August 19, 2022

Blowing Up Bugs in Belgium: Live Hacking Event

Note: Verizon Media is now known as Yahoo.

A racecar smashing a bug.

There are two main challenges all Bug Bounty programs face:

  • Security researchers end up self-selecting into specific programs — either because of preference or interest — limiting the talent pool of hackers any company habitually collaborates with. 
  • Each researcher often only specializes in a specific class of bug. 

The collision of those two facts creates a talent conundrum. And live events, we think, are a partial answer to this increasingly difficult challenge. 

These meetings create the opportunity to maintain the attention of highly-coveted researchers over the course of days while helping us reach new geographic communities of hackers with differing points of view. 

That’s why our Bug Bounty team is in Antwerp this week. We’re kicking off our first in-person event in more than two years today. 

The event is a milestone in the eight-year history of our program. In part because the majority of the researchers we’ve engaged with have come from Southeast Asia, North America, and South America. 

As a result, Europe is largely greenfield.

The Attendees

In all, 40 security researchers, most of whom are based throughout Europe, the Middle East, and Africa (EMEA), are spending the next three days with us. 

They’ll focus on a specific scope involving one of Yahoo’s open source projects, as well as accompany us to the Belgium Grand Prix — hence the illustrated race car motif.  

And they’ll come from one of four primary groups.

From our Elite Program (read more about that below!), we’ve invited all 10 members.  

From a cohort among our loyal researchers, who have consistently hacked on our public program for several years, we’ve invited five hackers. 

From our previous hacking event, which took place in May 2022, we invited three researchers who submitted super valuable bugs.

The rest were sourced from our vendor — Intigriti — which is running the event in partnership with the Paranoids. Intigriti, you guessed it, is headquartered in Antwerp.  

These researchers are top European performers on their platform. 

The Target 

But, just like our virtual event — which focused on the OWASP Core Rule Set (CRS), an open-source tool that protects Yahoo products and services — our in-person meeting centers on another open source technology: Vespa, a text search engine tool.

In September 2017, Yahoo open-sourced Vespa. The tool decides what to show someone when they query local results, images, and answers to questions. Lightning-fast.  

Yahoo still uses Vespa in Mail and the main Yahoo search engine. And the tool handles more than 500,000 queries per second, serving nearly a billion users.  

Our live event in Antwerp will enable the Paranoids to support that work further.

Getting There, Next Time 

Meanwhile, if you’re interested in qualifying for future events, the safest way to do so is to earn your way into our Elite Program.

The program runs in 60-to-90-day cycles. 

And every cycle, the top five security researchers that have earned the most through the public program receive invites to replace the bottom five researchers by bounties in the Elite program.

(There are other important qualifiers: researchers must be over 18; must have completed HackerOne’s Clear Program; and must not live in a country sanctioned by the U.S. government.)

Elite members have opportunities to earn bigger bounties and be paid quicker. In some cases, participants receive payments in days or weeks instead of months. 

They also get special attention. They are given direct contact with the Paranoids’ product security team over a private Slack channel. 

Plus, all Elite Program participants receive invites to all of the Paranoids’ hacking events. Virtual or in-person meetups.

Indeed, for the Paranoids, these live events are crucial. They scale our ability to address systemic weaknesses to an ever-widening scope. And for security researchers, these forums offer an excellent opportunity to have an asymmetric impact on our services. 

Ones that are becoming increasingly important for all the ways we all connect.     

About the Authors: 

Arjun Govindaraju is a pragmatic security professional working in the field of Application security for over a decade. He recently took over as program lead for the bug bounty program. 

Previously, he was a Principal Security Engineer on Yahoo’s Product Security team. Arjun is passionate about securing consumer data, particularly consumer emails. 

Jonathon Robin leads operations for the Paranoids’ bug bounty program. He was previously on the team as an analyst.

Robin is ultimately responsible for handling incoming reports, promotions, awards, and researcher relations, among many other things. 

Are you looking to get in touch because of something you found on Yahoo properties? Reach out to us using the contact information you find here: https://www.yahoo.com/.well-known/security.txt