Hackers make and break information technology (IT) for fun and profit. Marathon runners, paying homage to the spry Greek courier Pheidippides, run 26 miles -- just for fun. Thus, a “hackathon” is an extended opportunity to show off your 31337 skillz.
The first hackathon was sponsored by OpenBSD in 1999, at a software development event that was held in Canada for fear of violating US export rules on cryptography. In November 2020, Very Good Security (VGS) held its first “Hack Week,” during which we allowed our very own cyberpunks, as well as researchers from HackerOne, to take a crack at VGS systems.
A whole week is a lot of hacking, so it is important to eat your Wheaties. Further, a hacker should not forget that, when Pheidippides finished his marathon run from the battlefront to Athens, and delivered the briefest of intelligence reports (νικῶμεν, or “we won”), he died.
When our hacker-Spartans were forced to lay down their weapons, VGS and HackerOne researchers were eager to share their findings. The overall quality of the reports was excellent, and VGS undertook immediate mitigation. Our top three hackers, who each received a gift and VGS swag, were: 1) Mark Matviiv, 2) Igor Koponkin, and 3) Alexander Parhimovich.
At VGS, the primary goal is to learn as much as possible about vulnerability detection, reporting, and mitigation. Security auditing is tough: one must expect the unexpected, while maintaining system safety at all times. Therefore, the security team must work closely with the engineering teams, from initial guidance to dynamic discussions on risk management.
During Hack Week, collaboration is key. VGS takes care of its HackerOne researchers, and in the thick of combat, everyone is treated as an equal. Objective third-party perspectives are invaluable in assessing every aspect of VGS security, especially in testing new areas of our product. Quick help is always just an email away, at hackerone@verygoodsecurity.com.
Inevitably, Hack Week revealed numerous areas in which VGS could (and did) tighten the screws, specifically in terms of permissions and documentation. Beyond that, it was awesome to find new comrades and deepen existing friendships, which will undoubtedly help to strengthen VGS security far into the future.
VGS will hold more hackathons, and there will be numerous upgrades. We aim to improve the overall workflow, from onboarding researchers to making sure that reporting happens in a consistent way. We will clarify the rules of engagement and augment our internal toolset. Finally, we will up the ante, and invest greater sums in our cash awards, gifts, and exclusive VGS swag.
If you have any questions about VGS Hack Week, or how we have used it to improve product security, please email support@verygoodsecurity.com. And if you would like to participate in a future Hack Week, please email hackerone@verygoodsecurity.com.