1
 
 
Account
In your account you can view the status of your application, save incomplete applications and view current news and events
May 11, 2023

YesWeHack and OTTO stage Live Bug Bounty Hunting event

What is the article about?

At this year's Nullcon Berlin, the international IT security conference that brings hundreds of top experts together, we staged a live Bug Bounty Hunt together with YesWeHack, a leading provider of bug bounty services. Around 40 crack security researchers pitched in to subject OTTO's infrastructure security to a hardcore test. This was a welcome chance for us to check our Web applications for security loopholes and learn from a personal exchange with leading-edge researchers at the same time.

What is Bug Bounty Hunting?

Bug Bounty Hunting lets IT security researchers pinpoint and report vulnerabilities in systems in a fully legal way. What's more, the Bounty Hunters can look forward to a financial reward for their efforts. This concept is an officially sanctioned, industry-recognised approach to improving systems' IT security.

The result

Through our collaboration with YesWeHack and our direct interaction with top security researchers we were able to identify and eliminate potential vulnerabilities in real time. For instance, OTTO's own systems were tested for the OWASP Top 10 using the latest tools and methodologies, but also for other vulnerabilities such as a subdomain takeover, in which an attacker gains control over an expired subdomain and misuses it for malicious purposes. Alongside www.otto.de, the security researchers tested numerous other Web applications as well as the OTTO mobile app.

Teilnehmende des Live Bug Bounty Huntings mittendrin
Teilnehmende des Live Bug Bounty Huntings mittendrin

At Nullcon the researchers praised the high security level of the OTTO systems, as it turned out to be tough for them to find chinks in our armour. Nevertheless, they did highlight some interesting vulnerabilities, enabling us to act quickly to maximise our infrastructure security. Some of the attack vectors were extremely specialised, requiring the full creativity and depth of experience of the Bug Bounty Hunters to produce validated findings. Our own OTTO security analysts reviewed and evaluated all vulnerability reports.

The approach

The security researchers selected very individual toolset spectrums which ranged from 'standards' such as curl and dig – already installed in our current operating systems – to fully automated, cloud-based tools that can be scaled as necessary. All participants opted to include the Portswigger Burp suite. However, it was also evident that many of them were applying self-developed tools scripted in Python or Bash, for example, to validate potential attack vectors rapidly. Expertise in prototyping was a clear advantage, because speed played a decisive role if you wanted to be first to report a vulnerability in order to cash in for it!

This short YouTube clip summarises the highlights of the event and communicates the lively atmosphere at Nullcon. 

Conclusion

chAm Ende der zwei Tage wurde nicht nur der „Most Valuable Hacker“ gekürt, sondern auch die These bestätigt, dass Sicherheit kein fixer Zustand ist, der erreicht werden kann, sondern ein Thema, an dem kontinuierlich gearbeitet werden muss. Wir als Unternehmen haben diese Veranstaltung genutzt, um unsere internen Prozesse und Tools weiter zu verbessern, damit wir in der Lage sind schnell auf potenzielle Bedrohungen zu reagieren. Die Erkenntnisse aus dieser Veranstaltung nutzen wir, um unsere Softwareentwickler*innen darin zu unterstützen, auch in Zukunft sichere Applikationen und die dafür notwendige IT-Infrastruktur aufzubauen.

Wenn du eine Frage an das Team hast, kommentiere gerne unter dem Artikel. Ich melde mich schnellstmöglich zurück.


Photocredits @YesWeHack

Want to be part of our team?

3 people like this.

0No comments yet.

Write a comment
Answer to: Reply directly to the topic

Written by

Andreas Wienes
Andreas Wienes
(former) IT Security Analyst at OTTO

Similar Articles

We want to improve out content with your feedback.

How interesting is this blogpost?

We have received your feedback.

Allow cookies?

OTTO and three partners need your consent (click on "OK") for individual data uses in order to store and/or retrieve information on your device (IP address, user ID, browser information).
Data is used for personalized ads and content, ad and content measurement, and to gain insights about target groups and product development. More information on consent can be found here at any time. You can refuse your consent at any time by clicking on the link "refuse cookies".

Data uses

OTTO works with partners who also process data retrieved from your end device (tracking data) for their own purposes (e.g. profiling) / for the purposes of third parties. Against this background, not only the collection of tracking data, but also its further processing by these providers requires consent. The tracking data will only be collected when you click on the "OK" button in the banner on otto.de. The partners are the following companies:
Google Ireland Limited, Meta Platforms Ireland Limited, LinkedIn Ireland Unlimited Company
For more information on the data processing by these partners, please see the privacy policy at otto.de/jobs. The information can also be accessed via a link in the banner.
You can also withdraw your consent at any time without giving any reason by clicking on the button 'Cookie Settings' in the footer of the website and 'Refuse Cookies'.