
VGS Hack Week 2020

December 17, 2020

Hackers make and break information technology (IT) for fun and profit. Marathon runners, paying homage to the spry Greek courier Pheidippides, run 26 miles -- just for fun. Thus, a “hackathon” is an extended opportunity to show off your 31337 skillz.

The first hackathon was sponsored by OpenBSD in 1999, at a software development event that was held in Canada for fear of violating US export rules on cryptography. In November 2020, Very Good Security (VGS) held its first “Hack Week,” during which we allowed our very own cyberpunks, as well as researchers from HackerOne, to take a crack at VGS systems.

A whole week is a lot of hacking, so it is important to eat your Wheaties. Further, a hacker should not forget that, when Pheidippides finished his marathon run from the battlefront to Athens, and delivered the briefest of intelligence reports (νικῶμεν, or “we won”), he died.

When our hacker-Spartans were forced to lay down their weapons, VGS and HackerOne researchers were eager to share their findings. The overall quality of the reports was excellent, and VGS undertook immediate mitigation. Our top three hackers, who each received a gift and VGS swag, were: 1) Mark Matviiv, 2) Igor Koponkin, and 3) Alexander Parhimovich.

At VGS, the primary goal is to learn as much as possible about vulnerability detection, reporting, and mitigation. Security auditing is tough: one must expect the unexpected, while maintaining system safety at all times. Therefore, the security team must work closely with the engineering teams, from initial guidance to dynamic discussions on risk management.

During Hack Week, collaboration is key. VGS takes care of its HackerOne researchers, and in the thick of combat, everyone is treated as an equal. Objective third-party perspectives are invaluable in assessing every aspect of VGS security, especially in testing new areas of our product. Quick help is always just an email away, at hackerone@verygoodsecurity.com.

Inevitably, Hack Week revealed numerous areas in which VGS could (and did) tighten the screws, specifically in terms of permission and documentation. Beyond that, it was awesome to find new comrades and deepen existing friendships, which will undoubtedly help to strengthen VGS security far into the future.

VGS will hold more hackathons, and there will be numerous upgrades. We aim to improve the overall workflow, from onboarding researchers to making sure that reporting happens in a consistent way. We will clarify the rules of engagement and augment our internal toolset. Finally, we will up the ante, and invest greater sums in our cash awards, gifts, and exclusive VGS swag.

If you have any questions about VGS Hack Week, or how we have used it to improve product security, please email support@verygoodsecurity.com. And if you would like to participate in a future Hack Week, please email hackerone@verygoodsecurity.com.

Mike Jensen

Staff Application Security Engineer

Kenneth Geers, PhD

Information Security Analyst at VGS
