<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0" xml:base="https://www.hackerone.com/">
  <channel>
    <title>Bug Bounty</title>
    <link>https://www.hackerone.com/</link>
    <description/>
    <language>en</language>
    
    <item>
  <title>Celebrating 10 Years of Partnership: Snap and HackerOne Reach $1M in Bounties</title>
  <link>https://www.hackerone.com/blog/hackerone-and-snap-celebrating-10-years</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">Celebrating 10 Years of Partnership: Snap and HackerOne Reach $1M in Bounties</span>
    



    
        H1 Team
        
    


<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Fri, 02/14/2025 - 11:17
</span>

            
  
      
  
                



          

  

      
            February 14th, 2025

      
            <p><strong>Q: Tell us about your role at Snap and why cybersecurity is vital to your business.</strong></p><p><strong>Jim Higgins:</strong> I’m Snap's Chief Information Security Officer (CISO). Before joining Snap, I served as CISO at Square and spent over a decade at Google leading their Product Security Information Engineering team. At Snap, we support nearly half a billion daily active users who use Snapchat every day on average. Keeping our customers safe from the ever-evolving landscape of unknown threats is a deeply personal mission for me.</p><p><strong>Q: What does reaching the $1M milestone mean for Snap’s security team?</strong></p><p><strong>Jim Higgins:</strong> Hitting $1M in bounties is a badge of honor. It reflects our commitment to valuing the intelligent security researchers who help keep us safe. Bug bounty programs are notoriously difficult to build, but HackerOne’s talented community provides us with the expertise and creativity we need to secure our platform.</p><p><strong>Q: How has your bug bounty program evolved over the past 10 years?</strong></p><p><strong>Vinay Prabhushankar:</strong> When we started, our program was more operational and focused on identifying and fixing individual issues. As we matured, we shifted to a strategic approach, identifying systemic problems and building frameworks to resolve them. For instance, our 2025 roadmap includes initiatives that stem directly from vulnerabilities identified through HackerOne. Today, our program influences security, privacy, and safety strategies.</p><p><strong>Q: Are there any memorable milestones or moments you’re especially proud of?</strong></p><p><strong>Vinay Prabhushankar:</strong> Beyond the $1M milestone, we launched one of the first <a href="https://www.hackerone.com/ai-red-teaming">CTF-style challenges</a> focused on the safety of generative AI features.</p><p><strong>Q: How has AI Red Teaming influenced Snap’s approach to security?</strong></p><p><strong>Ilana Arbisser:</strong> We use AI Red Teaming to determine qualitative safety aspects – what’s possible, not necessarily what’s likely. We’re also constantly surprised by what’s possible – we try to keep an open mind while designing exercises. The benefit of working with HackerOne is that human ingenuity is more effective than consistently using adversarial prompt datasets or LLM-written attacks. The impact of the AI Red Teaming on our products has been to identify specific safety vulnerabilities and guide the addition of specific mitigations.</p><p><strong>Q: Where do you see AI Red Teaming heading in the future?</strong></p><p><strong>Ilana Arbisser:</strong> Simulated AI red teaming with LLM agents is improving significantly. This approach, when complemented by AI expert-driven testing by humans, is also more useful for getting quantitative results because attacks can be scaled to understand better how small input changes affect output.</p><p><strong>Q: With new AI tools constantly emerging, how does your team stay ahead of these technological advancements?</strong></p><p><strong>Ilana Arbisser:</strong> To keep pace with advancements, we rely on a combination of strategies. This includes staying informed through news and industry sources, attending AI networking and information-sharing events and conferences, and participating in industry-specific gatherings like the DEF CON AI Village.</p><p><strong>Q: What sets HackerOne apart as a partner?</strong></p><p><strong>Jim Higgins:</strong> HackerOne’s community is second to none. Over the past decade, they’ve built an ecosystem that values customer and researcher feedback. Their pace of innovation, particularly in AI features, has been impressive. For instance, we were able to use HackerOne’s GenAI copilot, <a href="https://www.hackerone.com/hai-your-hackerone-ai-copilot">Hai</a>, to translate submissions in 7 different EU languages when we did a private challenge hackathon around Election Safety around our MyAI chatbot.</p><p>Beyond technology, the support we’ve received has been phenomenal. HackerOne doesn’t just get us; they get security researchers. It’s like having a trusted partner who’s always in your corner.</p><p><strong>Q: What findings is the team most interested in surfacing? What types of bugs are most valuable to Snap?</strong></p><p><strong>Jim Higgins:</strong> At Snap, we prioritize security and privacy. Protecting sensitive user information is at the core of everything we do. Snap’s team is particularly interested in vulnerabilities that could compromise the integrity of its platform, such as remote code execution (RCE) or privilege escalation. We encourage security researchers to focus their efforts on these critical issues.</p><p><strong>Q: What lessons has Snap learned from its bug bounty program?</strong></p><p><strong>Vinay Prabhushankar:</strong></p><ol><li><strong>Fix low and medium bugs</strong>: These might seem minor, but when chained together, they can lead to critical vulnerabilities. Fixing them breaks the chain.</li><li><strong>Build trust with security researchers:</strong> Trust takes time but pays dividends in high-quality submissions.</li><li><strong>Gamify your program:</strong> Elements like challenges, swag, and <a href="https://www.hackerone.com/solutions/live-hacking-event">live hacking events</a> encourage creativity and engagement.</li></ol><p><strong>Q: What advice would you give companies starting a bug bounty program?</strong></p><p><strong>Jim Higgins:</strong> Start small with a private program, then expand the scope as you grow. Treat researchers as trusted allies—they’re like an extension of your team. We even have an internal guide on engaging with researchers, which includes concrete examples of dos and don’ts.</p><p><strong>Q: What’s next for Snap’s bug bounty program?</strong></p><p><strong>Jim Higgins:</strong> We plan to expand our scope to include hardware products like AR glasses and double down on AI security. HackerOne AI Red Teaming has proven invaluable, and we’re eager to deepen our collaboration with HackerOne’s community. Our ultimate goal is to make Snap’s bug bounty program a model for others to follow and strengthen the security of our users.</p>
      
            
                                                                                <a href="https://www.hackerone.com/blog/customer-stories" hreflang="en">Customer Stories</a>
                    
    

            
            <a href="https://www.hackerone.com/blog/topic/bug-bounty" hreflang="en">Bug Bounty</a>
        
            
            <a href="https://www.hackerone.com/blog/topic/ai-red-teaming" hreflang="en">AI Red Teaming</a>
        
            
            <a href="https://www.hackerone.com/blog/topic/ai-safety-security" hreflang="en">AI Safety &amp; Security</a>
        
    

            <p>At Snap, security is more than a priority—it’s a core mission. Over the past decade, Snap has partnered with HackerOne to build and sustain a robust bug bounty program. This collaboration has led to major milestones, including paying security researchers over $1M in bounties. To celebrate this achievement and their 10-year partnership, we spoke with Jim Higgins, Snap's Chief Information Security Officer, Vinay Prabhushankar, Snap’s Security Engineering Manager, and Ilana Arbisser, Snap’s Privacy Engineer. Together, they reflect on how this partnership has shaped Snap’s security, privacy, and innovation approach.</p>
      ]]></description>
  <pubDate>Fri, 14 Feb 2025 17:17:47 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5476 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Gain Actionable, Data-backed Insights with HackerOne Recommendations</title>
  <link>https://www.hackerone.com/blog/gain-actionable-data-backed-insights-hackerone-recommendations</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">Gain Actionable, Data-backed Insights with HackerOne Recommendations</span>
    



    
        Naz Bozdemir
        
            Senior Product Manager
      
    


    



    
        Caroline Collins
        
            Senior Product Manager
      
    


<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Thu, 02/06/2025 - 14:17
</span>

            
  
      
  
                



          

  

      
            February 6th, 2025

      
            <p dir="ltr">Meet <a href="https://docs.hackerone.com/en/articles/10131438-home#h_06c31153e5">HackerOne Recommendations</a>: a built-in intelligence layer that continuously refines your security program, delivering personalized insights based on your program's historical performance.</p><h2>Eliminate Guesswork With Contextual, High-value Suggestions</h2><p dir="ltr">With HackerOne Recommendations, you don’t need to manually sift through reports or guess which actions will impact your programs most. This automated intelligence layer continuously evaluates your security program’s performance and delivers personalized, high-value recommendations—right inside your <a href="https://docs.hackerone.com/en/articles/10131438-home">HackerOne Home Page</a>.</p><p dir="ltr">Recommendations aren’t just a generic list of tasks—they are risk-driven, context-aware, and backed by real attack intelligence based on HackerOne’s comprehensive database, which comprises over 500,000 valid vulnerabilities reported across industries.</p><p dir="ltr">Every month, HackerOne assesses 20 trigger conditions within your program, with a continually growing set of factors that enhance its intelligence over time. As data expands, so does the system’s ability to surface even more precise, high-impact suggestions, designed to:</p><ul><li dir="ltr">Optimize vulnerability response times by identifying bottlenecks and delays in triage workflows</li><li dir="ltr">Maximize hacker engagement by analyzing payout structures, report resolution speed, and incentive alignment</li><li dir="ltr">Reduce critical security gaps by identifying trends in missed, delayed, or incorrectly prioritized vulnerabilities</li><li dir="ltr">Benchmark your program’s efficiency against industry peers and top performers</li></ul><h2>How HackerOne Recommendations Work</h2><p dir="ltr">HackerOne Recommendations are updated on the first of each month, delivering clear, actionable improvements tailored to your security program. Each recommendation includes:</p><ul><li dir="ltr">A defined action plan with specific steps to improve your program</li><li dir="ltr">Supporting data and metrics to justify and quantify the impact</li><li dir="ltr">Guidance on implementation, whether through direct action or with assistance from your HackerOne Account Manager or Customer Success Manager</li></ul><h4 dir="ltr">Accessing Recommendations</h4><p dir="ltr">Recommendations are available in the <a href="https://docs.hackerone.com/en/articles/10131438-home#h_06c31153e5">Recommendations</a> section of your <a href="https://docs.hackerone.com/en/articles/10131438-home">HackerOne Home Page</a>, providing an at-a-glance view of key security improvement opportunities.</p><ul><li dir="ltr">Take Action – Select a recommendation to view detailed insights, context, and next steps.</li><li dir="ltr">Review All – See a consolidated list of all active recommendations for your program.</li></ul><h4 dir="ltr">Expanded View for In-depth Analysis</h4><p dir="ltr">Each recommendation includes a structured breakdown for clarity and ease of implementation:</p><ul><li dir="ltr">Left-hand pane – View all recommendations applicable to your program.</li><li dir="ltr">Right-hand pane – See detailed insights, including supporting data and suggested actions.</li><li dir="ltr">Actionable steps – Choose specific actions to address security gaps.</li></ul><h4 dir="ltr">Customization and Feedback</h4><ul><li dir="ltr">Dismiss if not relevant – Click the Dismiss button at the top to remove a recommendation from your view for 90 days.</li><li dir="ltr">Provide feedback – Use thumbs-up/down ratings on individual recommendations to refine future recommendations and ensure relevance.</li></ul><h3 dir="ltr"><strong>Enhance Program Performance With Data-driven Intelligence</strong></h3><p dir="ltr">HackerOne Recommendations is now available to all Bounty customers at no additional cost. Built on real-world security data, it eliminates guesswork by delivering actionable, high-impact insights—not generic alerts.</p><p dir="ltr">Start leveraging the industry’s most comprehensive vulnerability dataset to drive measurable security improvements. Start using HackerOne Recommendations today by <a href="https://www.hackerone.com/product/overview#form">connecting with our experts</a> or <a href="https://www.hackerone.com/product/overview">exploring the HackerOne Platform</a>.</p>
      
            
                                                                                <a href="https://www.hackerone.com/blog/news-updates" hreflang="en">News &amp; Updates</a>
                    
    

            
            <a href="https://www.hackerone.com/blog/topic/vulnerability-management" hreflang="en">Vulnerability Management</a>
        
            
            <a href="https://www.hackerone.com/blog/topic/bug-bounty" hreflang="en">Bug Bounty</a>
        
    

            <p dir="ltr">Security teams deal with an overwhelming volume of reports, alerts, and vulnerability data—but without the right prioritization, it's easy to waste time on low-impact issues while critical risks go unnoticed. Static benchmarks don't adapt to real-world threats, and manual analysis is too slow to keep up with the evolving attack landscape.</p><p dir="ltr"><em>What if your security program could self-optimize: analyze trends, identify weak points, and proactively propose actionable steps to strengthen defenses?</em></p>
      ]]></description>
  <pubDate>Thu, 06 Feb 2025 20:17:15 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5474 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Hope in the Fight Against Cyber Threats: A New Year’s Message to CISOs</title>
  <link>https://www.hackerone.com/blog/hope-fight-against-cyber-threats-new-years-message-cisos</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">Hope in the Fight Against Cyber Threats: A New Year’s Message to CISOs</span>
    



    
        Kara Sprague
        
            CEO
      
    


<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Thu, 01/23/2025 - 08:14
</span>

            
  
      
  
                



          

  

      
            January 23rd, 2025

      
            <h2>Facing the Reality: Cybersecurity’s Mounting Pressures</h2><p dir="ltr">The cybersecurity landscape is evolving at an unprecedented pace. This past year, breaches resulting from exploited vulnerabilities <a href="https://www.techtarget.com/searchsecurity/news/366582952/Verizon-DBIR-Vulnerability-exploitation-in-breaches-up-180" target="_blank">grew 180%</a>, and at HackerOne, we’ve seen <a href="https://hackerpoweredsecurityreport.com/the-top-ten-vulnerabilities/">a 12% jump in vulnerability reports</a> across our customer programs. Attack surfaces continue to expand, with AI systems as the new frontier and increasingly interconnected systems. Threat actors are growing in number and boldness, and attack techniques are increasing in sophistication. And, as the headlines remind us all too often, breaches are not just a possibility but a probability.</p><p dir="ltr">It's natural to feel hopeless in the face of these developments. But within these challenges lies an opportunity to build something stronger than ever before.</p><h2>Finding Opportunity in Adversity</h2><p dir="ltr">Every challenge we face brings with it a silver lining: an opportunity to innovate, collaborate, and grow stronger. Over the past year, we've witnessed the transformative power of resilience. Organizations are increasingly adopting proactive security measures and leveraging cutting-edge tools like AI to detect and respond to threats faster than ever before. At the same time, crowdsourced cybersecurity programs are gaining momentum, demonstrating greater adoption and effectiveness. In fact, <a href="https://hackerpoweredsecurityreport.com/the-top-ten-vulnerabilities/">more than one-quarter of valid vulnerabilities</a> found through HackerOne programs are rated as critical or high severity. This highlights the value of collaboration with security researchers—helping organizations uncover and address vulnerabilities before they escalate into crises.</p><p dir="ltr">This year, I encourage you to consider how these opportunities can apply to your organization. Where is there potential for you to be more proactive in your security strategy? Which solutions and partnerships offer the highest return in strengthening your security posture? And perhaps most importantly, how do you, as a leader, reframe adversity as a catalyst for progress?</p><h2>The AI-Human Alliance in Cybersecurity</h2><p dir="ltr">At the heart of modern cybersecurity strategies lies the powerful synergy between human ingenuity and cutting-edge technology. While tools like AI have revolutionized how we identify and address vulnerabilities, their effectiveness hinges on the expertise and guidance of the people behind them. Your teams—the analysts, engineers, and researchers working tirelessly to defend against threats—are, without a doubt, your greatest asset. Equally invaluable are your partners, whether they be vendors, security researchers, or other collaborators who bring diverse perspectives and specialized knowledge to the table.</p><p dir="ltr">This blend of AI-driven efficiency and human insight is essential for staying ahead of increasingly sophisticated adversaries. It empowers us to adapt, innovate, and uncover even the most elusive vulnerabilities before they become threats. With AI, we can process vast amounts of data at speeds that would be impossible for humans alone, spotting patterns and anomalies that might otherwise go unnoticed. However, it is human expertise that ensures these tools are applied strategically, interpreting complex data in context and making nuanced decisions that automated systems alone can't achieve. Together, they form an agile and responsive defense system capable of outpacing the evolving tactics of cybercriminals.</p><p dir="ltr">A prime example of this approach in action is Amazon and AWS, who have been leveraging this combination in their security program with HackerOne for over eight years. In that time, they’ve received over 9,000 valid reports and paid over $30 million in rewards and bonuses to 6,000 security researchers. Each report from a researcher helps Amazon raise the bar on security, providing unique perspectives on their entire landscape and uncovering vulnerabilities that might otherwise go unnoticed. This partnership exemplifies how human ingenuity, paired with the right platform, can transform how organizations tackle cybersecurity challenges. <a href="https://youtu.be/pNJNdrZN0YA?si=MbAFjNm82AT-9izX" target="_blank">You can hear more in this short video</a>.</p><p dir="ltr">As you look to 2025, I encourage you to assess the talent and technology powering your charter. Build a culture that empowers your teams to leverage AI-powered capabilities while recognizing where human insight remains essential. Foster trust and resilience, and seek out new perspectives and partnerships. Sometimes the best solutions come from unexpected places.</p><h2>Let’s Build a Resilient Future Together</h2><p dir="ltr">In 2025, let’s shift the narrative. Instead of focusing on what we’re fighting against, let’s focus on what we’re building together: a more secure, more resilient digital world. Let’s embrace the tools and partnerships that empower us to stay ahead of threats. Let’s champion a mindset where security is seen not as a burden but as an enabler of innovation and trust.</p><p dir="ltr">At HackerOne, we’re committed to being your ally in this fight. We believe that no challenge is insurmountable when we work together, and we’re here to support you every step of the way.</p><h2>Closing Thoughts</h2><p dir="ltr">To every CISO reading this: I see the challenges you face and the incredible work you do to overcome them. The road ahead won’t be easy, but we can navigate it together. You are not alone in this fight to build a safer internet. With the right mindset, tools, and partnerships, 2025 can be a year of meaningful progress for cybersecurity.</p><p dir="ltr">Here’s to a new year of resilience, innovation, and hope.</p>
      
            
                                                                                <a href="https://www.hackerone.com/blog/from-the-ceo" hreflang="en">From The CEO</a>
                    
    

            
            <a href="https://www.hackerone.com/blog/topic/ai-safety-security" hreflang="en">AI Safety &amp; Security</a>
        
            
            <a href="https://www.hackerone.com/blog/topic/bug-bounty" hreflang="en">Bug Bounty</a>
        
            
            <a href="https://www.hackerone.com/blog/topic/vulnerability-management" hreflang="en">Vulnerability Management</a>
        
            
            <a href="https://www.hackerone.com/blog/topic/best-practices" hreflang="en">Best Practices</a>
        
    

            <p>As we settle into 2025, I want to take a moment to reflect on the state of cybersecurity—not just as an industry but as a shared mission. For CISOs, the stakes have never been higher. Protecting your organizations against increasingly sophisticated adversaries, managing constrained budgets, and ensuring business continuity in an unpredictable world—it’s a daunting charter, and it can feel isolating. But I’m here to remind you: You are not alone.</p>
      ]]></description>
  <pubDate>Thu, 23 Jan 2025 14:14:53 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5468 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Introducing Lightspark's Public Bug Bounty Program</title>
  <link>https://www.hackerone.com/blog/introducing-lightsparks-public-bug-bounty-program</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">Introducing Lightspark's Public Bug Bounty Program</span>
    



    
        H1 Team
        
    


<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Wed, 01/15/2025 - 08:52
</span>

            
  
      
  
                



          

  

      
            January 15th, 2025

      
            <h2>Expanding Our Bug Bounty Program</h2><p dir="ltr">At Lightspark, we’ve always been focused on security that meets and exceeds industry standards. We’ve been partnering with&nbsp;HackerOne, the global leader in ethical hacking and human-powered security, on our bug bounty program. Today we’re announcing that we’re ramping up the scale of this reporting and sharing our bug bounty program publicly. We’ve already invited a few security researchers and white hat hackers to pressure test our offerings and collect bug reports - which has been so useful - but now we are formalizing our approach.&nbsp;</p><h2>Details on the Program</h2><p dir="ltr">Our rewards are based on severity. Hackers reporting vulnerabilities will receive the following payout levels (at Lightspark’s discretion), based on the tier of the vulnerability:&nbsp;</p><ul><li dir="ltr">Low - $150</li><li dir="ltr">Medium - $750</li><li dir="ltr">High - $2000</li><li dir="ltr">Critical - $5000</li></ul><p dir="ltr">Hackers can report bugs on any facet of Lightspark, whether it’s our APIs, open source software, or website. We’re committed to meeting our response targets for hackers participating in our program, and we’ll keep everyone informed about our progress.</p><p dir="ltr">We help our customers deliver Internet payments at scale and improve the financial system for everyone. Our customers rely on us to provide secure, enterprise-grade Lightning payment services. This update to our expanded bug bounty program demonstrates the importance of and our commitment to security in our services.</p><p dir="ltr">We’re excited to work with the community and are looking forward to feedback. For more details on the Lightspark Bug Bounty Program, please visit&nbsp;<a href="https://hackerone.com/lightspark_bbp" target="_blank">hackerone.com/lightspark_bbp</a>.</p>
      
            
                                                                                <a href="https://www.hackerone.com/blog/customer-stories" hreflang="en">Customer Stories</a>
                    
    

            
            <a href="https://www.hackerone.com/blog/topic/vulnerability-management" hreflang="en">Vulnerability Management</a>
        
            
            <a href="https://www.hackerone.com/blog/topic/bug-bounty" hreflang="en">Bug Bounty</a>
        
    

            <p>We're excited to announce the public launch of <a href="https://www.lightspark.com/news/expanding-our-bug-bounty-program" target="_blank">Lightspark's Bug Bounty Program</a> on the HackerOne platform! Lightspark has been working with HackerOne to ensure the highest standards of security and responsible disclosure, and today, we're taking a major step forward by opening the program to the global researcher community. Read the message below to learn more about Lightspark's program details and how you can help keep Lightspark secure!</p>
      ]]></description>
  <pubDate>Wed, 15 Jan 2025 14:52:11 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5466 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>How a Privilege Escalation Led to Unrestricted Admin Account Creation in Shopify</title>
  <link>https://www.hackerone.com/blog/how-privilege-escalation-led-unrestricted-admin-account-creation-shopify</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">How a Privilege Escalation Led to Unrestricted Admin Account Creation in Shopify</span>
    



    
        Andrew Pratt
        
            Security Researcher
      
    


<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Thu, 12/12/2024 - 13:43
</span>

            
  
      
  
                



          

  

      
            December 12th, 2024

      
            <p dir="ltr">In a privilege escalation attack, an attacker gains elevated rights, permissions, or entitlements beyond the intended level associated with their identity, account, or device. Systems are vulnerable to such attacks due to several factors, including bugs, human error, misconfigurations, system flaws, and inadequate access controls. There are two main types of privilege escalation:</p><ol><li dir="ltr"><strong>Vertical privilege escalation</strong>: This occurs when an attacker elevates their privileges, such as a regular user gaining administrative rights or root-level access.</li><li dir="ltr"><strong>Horizontal privilege escalation</strong>: This occurs when an attacker maintains the same or similar level of privileges but in the context of a different user or account.</li></ol><p dir="ltr">Almost every multi-account application takes a defense-in-depth approach to access control. Due to this layered security posture, according to the&nbsp;<a href="https://www.hackerone.com/resources/reporting/8th-hacker-powered-security-report"><strong>8th Annual Hacker-Powered Security Report</strong></a>, the platform average for reported privilege escalation vulnerabilities only accounts for 2% of submissions. This low rate can be partially attributed to bug bounty program rules that require testing to cease after initial compromise. Additionally, privilege escalation is a broad category, and the exploitation of other vulnerability classes can result in an attacker acquiring elevated privileges.</p><p dir="ltr">However, when these attacks do occur, the consequences can be severe. If the vulnerability is systemic or an attacker obtains high-level privileges, they could compromise every account. Privilege escalation vulnerabilities can also allow attackers to bypass paywalls, such as in cases where subscription tiers are elevated. 
In extreme cases, attackers can completely hijack devices with the installation of malware or backdoors.</p><p dir="ltr">Even with the wide variety of defensive controls that mitigate the risk of privilege escalation attacks, exploitation still poses a constant threat that must receive the proper attention to detail to effectively counteract—as oversights in implementation can provide the exact attack vector needed.</p><h2 dir="ltr">Authentication</h2><p dir="ltr">Authentication checks if a user is who they claim to be based on submitted identification parameters. 2% of all reports submitted to HackerOne were for improper authentication vulnerabilities, according to the Hacker-Powered Security Report.</p><p dir="ltr">Arguably the easiest way to gain a higher privilege level is via the exploitation of authentication processes.</p><p dir="ltr">There are numerous vulnerabilities that can be used to take over an account, such as:</p><ul><li dir="ltr">The use of weak or default credentials can provide an easy means of assuming a privileged identity.<br>&nbsp;</li><li dir="ltr">A lack of rate limiting can allow for an indefinite number of login requests to be sent until valid credentials or&nbsp;<strong>one-time-passwords</strong> (<strong>OTPs</strong>) are found.<br>&nbsp;</li><li dir="ltr">Multi-step authentication processes can contain business logic flaws, allowing critical steps to be skipped, such as the point at which a&nbsp;<strong>multi-factor authentication</strong> (<strong>MFA</strong>) token is provided.<br>&nbsp;</li><li dir="ltr">Attacks such as SQL injection can result in entire databases of valid credentials being leaked.<br>&nbsp;</li><li dir="ltr">Password reset functionality can also be flawed. For example, the same token can be issued to multiple requests if they are generated based on time or are sourced from a premade pool of valid ones.<br>&nbsp;</li><li dir="ltr">Validation processes can also be flawed. 
For example, a token may only be evaluated and used to protect a sensitive function if it is received by the server. In this scenario, simply excluding the token altogether may allow the access control to be bypassed, leaving the function exposed to unauthorized execution. Security issues can also arise in cases where tokens can be reused across different requests or areas of the application.</li></ul><p dir="ltr">Regardless of the vulnerability, authentication exploits have the same end result – an attacker gaining direct access to a compromised account.</p><h2 dir="ltr">Role-Based Access Control</h2><p dir="ltr"><strong>Role-based access control</strong> (<strong>RBAC</strong>) is a security measure that allows administrators to define which types of users are authorized to access specific resources or perform certain actions. The "roles" in RBAC refer to the set of assigned privileges granted to users. These roles can be assigned per individual user or to a specific group of users.</p><p dir="ltr">While RBAC provides a significant line of defense, there is no one-size-fits-all solution. Those responsible for defining roles must have a deep understanding of what certain users should be capable of. Without this awareness, roles may be overly permissive. Role definitions can even be influenced by user frustration and complaints. 
If a certain functionality is too restrictive, the security configurations protecting it may be relaxed to avoid friction or pain points.</p><p dir="ltr">Additionally, vulnerabilities can exist in how a user's role is determined:</p><ul><li dir="ltr">Roles determined based on a client-side parameter such as a header can be arbitrarily changed.</li><li dir="ltr">Hidden fields that rely on security-through-obscurity can also be discovered, which can lead to mass assignment attacks that result in privilege escalation.</li><li dir="ltr">Weak obfuscation techniques, such as masking an access token with a common encoding conversion or the use of cryptographically insecure algorithms, can expose embedded values that determine a user's role. Simple match-and-replace rules or reverse-engineering techniques could then be used to provide the desired value in place of the assigned one.</li></ul><p dir="ltr">In a worst-case scenario, RBAC could be missing from an asset or endpoint entirely, allowing unrestricted access or function calls.</p><p dir="ltr">Reports of improper access control vulnerabilities represent 9% of all submissions to the HackerOne platform.</p><h2 dir="ltr">The Principle of Least Privilege</h2><p dir="ltr">The&nbsp;<strong>principle of least privilege</strong> (<strong>PoLP</strong>) goes hand-in-hand with RBAC and is a security concept that advocates the idea that users and connected systems should only be given the permissions that are absolutely necessary – nothing more, nothing less. As an example, a user should only be able to access files belonging to them, while a manager who needs access to files across multiple users should be restricted to files within their team or those they are responsible for. 
If an attacker is able to access the files of other users, the application is vulnerable to insecure direct object reference, which accounts for 6% of all submitted reports.</p><p dir="ltr">However, in cloud environments, many privileges and actions are granted by default, and it takes explicit configuration to revoke them. These default capabilities apply to both user roles and cloud resources such as virtual machines. Without making changes tailored to the organization, privilege escalation attacks could result in bypassing network partitions or low-level users performing critical operations.</p><h2 dir="ltr">The Exploit</h2><p dir="ltr">On June 27th, 2021, security researcher&nbsp;<a href="https://hackerone.com/stapia" target="_blank">@stapia</a> submitted a&nbsp;<a href="https://hackerone.com/reports/1245736" target="_blank">report</a> describing a privilege escalation vulnerability they discovered on&nbsp;<strong>https://stocky.shopifyapps.com/</strong>. By sending a request directly to the&nbsp;<strong>/users/create_admin</strong> endpoint, a non-privileged user could create and log in to an administrative account.</p><h3 dir="ltr">Steps to Reproduce</h3><p>1. A non-privileged user account was created.</p><p>2. Once authenticated under this account, navigating to the&nbsp;<strong>/users/me</strong> endpoint would produce a request containing cookies and an authenticity token that were also compatible with the vulnerable endpoint.</p><p>3. This request was intercepted, the request line was changed to&nbsp;<strong>POST /users/create_admin HTTP/2</strong>, and the following body data was included:</p><pre>utf8=%E2%9C%93&amp;authenticity_token=[REPLACE TOKEN]&amp;user%5Bfirst_name%5D=[FIRST NAME]&amp;user%5Blast_name%5D=[LAST NAME]&amp;user%5Bemail%5D=[EMAIL ADDRESS]&amp;password=[PASSWORD]&amp;commit=Create+%26+Login</pre><p>4. Forwarding this request resulted in the successful creation of an administrator account. 
With administrative privileges, a user could update the inventory, stock, vendors, place purchase orders, etc., in the context of the organization's Shopify account.</p><h2 dir="ltr">Protecting Against Privilege Escalation Attacks</h2><p dir="ltr">In this example, Shopify issued a token that was valid across multiple endpoints. Had they scoped the token to be endpoint-specific, its use would not have been accepted for the&nbsp;<strong>/users/create_admin&nbsp;</strong>endpoint.</p><p dir="ltr">Generally speaking, privilege escalation attacks are the result of various security failures. It is vital to take a layered approach to defense and ensure proper implementation and configuration of the measures taken:</p><ul><li dir="ltr">Any generated tokens should be specifically scoped, use reliably secure obfuscation techniques, and be single-use.</li><li dir="ltr">Follow basic password management practices, such as enforcing password strength and the use of MFA.</li><li dir="ltr">Fully vet the authentication process for any weaknesses that allow an unreasonable amount of login attempts to be made.</li><li dir="ltr">Sanitize and validate user input to defend against injection attacks.</li><li dir="ltr">Perform a thorough review of the permissions assigned to roles at regular intervals, with updates made anytime changes are made to the application.</li><li dir="ltr">Revoke roles for inactive users or groups to reduce the overall number of accounts that could be used as attack vectors.</li><li dir="ltr">Permissions must be properly validated for every request, regardless of where the request originates from.</li></ul><h2 dir="ltr">Conclusion</h2><p dir="ltr">The efforts of @stapia resulted in a bounty of $1,600, and the Shopify team deployed a fix for the issue on August 25, 2021. 
When testing on programs, make sure to analyze the application for the security flaws discussed that could lead to an escalation of privileges.</p><p dir="ltr"><a href="https://hackerone.com/hacktivity/overview?queryString=cwe%3A%28%22Privilege+Escalation%22%29+AND+disclosed%3Atrue&amp;sortField=latest_disclosable_activity_at&amp;sortDirection=DESC&amp;pageIndex=0" target="_blank">See further examples of reports involving privilege escalation here.</a></p><p dir="ltr">This report highlights the importance of securing against privilege escalation attacks, especially in applications such as Shopify that deal with e-commerce environments and tools. Had a malicious attacker discovered this vulnerability before it was responsibly reported, the financial losses could have been substantial. With the power of crowdsourced security provided by HackerOne, this vulnerability was remedied quickly, and the safety of Shopify's user base was improved.</p>
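<p dir="ltr">As an added illustration of the two defenses stressed above (tokens scoped to one endpoint and single-use, and permissions validated server-side on every request), the following Python is example code written for this post, not the Stocky or Shopify implementation; the handler name, token format, session identifiers, user table and request dictionaries are all constructed for the demonstration.</p>

```python
import hashlib
import hmac
import secrets
import time

# Constructed for this example: a server-side signing key and a user table.
SERVER_KEY = secrets.token_bytes(32)
USERS = {"alice": {"role": "member"}, "root": {"role": "admin"}}


class TokenStore:
    """Issues authenticity tokens bound to one session and one endpoint path.

    Each token is an HMAC over (session, path, nonce, expiry); the nonce is
    recorded at issue time and removed on first use, so a token minted for
    /users/me cannot be accepted by /users/create_admin, and no token can be
    used twice.
    """

    def __init__(self, key, ttl_seconds=900):
        self.key = key
        self.ttl = ttl_seconds
        self.unused = {}  # nonce -> expiry, for single-use enforcement

    def _mac(self, session_id, path, nonce, expiry):
        msg = f"{session_id}|{path}|{nonce}|{expiry}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id, path):
        nonce = secrets.token_hex(16)
        expiry = int(time.time()) + self.ttl
        self.unused[nonce] = expiry
        return f"{nonce}.{expiry}.{self._mac(session_id, path, nonce, expiry)}"

    def consume(self, token, session_id, path):
        """Return True exactly once for a token minted for this session and path."""
        try:
            nonce, expiry_text, mac = token.split(".")
            expiry = int(expiry_text)
        except ValueError:
            return False
        # Constant-time comparison; a token scoped to another path or session
        # produces a different MAC and is rejected here.
        if not hmac.compare_digest(mac, self._mac(session_id, path, nonce, expiry)):
            return False
        if expiry < int(time.time()):
            self.unused.pop(nonce, None)
            return False
        return self.unused.pop(nonce, None) is not None  # False on a replay


def create_admin(request, tokens):
    """Hypothetical handler for POST /users/create_admin; returns (status, message).

    `request` is a constructed dict: {"session_user": str, "form": {field: value}}.
    """
    caller = request["session_user"]
    form = request["form"]
    # 1. The token must have been minted for this caller AND this exact endpoint.
    if not tokens.consume(form.get("authenticity_token", ""), caller, "/users/create_admin"):
        return 403, "authenticity token missing, mis-scoped, expired or already used"
    # 2. Authorization is decided server-side on every request; nothing the
    #    client sends (headers, hidden fields, the token itself) asserts a role.
    if USERS.get(caller, {}).get("role") != "admin":
        return 403, "caller is not an administrator"
    email = form["user[email]"]
    USERS[email] = {"role": "admin"}
    return 201, f"administrator {email} created"


def run_scenarios():
    """Run the report's request pattern against the hardened handler."""
    tokens = TokenStore(SERVER_KEY)
    outcomes = []

    # A token the /users/me page would hand to the low-privilege user alice,
    # forwarded to /users/create_admin as in the report: rejected as mis-scoped.
    me_token = tokens.issue("alice", "/users/me")
    outcomes.append(create_admin(
        {"session_user": "alice",
         "form": {"authenticity_token": me_token, "user[email]": "new@example.test"}},
        tokens)[0])

    # Correctly scoped token, but alice is still only a member: rejected.
    scoped = tokens.issue("alice", "/users/create_admin")
    outcomes.append(create_admin(
        {"session_user": "alice",
         "form": {"authenticity_token": scoped, "user[email]": "new@example.test"}},
        tokens)[0])

    # An actual administrator with a correctly scoped token succeeds once ...
    admin_req = {"session_user": "root",
                 "form": {"authenticity_token": tokens.issue("root", "/users/create_admin"),
                          "user[email]": "ops@example.test"}}
    outcomes.append(create_admin(admin_req, tokens)[0])
    # ... and the identical request replayed is refused: the token is single-use.
    outcomes.append(create_admin(admin_req, tokens)[0])
    return outcomes  # [403, 403, 201, 403]


if __name__ == "__main__":
    print(run_scenarios())
```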
      

            
            <a href="https://www.hackerone.com/blog/topic/vulnerability-management" hreflang="en">Vulnerability Management</a>
        
            
            <a href="https://www.hackerone.com/blog/topic/bug-bounty" hreflang="en">Bug Bounty</a>
        
    

            <p dir="ltr">Every time you access an application that is designed for use with multiple accounts, you inherit a certain level of privileges. This level can vary significantly. In an unauthenticated state, you may have no sensitive privileges, but as an administrator or manager, you can access all resources and functionality.</p>
      ]]></description>
  <pubDate>Thu, 12 Dec 2024 19:43:47 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5459 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Introducing the Wells Fargo Public Bug Bounty Program</title>
  <link>https://www.hackerone.com/blog/introducing-wells-fargo-public-bug-bounty-program</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">Introducing the Wells Fargo Public Bug Bounty Program</span>
    



    
        H1 Team
        
    


<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Tue, 12/10/2024 - 13:53
</span>

            
  
      
  
                



          

  

      
            December 10th, 2024

      
            <p>Since then, we’ve grown the program, collaborated with HackerOne, and built partnerships within the bug bounty community. The valuable insights we’ve gained from security researchers all over the world have helped us bolster security for Wells Fargo’s assets.</p><p>Now we’re ready to take the next big step: launching the Wells Fargo public bug bounty program. We hope you’ll help us on this journey to continue to evolve and sustain a secure environment for our customers.</p><p>Our program will focus on our heavily trafficked external-facing applications. If you’re ready to get involved, check out our HackerOne program policy for details on the scope.</p><h2>Proactively Safeguarding Wells Fargo Customers</h2><p>Wells Fargo takes its security responsibility seriously. Our Cybersecurity team triages potential security vulnerabilities identified by the HackerOne community, assesses the impact, and focuses on rapidly remediating findings to safeguard our customers and their data.</p><p>Should you choose to participate in our program, you can expect, where appropriate, to be kept informed as findings are validated, impacts are assessed, and fixes are implemented. We’re excited to dive deeper into the bug bounty pool as we continue to give our customers the protection they deserve.</p><p><a href="https://hackerone.com/wellsfargo-bbp?type=team" target="_blank"><em>Visit the Wells Fargo public bug bounty program.</em></a></p>
      
            
                                                                                <a href="https://www.hackerone.com/blog/customer-stories" hreflang="en">Customer Stories</a>
                    
    

            
            <a href="https://www.hackerone.com/blog/topic/vulnerability-management" hreflang="en">Vulnerability Management</a>
        
            
            <a href="https://www.hackerone.com/blog/topic/bug-bounty" hreflang="en">Bug Bounty</a>
        
    

            <p>At Wells Fargo, we make protecting our customers’ accounts and information a priority, and we’re committed to enhancing our cybersecurity measures to give our customers the protection they deserve. To help us stay ahead of emerging threats, in 2019 we tapped into the HackerOne community with a responsible disclosure program, then upgraded to our private bug bounty program in 2021.</p>
      ]]></description>
  <pubDate>Tue, 10 Dec 2024 19:53:11 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5457 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Six Years of Proactive Defense: Deribit’s Journey with HackerOne</title>
  <link>https://www.hackerone.com/blog/six-years-proactive-defense-deribits-journey-hackerone</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">Six Years of Proactive Defense: Deribit’s Journey with HackerOne</span>
    



    
        H1 Team
        
    


<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Tue, 12/10/2024 - 13:20
</span>

            
  
      
  
                



          

  

      
            December 10th, 2024

      
            <h2>Q: Why did Deribit launch a bug bounty program?</h2><p dir="ltr">A: I like to view security as an onion where each additional layer provides additional protection to the core. The risk of getting hacked is a function of the target attractiveness (based on possible gains) and the number of security layers. The more security layers you add, the better your core is protected and the lower your risk.</p><p dir="ltr">By launching a bug bounty program, we added another security layer to secure our clients’ assets.</p><h2>Q: In the crypto space, security is often associated with trust. How does Deribit ensure that its bug bounty program strengthens trust with its users?</h2><p dir="ltr">A: In crypto, we say, “don’t trust, verify.” Deribit implements security best practices and complies with&nbsp;<a href="https://www.hackerone.com/security-compliance/iso-27001-pentesting">ISO 27001</a> and&nbsp;<a href="https://www.hackerone.com/security-compliance/soc-2-pentesting">SOC 2 Type 2</a> controls. We run pentests and red team exercises both on a regular basis and before launching new features. The bug bounty program adds another layer of security review and offers a legal route and financial rewards to anyone discovering a bug in Deribit.</p><h2>Q: Why did Deribit choose HackerOne to manage its program?</h2><p dir="ltr">A: You are only as secure as your weakest link. HackerOne has the largest community of security researchers, all with different skill sets, experience, and expertise, ensuring complete coverage of our assets so that no area is overlooked. Additionally, since its inception, Deribit has advocated for cryptocurrencies and the power and freedom they enable. HackerOne is one of the rare platforms that offers security researchers the possibility of receiving payments in crypto, which aligns with our values.</p><h2>Q: Have you had any memorable interactions with security researchers to date? 
Favorite bugs?</h2><p dir="ltr">A: A few years ago, a security researcher reported a bug anonymously and never claimed the ticket. We invested the time to track him down so that we could reward him. We want security researchers to hunt on our program, and we want to reward them handsomely for it!</p><h2>Q: With the rapid evolution of blockchain technology, what unique security challenges does Deribit face, and how does the bug bounty program help address them?</h2><p dir="ltr">A: Blockchain and crypto are secular and rapidly evolving industries, and most of the products have not yet stood the test of time. To make matters worse, the amount of money and the irreversibility of transactions make crypto companies a very attractive target to malicious individuals and APT (advanced persistent threat) groups. The bug bounty program helps us find vulnerabilities before malicious actors and constantly trains our security team to detect and respond to potential threats.</p><h2>Q: Anything to say directly to the security researcher community?</h2><p dir="ltr">A: Deribit has had a bug bounty program for 6 years already. We started as a self-hosted program and then turned to a managed program (first on Bugcrowd and now on HackerOne). This dedication to evolving our bug bounty program shows how valuable security researchers have been in securing the exchange. We have loved the journey; meeting new people, talking payloads, and learning novel attack techniques. We’re so grateful to the security researchers who have reported issues through our bug bounty program. Keep on hacking!</p>
      
            
                                                                                <a href="https://www.hackerone.com/blog/customer-stories" hreflang="en">Customer Stories</a>
                    
    

            
            <a href="https://www.hackerone.com/blog/topic/vulnerability-management" hreflang="en">Vulnerability Management</a>
        
            
            <a href="https://www.hackerone.com/blog/topic/bug-bounty" hreflang="en">Bug Bounty</a>
        
    

            <p dir="ltr">With billions in crypto assets on the line,&nbsp;<a href="https://hackerone.com/deribit?type=team">Deribit</a>—the largest Bitcoin and Ethereum options exchange—knows the cost of a single security flaw could be devastating. Over the past six years, the company has integrated a HackerOne-managed bug bounty program into its layered defenses to stay ahead of threats, including sophisticated, state-sponsored attacks. We caught up with Xavier Bruni, Application Security Engineer at Deribit, to explore how this proactive approach enhances its security strategy and keeps customer trust intact in a high-risk environment.</p>
      ]]></description>
  <pubDate>Tue, 10 Dec 2024 19:20:35 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5456 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Join HackerOne’s Ambassador World Cup</title>
  <link>https://www.hackerone.com/blog/join-hackerones-ambassador-world-cup</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">Join HackerOne’s Ambassador World Cup</span>
    



    
        H1 Team
        
    


<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Mon, 05/06/2024 - 12:53
</span>

            
  
      
  
                



          

  

      
            May 6th, 2024

      
            <p dir="ltr">Customers who take part in the Ambassador World Cup get dedicated focus from highly motivated and expert teams of hackers. Last year, hackers reported 800+ valid vulnerabilities across 12 customers, 26% of which were high or critical.&nbsp;</p><h2>Who Is Taking Part?</h2><p dir="ltr">Six customers have already signed up for the 2024 Ambassador World Cup. There are still some open spots available for this year's World Cup — talk to your Customer Success Manager for more information!</p><p dir="ltr">Speaking about their involvement last year, Mercado Libre said:&nbsp;</p><blockquote><p dir="ltr"><em>"Connecting with hackers from continents outside of LATAM was very valuable for us, as it provides us with a different perspective from individuals interacting with our applications for the first time, resulting in a very high technical level of vulnerabilities."</em><br>— Alex Atehortua, Bug Bounty Program Leader, Mercado Libre</p></blockquote><p dir="ltr">The hacking teams themselves are spearheaded by HackerOne Brand Ambassadors, top hackers in their region who unite the strongest members of their hacker communities to compete in regional teams from around the world.&nbsp;</p><p dir="ltr">The winning team last year was from Spain, headed up by Brand Ambassadors Carlos, aka <a href="https://www.hackerone.com/hackerone-community-blog/ambassador-spotlight-hipotermia">hipotermia</a>, and Diego, a.k.a @djurado. As Brand Ambassadors, they are responsible for recruiting local hackers and those interested in hacking into Spain’s Brand Ambassador club, coordinating with programs to create hacking events, and building the team that will represent Spain in the Ambassador World Cup.&nbsp;</p><blockquote><p dir="ltr"><em>“We believe that the success of our team is due to the wide variety of profiles we have, which allows us to have different approaches while testing. 
On the other hand, we have had a lot of collaboration between Spanish hackers and a great participation from 60-70% of our team members and even members who do not participate on a regular basis have joined this AWC edition with an outstanding contribution."</em></p></blockquote><h2>How Does the Ambassador World Cup Work?</h2><p dir="ltr">Just like the FIFA football world cup, the Ambassador World Cup is played in rounds, with teams competing to qualify for the next round.</p><p dir="ltr">We start with a qualifying round, from which the top 32 teams move to the group stage. This then gets whittled down to sixteen, then eight, then four in the final round. Customers can take part in different rounds depending on their appetite for engagement.</p><p dir="ltr">Those customers taking part in the qualifying and group stages have the benefit of multiple teams all searching for high-impact vulnerabilities to report. The early stages also engage a bigger pool of hackers from a wider range of countries, so if a customer wants to incentivize activity in specific regions, the early stages are where they want to get involved. Those taking part in the later rounds benefit from a more focused, specialized approach from the most impactful teams.</p><p dir="ltr">In each round, participating customer programs receive fresh hacker engagement and activity directed at their program’s approved scope. They will experience dedicated focus on their programs from some of the best hackers in the world. 
Participating programs will also have the opportunity to become more ingrained with the global community, create essential partnerships between enterprise programs and the community, and build new connections that will continue beyond the competition.</p><h2>Spotlight on a Bug</h2><p dir="ltr">During the 2023 Ambassador World Cup, Daniel Le Gall aka&nbsp;<a href="https://www.hackerone.com/hackerone-community-blog/ambassador-spotlight-awc-edition-blaklis">blaklis</a>, a member of Team France which came in 4th in the competition, uncovered a critical issue within the scope of Adobe Commerce. This discovery highlighted a vulnerability that could lead to remote code execution under specific conditions.</p><p dir="ltr">Blaklis conducted a thorough audit of the Adobe Commerce source code, which he knows quite well after having hunted on the Adobe bug bounty program for several years, leading to the identification of an intriguing flaw in the input validation process of a particular feature which resulted in a complex remote code execution. Remarkably, this flaw didn't require any form of authentication to be exploited. Blaklis presented this vulnerability during an on-site presentation, showcasing its technical complexity, and was also granted the "Best Bug" award for the final phase of the competition. Responding promptly, Adobe fixed the vulnerability by releasing a new software version and assigned CVE-2024-20758 to address this specific issue. Blaklis’s efforts are not only helping Adobe products to be more secure, but also improving the security of hundreds of thousands of stores and Adobe customers worldwide.</p><p dir="ltr">A remote code execution is often among the most critical types of vulnerabilities that can be found on software and could have led to severe impacts for these software users, considering the sensitive information the software handles. 
This vulnerability type falls under the CWE-20 category "Improper Input Validation," where many injection-related issues manifest, each with diverse impacts and consequences.</p><h2>How Can I Take Part?</h2><p dir="ltr">Are you looking to bring new engagement to your program? Are you interested in expanding your program’s outreach to the global community? There’s still time to get involved in the 2024 World Cup, kicking off in late May. Reach out to your customer success manager to learn more about how your program can engage in the 2024 tournament!</p>
      
            
                                                                                <a href="https://www.hackerone.com/blog/community" hreflang="en">Researcher Community</a>
                    
    

            
            <a href="https://www.hackerone.com/blog/topic/bug-bounty" hreflang="en">Bug Bounty</a>
        
    

            <p dir="ltr">HackerOne’s Ambassador World Cup 2024 is a competition that brings together regional teams of hackers, led by HackerOne’s global Brand Ambassadors, to identify impactful vulnerabilities in participating customer programs.&nbsp;</p>
      ]]></description>
  <pubDate>Mon, 06 May 2024 17:53:27 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5352 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Capital One Teams Up With Top-Tier Ethical Hackers at H1-305</title>
  <link>https://www.hackerone.com/blog/capital-one-teams-top-tier-ethical-hackers-h1-305</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">Capital One Teams Up With Top-Tier Ethical Hackers at H1-305</span>
    



    
        H1 Team
        
    


<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Mon, 04/22/2024 - 12:34
</span>

            
  
      
  
                



          

  

      
            April 22nd, 2024

      
<blockquote><p dir="ltr"><em>“Capital One puts the security of our customers and our systems at the forefront of everything we do. Live Hacking Events are a key component of our robust security testing strategy and are a unique and dynamic way to engage with the ethical hacking community, allowing us to form close partnerships with each of the hackers. Across industry, these types of events are considered a gold standard to ensure companies are approaching risk from every potential angle, and we're grateful for the hackers' hard work and partnership to help us further bolster our defenses."</em></p><p dir="ltr"><em>— </em>Kathryn Torelli, Bug Bounty Lead, Capital One</p></blockquote><h2 dir="ltr">H1-305: By the Numbers</h2><p dir="ltr"><strong>The participants:</strong></p><ul><li dir="ltr">52 participating researchers</li><li dir="ltr">22 countries represented</li><li dir="ltr">144 Collaborations</li></ul><p dir="ltr"><strong>The results:</strong></p><ul><li dir="ltr">Over 1,300 hours of reported testing conducted</li><li dir="ltr">105 valid reports</li><li dir="ltr">49 unique reporters</li><li dir="ltr">$750,000+ total awards</li></ul><h2 dir="ltr">The Hackers</h2><p dir="ltr">Capital One considers LHEs essential to maintaining an industry-leading program. Live hacking events allow the best and brightest security researchers to collaborate in person. Every security researcher who joined Capital One at H1-305 added value to the program.</p><p dir="ltr">One hacker, @archangel, took a different approach at H1-305. Typically, @archangel is heavily involved in collaboration during live hacking events, but he decided to take this one solo. 
His hard work and effort paid off, earning him not only first place but also the title of the event’s Most Valuable Hacker.&nbsp;</p><p dir="ltr">Congratulations to @archangel and the other winners of H1-305!</p><ul><li dir="ltr"><strong>First place:</strong> @archangel</li><li dir="ltr"><strong>Second place:</strong> @rhynorater</li><li dir="ltr"><strong>Third place:</strong> @avishai</li><li dir="ltr"><strong>Exterminator</strong> (most critical/impactful vulnerability of the event): @stealthy </li><li dir="ltr"><strong>Eliminator</strong> (best bug on a specific skill set): @fr4via</li><li dir="ltr"><strong>Eradicator</strong> (best bug of the final event day): @CDL, @m0chan, @nagli</li><li dir="ltr"><strong>Most Valuable Hacker&nbsp;</strong>(Community, Criticality, Consistency): @archangel&nbsp;</li></ul><blockquote><p dir="ltr"><em>“One of the noteworthy lessons learned for all security teams from this live hacking event was the inclusion of software and engineering teams from Capital One. It was exciting and powerful to observe the benefits of the live collaboration between Capital One engineering teams and the hacker community. The ability for engineers and hackers to ask live questions of each other created unique opportunities for learning and working together.”</em></p><p dir="ltr">— Alex Rice, CTO, HackerOne</p></blockquote><h2 dir="ltr">Activities</h2><p dir="ltr">Alongside hours of exciting hacking, hackers and the Capital One team enjoyed the beautiful Miami weather, food, and arts scene. At the Wynwood Walls museum, featuring hundreds of artists from over 20 countries, hackers were able to test their own artistic abilities by spray painting during the interactive portion of the museum. 
With delicious food trucks and great weather, it was a fun opportunity for everyone to explore Miami!</p><p dir="ltr">Thank you to all the H1-305 participants for making this live hacking event an amazing success, and to Capital One for our continued partnership for a safe and secure internet. Learn more information about&nbsp;<a href="https://www.hackerone.com/lhe/2024-lhe-invitations">live hacking events with HackerOne.</a></p>
      
            
                                                                                <a href="https://www.hackerone.com/blog/customer-stories" hreflang="en">Customer Stories</a>
                    
    

            
            <a href="https://www.hackerone.com/blog/topic/bug-bounty" hreflang="en">Bug Bounty</a>
        
    

            <p dir="ltr">Last month, Capital One and 52 highly skilled ethical hackers from around the world came together in Miami, FL, USA for Capital One’s second live hacking event (LHE) with HackerOne. With help from this amazing group of hackers, Capital One put its products through rigorous stress testing, with the end goal of reducing risk and increasing security for their end users.</p>
      ]]></description>
  <pubDate>Mon, 22 Apr 2024 17:34:05 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5337 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>How Ethical Hackers Help AS Watson Address Digital Risk</title>
  <link>https://www.hackerone.com/blog/how-ethical-hackers-help-watson-address-digital-risk</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">How Ethical Hackers Help AS Watson Address Digital Risk</span>
    



    
        H1 Team
        
    


<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Tue, 04/12/2022 - 22:14
</span>

            
  
      
  
                



          

  

      
            March 19th, 2024

      
            <p>AS Watson Group knows this as well as anyone. As the world’s largest international health and beauty retailer, they are responsible for securing a footprint that includes more than 16,400 stores in 29 markets, 5.5 billion customers, and 130,000 employees. As part of their security strategy, they turned to HackerOne Bounty to help fortify their expanding digital presence and ensure that their assets remain as secure as possible as their attack surface changes.</p>
            <p>We recently met with AS Watson’s Chief Information Security Officer (CISO), Feliks Voskoboynik, to learn how ethical hackers have helped with digital transformation and enabled his team to harden their attack surface. Read on to learn Feliks’ advice on including a bug bounty program as part of a security strategy, the lessons ethical hackers have provided, and what best practices he can share with other CISOs.</p>
            <h2>Q: Tell us about AS Watson.</h2>
            <h4>Feliks:</h4>
            <p>Established in 1841, AS Watson Group is the world’s largest international health and beauty retailer, with over 16,400 stores in 29 markets. In recent years, cybersecurity threats have been a growing concern that we cannot underestimate. The retail industry is a very attractive target for cybercriminals due to the retention of highly valuable customer information. We must protect this information from potential cyber threats, and that’s where cybersecurity comes in. At AS Watson Group, our IT Security team strives to continuously strengthen the cyber defense in the organization. Our ultimate goal is to keep our organization safe and secure to enable employees and customers to work and conduct business in a safe environment.</p>
            <h2>Q: Do hackers help AS Watson with digital transformation goals?</h2>
            <h4>Feliks:</h4>
            <p>Every day, we strive to build a stronger international network and O+O (Offline plus Online / O plus O) platforms for customer connectivity. We focus on the O+O strategy, which makes seamless offline and online customer experiences. This digital transformation program induces a big attack surface for us, and our community of ethical hackers is helping us mitigate the risks and increase our security maturity. We wanted to have the possibility to invite a global hacking community because this is the easiest way to get top-skilled hackers to assess the security of our assets.</p>
            <h2>Q: How do ethical hackers help identify vulnerability trends?</h2>
            <h4>Feliks:</h4>
            <p>Several times, hackers helped us with different types of vulnerabilities related to e-commerce. The creativity of the findings increased the security awareness of our product and development teams to release secure software. Security researchers help us with testing new security tools, as well as the way we configure and deploy them. One example of this was when we wanted to roll out an anti-credential stuffing tool, and hackers helped us find the weak spots and mitigate them.</p>
            <h2>Q: How do ethical hackers help harden your attack surface?</h2>
            <h4>Feliks:</h4>
            <p>The creativity of hackers is key to hardening our attack surface. When we receive a creative proof of concept (POC) from a hacker, we can use that process to review and verify that the specific vulnerability (or a similar one) is not reproducible on new assets. This approach gives us insights into where potential vulnerabilities might be and led us to introduce new cross-checking activities as part of the investigation and remediation process to verify a single risk on multiple components, such as inherited code in new assets.</p>
            <h2>Q: How do you use vulnerability insights to train internal teams?</h2>
            <h4>Feliks:</h4>
            <p>Specific findings of hackers enabled us to build a new secure code training program for our development teams. We monitor the trends of vulnerabilities and leverage them to build a training baseline to reduce the risks to our assets. The training program has helped us increase the quality of the code and reduce vulnerabilities. It’s also increased our prevention capabilities by shifting left as much as possible to secure the SDLC. We noticed a decrease in total valid reports over the years, and we lowered costs by remediating issues in live environments.</p>
            <h2>Q: How do you report on the value of working with ethical hackers?</h2>
            <h4>Feliks:</h4>
            <p>Considering our big attack surface, it’s a challenge to scale up penetration testing teams, even with third-party engagement. Our first KPI was on the resources we were saving compared to standard, time-boxed penetration testing activities. We also developed an internal KPI on vulnerability trends on specific brands, remediation, risk reduction, and more. With the community, you have many different areas of expertise compared to a single resource executing a time-boxed penetration test.</p>
            <h2>Q: What ROI do you expect to see from your bug bounty program?</h2>
            <h4>Feliks:</h4>
            <p>The ROI comes from the fact that we rely on HackerOne to find and deliver critical issues every day. Therefore, the ROI is that HackerOne finds issues daily.</p>
            <h2>Q: What advice would you give to other CISOs planning to start a bug bounty program?</h2>
            <h4>Feliks:</h4>
            <p>Start with building a robust vulnerability management program to handle the reports properly and make the program scale. When you design the rules of engagement, you need to clearly understand the risks you want to prioritize and identify your risk appetite.</p>
            <p>When you start a program, you will engage a community that requires your continuous commitment. Hackers are like customers, and they require time and effort to establish and maintain a relationship. It is crucial to properly manage the program KPIs, time-to-response, time-to-bounty, etc., which requires a proper team to handle it.</p>
            <p>At AS Watson Group, we consider the community as an extension of our team. In addition, we organize and plan to do many different events and contests to keep the hackers engaged with our programs.</p>
            <h2>Q: What’s the biggest lesson you’ve learned from hackers?</h2>
            <h4>Feliks:</h4>
            <p>Security is a journey, not a destination. No matter what you do or how secure your organization is, risks and vulnerabilities still exist. Engaging a community of researchers and ethical hackers ensures those with skills comparable to cybercriminals are testing your assets, which helps with findings and remediation and builds.</p>
            <p>Learn more about <a href="https://hackerone.com/watson_group?type=team">AS Watson's bug bounty program</a>, or <a href="https://www.hackerone.com/contact">get started on your own with HackerOne</a>.</p>
            <a href="https://www.hackerone.com/blog/customer-stories" hreflang="en">Customer Stories</a>
            <a href="https://www.hackerone.com/blog/topic/best-practices" hreflang="en">Best Practices</a>
            <a href="https://www.hackerone.com/blog/topic/bug-bounty" hreflang="en">Bug Bounty</a>
            <p>Retail and e-commerce brands are seeing significant growth due, in large part, to the digital transformation occurring in the industry. In today’s rapidly changing threat landscape, retailers are an attractive target for potential cybercriminals, with high amounts of customer data under their purview and a critical business need to deliver consistent customer experiences to the world’s shoppers.</p>
      ]]></description>
  <pubDate>Wed, 13 Apr 2022 03:14:43 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5136 at https://www.hackerone.com</guid>
    </item>

  </channel>
</rss>
