A Hackday is an event arranged for volunteer white hat hackers with the aim of searching for security weaknesses in a customer’s systems. The hackers work in teams. The severity of the weaknesses and vulnerabilities found during the hacking, as well as the quality of the reports, are evaluated by a panel of experts (the jury team) during the day. Communication with the hackers is real-time and, at its best, has the character of a game. The participating hackers are typically paid a small one-time fee, and they are offered practical premises, network connections, lunch and excellent opportunities for networking. The weaknesses that the hackers find can also be rewarded on a bug bounty basis.
The idea behind organizing a Hackday is to find as many security weaknesses as possible in a short time, compared to typical security audits or penetration tests performed by third parties. The target that the hackers work on may be at a mature stage of development or already in production.
What Mint Security delivers
We know how to identify the resources required for organizing the event, and we know the contractual issues and the hackers’ expectations. Furthermore, we know how to guide the planning of the event and how to evaluate the maturity and security of the systems from the point of view of the arrangements.
The system and the environment tested during the Hackday must be defined precisely, and the boundaries of the target to be hacked must be clearly identifiable. We participate in identifying, defining and planning the technical preconditions. Our experience helps to identify potential problem areas that should be excluded from the hacking. It is essential that the observations made during the Hackday can be reported smoothly; if the customer does not have a system for semi-anonymous reporting and communication that the hacker teams can use during the day, we can bring a reporting system to the event. The customer does not keep the reporting system, but receives all of the raw data. Based on the report data, we also produce a final report according to the customer’s wishes.
During the Hackday we also participate as a member of the expert panel, whose task is to evaluate the quality and severity of the hackers’ findings in real-time. We are also able to provide independent experts for the expert panel. Mint Security has a model for assessing the fee to be paid to the hackers for each finding.
Customer needs and challenges to be solved
Customer needs vary according to the organization’s level of competence. In an organization where security is strongly present in day-to-day operations, many of the planning tasks, or the entire planning phase, can be handled by the customer. We bring the expertise needed to cover all the requirements. The customer must always be closely involved in planning and organizing a Hackday.
Through our network we can inform hackers that a Hackday will be arranged.
The customer is always responsible for coordinating the fixes to the discovered security vulnerabilities, but we can help with this work as well.
More details about our methods and tools
Planning a Hackday
The planning consists of a background survey, definition of the boundaries and the target environment, workshops, and follow-up of the tasks specific to the target to be hacked. The planning also covers contractual and communication issues, as well as the definition of the tasks and the composition of the assessment team. One of the most important tasks is to plan the road map for the day and the instructions to be given to the hackers.
The event day
In coordinating the event day, we participate in the following tasks according to the customer’s needs: reception of the hackers, guidance of the assessment team and participation in its work, maintenance of the reporting system, provision of data sheets to the hackers during the day, coordination of possible disturbances in the target environment, and other tasks as required.
As the reporting tool, we bring to the event an Atlassian JIRA platform on which we have built a complete Hackday system. The system generates a comprehensive final report.