In June, sixty-one hackers from thirteen countries gathered (virtually) to hack digital payments platform PayPal as part of HackerOne’s latest virtual hacking event, h1-2006. Hackers disclosed over 100 unique vulnerabilities over the course of two weeks and earned over $770,000 in bounties, making h1-2006 the second highest paying live hacking event of all time (live or virtual).
While this was PayPal’s first foray into a live hacking event, the team is no stranger to bug bounties. PayPal has been working with hackers since 2012, constantly evolving their program to challenge the hacker community with new opportunities to earn. Along with a complex scope at h1-2006, PayPal introduced a bounty structure with an average bounty of $7,000 and a highest bounty of $30,000, reflecting the time and effort hackers would put into poking holes in an already hardened attack surface.
“I’ve been hoping for a target like this for a while. One with a heavy focus on a particular web app and with recent and modern technologies,” shared hacker @fisher, leader of the live hacking team DISTURBANCE and hacking on PayPal for the first time. “It’s also a target I (and many of my teammates) had never hacked on, so being a fresh target with a new security team to work with, it was all very exciting.”
One of the luxuries of a virtual live hacking event is time. Without the stress and exhaustion of having to travel to a physical location, hackers have more time to spend hacking in the comfort of their own homes. In fact, participating hackers dedicated over 3,000 hours to testing for vulnerabilities. Thank you, hackers, for your hard work and collaboration!
Live hacking events are a great way for companies to build relationships with the hacker community. In the past, these events have been an opportunity for the security team to meet the hackers in-person and work side by side.
For a complex target like PayPal, such an opportunity is beneficial for both parties. Hackers can discuss submitted reports directly with the security team and get clarity on the scope. In turn, the PayPal security team works even more closely with hackers who have been hacking PayPal for years, while building relationships with hackers who may be hacking PayPal for the first time. The event let PayPal’s security team strengthen the relationships it already has with the hacker community while cultivating new ones.
“PayPal has spent years working with hackers to uncover vulnerabilities that ultimately make our products safer for our customers and partners,” said Ray Duran, Information Security Engineer at PayPal. “Over time, the hackers from our bug bounty program have become an extension of our team, and we are beyond grateful for their contributions. The virtual live hacking event with HackerOne gave us an opportunity to deepen existing relationships and cultivate new ones that not only improve our security, but also make the internet as a whole a safer place.”
Hacker Alex Birsan (@alexbirsan) shared, “For me, the ability to chat with the PayPal team, as well as with so many incredibly talented hackers who were focusing on the same target at the same time, was especially helpful in keeping me motivated, allowing me to dig deeper, collaborate, and find some awesome bugs.”
Celebrating the Winners
Hacker @alexbirsan, who was awarded the Most Valuable Hacker award at h1-2006, shared, “Watching the awards ceremony, beer in hand, with my partner by my side cheering every time my name was said, was an absolutely special moment, and I’m sure the only way to make it even better would’ve been everyone being there in the same room.”
At the end of each event, we host a Show & Tell portion where a few selected hackers present to the customer and their fellow hackers a deep dive into an interesting bug they reported. It is an opportunity for the community to learn from one another and celebrate their peers’ accomplishments.
When we asked hacker @fisher if he had advice for hackers doing bug bounties he shared,
“‘You do you’ is one of the best pieces of advice I can give to anyone doing bug bounties. Imposter syndrome is real, as is survivorship bias. The only person you should compare yourself to is you. Instead of being sad or upset that someone else got a big bounty, you should ask yourself ‘Am I better than I was 6 months ago?’, ‘Have I learnt something new?’ or ‘Have I coded something new?’. There are a number of success metrics; getting big bounties is not the only one.”
Congratulations to all the hackers who participated! Thank you for your time and efforts. It is always great to see the excitement, camaraderie, and knowledge-sharing thrive in a virtual setting. The HackerOne Community Team is committed to providing the best experience to the community and customers who enable us to make the internet a safer place to be. With each event and CTF, we are giving hackers the chance to practice their skills and secure a portion of the internet. We feel privileged and honored to be a part of that journey. We hope to see you all in-person soon. Until then, happy hacking.