After putting in-person live hacking events on hold due to social distancing regulations and travel restrictions, Yahoo made a ground-breaking comeback this month with their 1337UP0822 event. The global media and tech company combined forces with Intigriti to host their first in-person live hacking event in more than two years.
Today, we’re highlighting noteworthy performances from the participating hackers (also known as security researchers), and the influential impact of the event. Plus, if you’re a security researcher, discover how you can increase your chances of working on Yahoo’s live hacking events in the future.
Below you’ll find a video summarizing the event, but if you’re looking for more details keep scrolling for all the ins and outs of 1337UP0822!
The event was a significant milestone in the company’s 8-year program history, partly because most of the researchers they’ve engaged with so far have come from Southeast Asia, North America, and South America. As a result, Europe was largely untapped. However, Intigriti helped Yahoo turbocharge and accelerate the event’s success by expanding its researcher reach into Europe.
Will Chilcutt, a Product Security Manager within Yahoo’s information security team (The Paranoids), explained the importance of recruiting a diverse group of hacking talent:
“One of the main goals for this event was to also build out our European hacker community. We’ve been light in reports from the region for a while now and bringing together hackers across multiple European countries allows us to work with people of all different backgrounds and cultures. As someone who leads a team of people from across the world and sees daily the huge benefit of varying outlooks, it just makes sense to do the same with the people that are helping Yahoo’s products be more secure. ”
Further, while bug bounty programs offer endless benefits to cybersecurity teams, they require continuous community engagement to ensure success. With the help of a bug bounty platform, like Intigriti, live hacking events create the opportunity to maintain the attention of top-performing security researchers over the course of a few days. It also helps reach new communities of researchers with different points of view and untapped hacking abilities.
Yahoo chose to entice the security researchers with a fun scope, an exciting atmosphere with some of the best hackers in the world, and a hefty bounty pool! Here were some of the event’s highlights:
Together with Intigriti, Yahoo invited 40 security researchers to participate in the 1337UP0822 live hacking event. Speaking again to Will Chilcutt, he gave insights into how the security researchers were selected:
“First, from our May virtual event earlier this year, we gave three hackers Golden Tickets to the live event. From our private Elite program, all current Elite members got invites as well as a few hackers who are loyal to our open program and consistently drop high severity bugs. We then worked with Intigriti to bring together additional participants with certain skill sets relevant to the event’s scope.”
Hint! Interested in joining Yahoo’s Elite Bug Bounty Program? Check out their tips on improving your chance of claiming a spot on the Elite program.
The initial kick-off of the event took place on August 16th in a virtual environment. Then, Yahoo, Intigriti, and the selected security researchers came together on August 25th and 26th to hack under one roof. There were several awards (and prizes!) up for grabs, including:
Best performing hacker and team based on the live leaderboard (reward-based)
Most valuable hacker (chosen by the Paranoids)
Best Proof of Concept (POC) submitted
Most (valid) vulnerabilities found
Best vulnerability found.
Like Yahoo’s virtual event in May, where the target was the OWASP Core Rule Set (CRS), 1337UP0822 also focused on an open-source tool that protects Yahoo products and services. This time, the researchers targeted Yahoo’s open-source text engine tool, Vespa.
As described by the Paranoids: “In September 2017, Yahoo open-sourced Vespa. The tool decides what to show someone when they query local results, images, and answers to questions. Lightning-fast. Yahoo still uses Vespa in Mail and the main Yahoo search engine. And the tool handles more than 500,000 queries per second, serving nearly a billion users. The findings from this event will enable the Paranoids to further support that work.”
Other Yahoo products that were in scope for the hackers to test included Member Services, Arkime, Yahoo Mail, Techcrunch, and AOL.com.
Security researchers expect a quick turnaround of reports and payments at a live hacking event. To ensure maximum efficiency, Intigriti made sure to have its triage team on-site and ready to go!
Intigriti triagers analyzed live hacking submissions in real-time
Will Chilcutt explains the importance of having triage available during a live hacking event:
“Without a triage team, you’re going to quickly run into a bottleneck in processing incoming reports. Any blockage in the process will lead to frustration for the hackers—and they might be discouraged to continue hacking if their reports aren’t getting reviewed and paid out promptly. A triage team can help you focus on the exceptions and ensure the rest of the event runs smoothly. It’s a must-have in almost every scenario.”
Will also revealed that during the triage process, it is highly valuable to involve the engineers responsible for the products and features. For that reason, they too were present to assist on-site. Their presence meant reports could move faster through the process, and added to the overall atmosphere and momentum.
Top 25 hackers at Yahoo’s live hacking event, 1337UP0822.
After two days of intense live hacking, the researchers nervously waited to hear the results. Together, the group achieved a phenomenal result:
Total submissions: 218
Total bounty payouts: $240,000
Highest bounty paid out: $15,000
Hacker, putsi, came out at the top of the leaderboard, earning an exceptional streak (based on contribution and impact.) Of his 11 submissions, 10 were accepted. The leading team, self-titled as the “Swedish Injection!” and made up of hackers stok and p4fg, achieved 18 acceptions of their 24 submissions.
Most valuable hacker chosen by Yahoo
The Champ: putsi
Number 1 on the leaderboard (reward-based)
The Steward: putsi
Best PoC submitted
The Mechanic: stok
Most (valid) vulnerabilities found
The Veteran: blaklis_
Best vulnerability found
The Manufacturer: j0v
Number 1 team on the leaderboard (reward-based – average, divided by team members)
The Pit Crew: The Swedish Injection, made up of hackers stok and p4fg.
Honorable mentions
Amakki, Niemand_sec, unctrlcha0s, r4id_, x1m, kapytein, smsecurity, oct0pus7, cristi, m0chan
On Thursday evening, the team celebrated a hard day’s work the only way they know how: Another friendly competition! This time, they went go-karting.
The hackers also enjoyed some down time mid-way through Yahoo’s live hacking event.
And the fun didn’t end there. After the live hacking was over, the team followed up with a once-in-a-lifetime experience at the Formula One Belgian Grand Prix Qualifying event. For Intigriti’s Head of Hackers, Inti De Ceukelaire, this was one of the most exciting parts of the week:
“I felt shivers down my spine when I saw all the tired but satisfied hackers enjoying the Belgian Grand Prix Formula 1 event from the grandstand, after two intensive days of hacking. As a Belgian, I felt proud to host a group of so many talented people in our country and it was great to see that they were having a great time. After months of preparations with the Yahoo team, it was staggering to see the F1 and karting theme contribute to the vibe and atmosphere that resulted in a wave of newly engaged hackers for their bug bounty program.”
1337UP0822 summarized in one post by participating hacker, Joren Verheyen [Source: LinkedIn]
Midway through the event, Intigriti hosted a LinkedIn Live Q&A session with Sean Poris, Senior Director of Security at Yahoo. In this conversation, he explained some big lessons he’s learned over the years from running their program and gave advice to firms considering vulnerability disclosure. He also revealed that there are two key elements of any healthy program:
Clear rules of engagement (such as usable documentation)
Repeatable processes to ensure similar experiences across researcher reports.
If you didn’t catch the interview live, you can still watch it via the 40-minute recording on Intigriti’s YouTube channel.
Are you an Intigriti security researcher and wondering how to get an invite to future events such as this one? Check out some hints and tips from security researchers for how you can improve your chances in the future.
If you’re a security-driven organization with an interest in running your own live hacking event, get in touch! Intigriti has a wealth of experience running fun and impactful group hacking experiences in collaboration with clients. Start the conversation with one of Intigriti’s experts today!
