HackerOne, Verizon Media weigh pros and cons of making live hacking contests virtual

The good thing about it was that it was big. The bad thing about it? That it was big.
Richard Zhu, center, and Amat Cama, standing to Zhu's left, demonstrate their Firefox exploit at the Pwn2Own conference in March 2019 in Vancouver, British Columbia. (Pwn2Own)

Among all the ways COVID-19 has affected the cybersecurity world, perhaps nothing has become as impossible as in-person live hacking events, which were once a staple of the industry.

The coronavirus has forced bug bounty company HackerOne and Verizon Media to host two online hacking events together since the outbreak, and they recently completed what they billed as the world’s largest live hacking contest.

Live hacking events, whether virtual or in-person, give companies a chance to lure ethical hackers to find their security flaws before the attackers do, and can serve as recruiting opportunities for corporate positions, too. What made the most recent competition stand out was its massive size, and what the experiment could mean for the rest of the bug bounty community.

The HackerOne/Verizon Media duo wasn’t the first to move live hacking events online. Pwn2Own made a similar transition in March.


More than 3,000 people from 59 countries registered for the three-phase, five-week, tournament-style competition, compared with the 50 to 60 invitees at a live, in-person hacking event, and the benefits and downsides of the switch ended up being related, the companies concluded. The event's size brought in many new participants, but that same size made it a trying undertaking.

In some ways, the virtual competition also produced similar results to live hacking events. For instance, about 60% of the vulnerabilities uncovered at a normal event are typically rated critical and high-severity, and Luke Tucker, senior director of global hacker community for HackerOne, said he didn’t see anything “wildly out of the typical” on that front.

At least one outside expert, Katie Moussouris, said she didn’t know if a global live hacking event like the one HackerOne and Verizon Media hosted would be “particularly useful.” Verizon Media is weighing the huge effort that went into the event against what it got out of it, as the company considers whether it’s worth the effort to organize another contest.

One question going in, said Sean Poris, Verizon’s director of product security and assurance, was whether the same participants who won spots on prior top 25 lists at previous live events would maintain their standing against a pool of global competitors. What began as a hacking event focused on all of Yahoo’s properties before narrowing down — Verizon bought Yahoo in 2017 — produced 11 people in the final top 25 who never had participated in a live hacking event before, said Tucker.

Newcomers thrived in each round, too, Poris said, whether they were just from previously untapped hacker communities or first-time players.


“To have a live event in 2020, they were able to expose new people to new talent,” Tucker said. In all, hackers uncovered 367 unique, valid vulnerabilities with payouts totaling more than $700,000 over the course of September and October.

One of the hackers who ranked highly among those competing, John Colston, is a frequent participant in live hacking events, and concluded that he “absolutely loved the concept,” including the tiered approach.

“It was great to expose a lot of the unknown to me,” said Colston, who also said the online events make it easier to concentrate from a home office. “I don’t really have a good clear picture of the landscape of the hackers who are out there, and to have a competition that opened it up to the world, [I] really got to meet a lot of people.”

Moussouris, a bug bounty pioneer and a former chief policy officer for HackerOne who still holds stock in the company, said the public element of the competition is good because “it gets people excited about cybersecurity.” But she said it was probably not as helpful as HackerOne and Verizon Media thought, beyond generating headlines.

“They can be fun. There’s nothing wrong with them in and of themselves,” said Moussouris, now CEO of Luta Security. “It is the fact that you’re using them to convey a message of security maturity and due diligence.”
