June 13, 2021, 10:27 a.m.
If you think that hackers being inside your systems is a bad idea, that’s probably because you’ve been conditioned into equating hackers with criminals. The fact is that while plenty of cybercrimes do involve hacking, not all hackers are criminals, and hacking itself is not a crime.
“Hacking just means to find a solution to a problem, and we already have a term for those doing this illegally: a cybercriminal,” Luke Tucker, vice-president of community at hacker-powered bug bounty platform HackerOne, says. “The reality is that hackers have a range of different motivations, from those setting out to illegally break into organizations or do harm, to others who are helping to do good.”
And doing good is what Amazon’s live hacking event in March was all about. More than 50 hackers from nine countries took part in the 10-day virtual event to identify vulnerabilities across some of Amazon’s core assets. The Amazon Vulnerability Research Program itself launched on HackerOne in April 2020, but the virtual live hacking event took things to a whole other level.
$832,135 in bounties paid
HackerOne could not share details regarding the total number of vulnerabilities beyond stating that there was “safe mitigation of all reported issues.” However, a spokesperson did confirm that “the top performers in the live event took home in excess of $100,000 in bounties.” The final total for all bounties paid was a staggering $832,135.
I do know that the hacker who took top place on the vulnerability leaderboard, Jonathan Bouman, submitted a total of 23 valid vulnerability reports and earned 59 bounties in this, his first live hacking event with HackerOne.
Another hacker, who goes by the name of Derision, finished in second place with some of the highest earnings of the event, because of the high and critical severity of the 44 vulnerabilities they found, which led to 49 bounty payments.
According to HackerOne, 92.9% of all the payments made were for reports rated high or critical impact. Some of the credit for this goes to Amazon itself, which launched a momentum bonus for the event: an extra bounty payment for each consecutive valid vulnerability report that reached that impact rating.
Putting the broad Amazon attack surface to the test
“Bringing in external researchers allows us to extend the reach of our security teams to put our mechanisms and broad attack surface to the test,” Hao-Wei Chen, head of Amazon’s Vulnerability Research Program, said. With the insight from the security researchers taking part in the live hacking event, Chen said Amazon would be aided in building “a more robust and secure system and, ultimately, improve the experience for our customers.”
The relationships made during the hacking event provide some of the most significant value to emerge from it, according to HackerOne’s Tucker. “The shared experiences of a live hacking event always create new and deeper relationships, and the Amazon security team was able to collaborate with both top hackers on their program and new talent. Security is stronger when we’re working together,” Tucker said.