HackerOne was started by hackers and security leaders who are driven by a passion to make the Internet safer. They partner with the global hacker community to surface the most relevant security issues before they can be exploited by criminals. HackerOne hosts live-hacking events around the world throughout the year. One of the largest of these, h1-702, takes place in Las Vegas—where elite hackers come together from across the globe to find bugs in participating companies’ products.
This year’s event was bigger and better than ever, and Okta was one of the five organizations selected to participate. Preparation for the hackers began three weeks prior to provide adequate time for building the required environment to test the multitude of features Okta offers. Other organizations subjecting themselves to live-hacking included GitHub and the US Marine Corps.
What’s it’s like to be live-hacked in Vegas
3:00pm: REX team staffed the war room — We got set up ready to work directly with white hat hackers to find as many potential issues as possible, and to reward them generously for their help.
5:00pm: 100 top hackers arrived to the Hacker Lounge — It’s not long before we started seeing submission numbers rise and hackers compete for a top spot on the leaderboard.
7:30pm Dinner! Finally — Everyone carb loads on pasta, steak, and fish while taking a break on the (now slightly cooler) rooftop pool deck.
8:30pm Hacking 101 Kicked Off — While the hackers were hard at work, HackerOne simultaneously hosted a ‘hacking 101’ for the burgeoning female hackers of Women in Security and Privacy (WISP) – focusing on ethical hacking taught by some of the best in the world.
11:00pm Hackers still hacking – and our (not pictured) War Room is still cranking.
11:55pm Only minutes to go – with $30,000+ in bounties paid out.
1:00am Show & Tell + Bonuses – We worked directly with hackers throughout the night to discuss our platform and validate leads on issues to accelerate the discovery process. This was our chance to give a shout-out for the best bugs – and give cash bonuses as a thank you to the top hackers.
We closed out the evening with just over $30K in bounties and $10K in bonuses for the h1-702 event. Overall, we were pleased with the vulnerabilities found and the validation that Okta’s REX team is working hard to keep our customer’s data secure.
A little background: How (and why) bug bounty programs work
Why did we invite a bunch of (white hat) hackers to take aim at Okta? Bug bounties are designed to reward individuals who find and responsibly disclose critical vulnerabilities in an organization. Whether they’re independent hackers, researchers, or something in between, those who participate in bug bounty programs represent a large pool of security talent from across the globe. In many cases, these are individuals organizations wouldn’t be able to hire full time even if they tried. They enjoy using their skills to find vulnerabilities in software and the bug bounty platform provides a way of compensating people for their time, effort, and skill. Leveraging the power of a global community, in addition to their internal resources, helps organizations scale to ensure their products and solutions have the most comprehensive review possible.
In 2015 Okta launched a private bug bounty program, and a year later we launched our public bug bounty program. We also posted some information about early considerations necessary to successfully implement a public bug bounty program, who you should involve in the process, and what you should think of as final deliberations and steps.
Proactive vulnerability discovery is key to market leadership
At Okta, we believe researcher participation plays an integral role in protecting our customers and their data. Security research teams look for tangential vulnerabilities to their core product; finding – and patching – issues before they become widespread. These teams are an integral part of the security community, exploring a variety of technology stacks to discover vulnerabilities and responsibly disclose these issues. Our own Okta REX (Research and Exploitation) Team, publishes topics ranging from Apple Bugs to Microsoft MFA Bypasses and Genetic Malware on our Security blog raising awareness in the community and working with vendors to responsibly disclose vulnerabilities. We also work with organizations like HackerOne and Bugcrowd to expand coverage of our internal attack team by augmenting with a bench of diverse capabilities through these platforms.
We encourage responsible disclosure of any vulnerability that may exist in our site or application. We are committed to working with security researchers to verify, address, and compensate for vulnerabilities responsibly reported to our team.