An overnight hackathon held by bug bounty platform YesWeHack saw researchers battle to earn a maximum of €10,000 (US $10,890).
The event, dubbed ‘Hack Me I’m Famous’, saw 40 bug bounty hunters compete to find vulnerabilities in French scale-ups or ‘unicorns’ (start-ups valued at more than $1 billion).
Held last week in Paris, France, researchers completed a total of 30 hours of bug hunting at the first annual event.
The contest spawned a total of 109 vulnerability reports, 30% of which were rated as either high or critical severity bugs, with one researching netting the maximum payout of €10,000.
Bug hunting
The most reported bug was improper access control followed by business logic error and thirdly, stored cross-site scripting (XSS) vulnerabilities.
Secure design issues were the most numerous category of bugs, accounting for almost half of all reports (41%), while access control issues made up 37% of submissions, and input issues accounted for 18%.
Security researcher ‘smaury’ came top of the leaderboard “at the very last second”, earning 70 points with a total of 19 reports.
They told The Daily Swig that the event was “kind of a rollercoaster” as the last bug they found was validated five seconds before the end, granting them first place.
The researcher said: “Unfortunately I can’t disclose much about the bugs I’ve found as most of them are still unpatched, in total there were more than 100 reported vulnerabilities so I expect the dev teams to be pretty rushed right now.
“The experience was great, every single detail was smooth with the logistics, moreover having the development team of the companies in the event let them and the researchers to talk and discuss about potential bugs, impact of the discovered ones, etc.
“I went there without much expectations because the previous week I was in Berlin to attend Nullcon and I didn’t spend a single minute before the event to look for bugs or get confident with the targets.
“But during the event I managed to be super focused (I was also fasting for Ramadan, so I had close to zero distractions) therefore I’ve found quite some bugs ranging from informative to high impact which allowed me to reserve the first place in the final scoreboard.”
A YesWeHack spokesperson told The Daily Swig: “This live bug bounty was an incredible opportunity to meet community members from all over Europe and to share a great moment of mutual support and sharing. Teams were formed during this event and hunted together, even if these hunters did not know each other before.
“At YesWeHack, we want to have a strong link with researchers, and we maintain this link, especially through events of all kinds, which motivates us to continue in this way.”
Source: https://portswigger.net/daily-swig/hack-me-im-famous-bug-bounty-hackathon-nets-security-researcher-10-000-overnight
