As planned, the Nuit du Hack (NDH) was a really nice and interesting event. I had not been at the NDH for a really long time and going back with the Protektoid project was a real pleasure!
Between conferences, wargames and workshops, there were a lot of things to discover and enjoy, even though we were Bug Bounty focused, as sponsorship obliges.
The Nuit du Hack 2k16
Before describing the event from Protektoid's point of view, let me describe the event in general.
First, the arrival at Disney-country was really convenient for people from abroad. Then the Tic&Tac hotel, that is something! Next, off to the organizers' meeting room in the conference building to meet with Virtualabs and the HZV team... which finished at 1am. The hardest part was waking up the next day at 6.30, knowing it would be a no-sleep day...
Then everything just went a little faster: VIP badge, complete check-up by the Disney team. Let's say they were a little paranoid: they did not believe me when I said my suitcase was full of mugs. What, that is standard, no? Then the Protektoid Bug Bounty stand setup, and a little time to rest and discover how huge the event is.
Nothing like Toulouse in 2002! Each room is bigger than the last: a wargame zone where 1,000 people could easily fit, a workshop zone for more than 200 people, a CTF room for 10 teams... A crazy organization, just the way we like it!
The end of the event - 6.30am
The Nuit du Hack is also a story. I had forgotten how the "geek" nights end at 6.20am. Forgetting this one will take a long time. A nice memory from 20 years ago: I enjoyed a game of Rambo...
Protektoid at the Nuit du Hack
First of all, a big thanks to those who joined the bug bounty. This was a really nice experience. As the Bounty Factory team (https://bountyfactory.io) told us, we were not disappointed! And, obviously, a big thanks to the 3 hunters who reported security bugs during the event.
A review of our beliefs
I think that being involved in a bug bounty program is first of all accepting to have your own beliefs challenged. If you start a bounty program with that in mind, be sure that you will be told so: doubts, cold sweats and other feelings guaranteed. I could patch in real time and take reports into account to improve the system as they came in, which helped a little!
The main lesson we learned was that securing a project is not easy, even with all the background you may have, as it is easy to miss, forget or neglect a problem that you would flag as a "minor technical issue" when it should have been a "minor technical issue that can lead to a security breach if you do not open your eyes right now". In our case, a simple error while cloning a server (to generate the servers for the bounty program) was the cause of the two main security bugs reported. We are talking about 14 characters here...
Conclusion: cloning a server is not that simple, and not without potential security issues. We are now aware of that, and a check for it is integrated into our processes for the next cloning we will have to do when scaling the end-user platform.
These breaches could have been responsible for the leakage of part of our IP. End-user data, however, were safe, as they are totally separated from the software's IP source code.
Another way to think
The bug bounty program also lets you face people who think differently. For instance, it is not obvious that an API made for a mobile app without WebKit could be used to generate specific links in emails and produce XSS attacks in web browsers. Well, yes, that is possible, if you think "outside the mobile-app box": nothing forces a client to be the mobile app, and the email is rendered by a browser or webmail client, not by the app. Even if the attack scope was limited in the current state of the project, this way of interacting with the API could have had other consequences in the future, had we not patched it.
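To make the point above concrete, here is an added example (not Protektoid's code, and not the actual report): a hypothetical API endpoint accepts a display name and a callback URL from the client and builds an HTML email containing a link from them. The "before" version trusts the input because only the mobile app was supposed to call the API; the "after" version validates the link target against an assumed allow-list (app.example.com) and HTML-escapes everything that lands in markup. The malicious inputs are constructed for the demonstration.

```python
"""Added example: an API built for a mobile app becomes an XSS vector when
its input ends up in an HTML email opened in a browser.

Everything here is hypothetical: the endpoint, the allow-listed host and
the sample inputs are assumptions for the demonstration, not Protektoid's code.
"""
from html import escape
from urllib.parse import urlparse

# Constructed attacker input, sent straight to the API with curl rather than
# through the mobile app (which would never produce it, but nothing enforces that).
MALICIOUS_NAME = 'Alice<img src=x onerror="alert(document.cookie)">'
MALICIOUS_URL = "javascript:alert(document.domain)"

# Assumed allow-list of hosts an emailed link may point to.
ALLOWED_HOSTS = {"app.example.com"}


def build_link_vulnerable(name: str, url: str) -> str:
    """'Before': raw interpolation. Harmless in the app, an XSS once the email
    is rendered by a browser or webmail client."""
    return f'<a href="{url}">Hello {name}, confirm here</a>'


def is_safe_url(url: str) -> bool:
    """Accept only absolute https links to an allow-listed host.
    Rejects javascript:, data:, protocol-relative and off-site targets."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.netloc in ALLOWED_HOSTS


def build_link_hardened(name: str, url: str) -> str:
    """'After': validate the link target, then HTML-escape both the attribute
    value and the text node so no client-supplied string can close the tag."""
    if not is_safe_url(url):
        raise ValueError(f"refusing to embed untrusted link target: {url!r}")
    return (
        f'<a href="{escape(url, quote=True)}">'
        f"Hello {escape(name, quote=True)}, confirm here</a>"
    )


if __name__ == "__main__":
    ok_url = "https://app.example.com/confirm"
    print("vulnerable:", build_link_vulnerable(MALICIOUS_NAME, ok_url))
    print("hardened:  ", build_link_hardened(MALICIOUS_NAME, ok_url))
    try:
        build_link_hardened("Bob", MALICIOUS_URL)
    except ValueError as err:
        print("rejected:  ", err)
```

Escaping alone would not be enough for the href: a `javascript:` URL survives HTML escaping intact, which is why the hardened version checks the scheme and host before it escapes. Conversely, validating the URL alone leaves the display name free to inject markup, so both steps are needed.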
The bug bounty has been a really great experience for us and we will try the adventure again after the next major release of the project!
Note that if you are interested in being one of the beta-testers and screening the next releases before everyone else, you can join the Early Preview community at https://plus.google.com/communities/101802986330867597124