For hackers, an event is a great way to test their skills and abilities against one another, and to earn bounties, kudos and reputation. Events also provide opportunities to build relationships and network within the security community.
Inti De Ceukelaire, Head of Hackers at Intigriti, explains the value of in-person hacking events:
You can team up over the internet, of course, but it’s totally not the same as what we see when we organize physical, live hacking events. You get this creative outburst that you’ve never seen before. That is the true power of live hacking events.
Ethical hackers are a diverse crowd spread out across the globe. Bringing them together requires significant organization and funding. That’s why live hacking events are regularly organized as joint ventures between large organizations and security companies.
For example, lately, Intigriti has helped organize events with Yahoo & Visma—two large companies that are big players in the bug bounty community. Having an expert security team on hand helps the event go smoothly, as Will Chilcutt, Product Security Manager of Yahoo’s information security team, explains:
The whole Intigriti team has been very professional throughout the entire process, making sure our goals for the event are met as well as ensuring the researchers we bring will have a memorable time while they are here!
Generally, the security researchers at an event have been invited by the event organizers based on previous performance, known skills, and geographic location. Some companies will also reserve a certain number of seats for new-blood applicants in the hope of diversifying talent.
Even the most open events typically require hackers to submit written applications outlining their motivations and experience, but it’s ultimately always up to the organizer who attends.
Alongside the hackers, security teams from the organizations running the event will also be present and might include programmers or IT managers who are stakeholders in the assets being tested.
If the event is a joint venture with a security company like Intigriti, their team will also be there to help organize the event and they may provide triage of submitted findings, among other things.
Live hacking events deliver a surprisingly diverse array of benefits for everyone involved. Let’s take a look.
Why would a company want to organize such an event? For the company hosting the event, three reasons stand out:
Focus and discovery: Organize a good event and you’ll get the full attention of a team of dedicated hackers for days. As a result, organizations can come away from a live hacking event with mission-critical security reports based on unexpected techniques.
Networking: Internal bug bounty and security teams can build rapport with hackers during events. This improves future interactions and communication for everyone involved.
Learning: Engineers can watch in real time as hackers try to find vulnerabilities in the products they’ve built. Teams learn how potential adversaries may target their products, and why they should build with a security-first mindset.
As Visma Security Engineer and Bug Bounty Program Manager, Ioana Piroska, recalls from Visma’s recent live hacking event:
In the two weeks of live hacking, Visma received 363 submissions and 251 were considered valid. The vulnerabilities reported included two exceptional, two critical, and two 0-days. The event gave us a fantastic opportunity to engage with our community, and the result was a set of impactful reports in a short amount of time.
Ethical hackers often work alone, spending long hours in front of their screens. A live hacking event can help freshen enthusiasm by getting them together with fellow hackers and building new relationships.
At live hacking events, security researchers can look forward to:
Community & building new relationships
Learning new techniques
Bounties & swag
Increased reputation
Fun activities outside of hacking
Dieogobernal, a hacker who traveled from Spain to the Yahoo 1337UP0822 event, explains why he accepted the invitation to take part:
You get to meet new people and put faces to the names of the people you already knew before. From collaborating with other hackers, you can also get new ideas on how to find bugs that you may never have thought of. That feeling is great—and the bounties are a nice extra!
If you’re interested in organizing your own live hacking event, here are some tips to help you get started.
Make the event distinctive: try a unique scope, a new style of payout model, an exciting location, or a specific group of hackers. Choose something that increases engagement and, ultimately, findings.
When asked which part of the event they enjoyed most, Oct0pus7, a hacker who had traveled from Mexico, answered:
I enjoyed being with the other hackers at the event a lot. These hackers are some of the best out there. You get to share with them your skills and they’ll share theirs too. Other than this, the go-karting race was a lot of fun too!
“It’s better to be over-prepared ahead of schedule,” Will Chilcutt says, “than to have to change plans at the last moment on your engineering teams and hackers, potentially souring the whole event.” Organizing an event can take many months, so make sure you give yourself ample time!
Choosing the scope carefully is essential to maximizing the focus of so many skilled minds gathered in one location at one time. Visma Security Engineer and Bug Bounty Program Manager, Ioana Piroska, explains one successful approach:
We decided to take the opportunity to retest some of our most valuable and mature assets, which were already part of our bug bounty programs. These were the so-called “hard targets” because usually in a bug bounty program, most of the attention is focused on the new targets. Since we continuously add new features for our applications, we decided to pick the most experienced teams and some of the most important assets for Visma and retest them.
And if, for whatever reason, you find the prospect of organizing a physical, in-person event too daunting, virtual live hacking events can also be highly effective. Visma’s Ioana Piroska again:
[The event] was two weeks of live hacking, amazing reports, and great fun! But also, most importantly, Visma’s assets became more secure as a direct result of the virtual event.
If you’re ready to take the plunge and organize a live hacking event, Intigriti can help you get started. Contact us today to learn more about our group hacking partnerships. We can help you plan, execute, and scope your entire event.
Our most recent hacking event was with Visma e-conomic, which you can read more about in this blog.