How cybersecurity hackathons boost innovation and talent discovery


Microsoft, Tesla, Mozilla, and Google were among the companies ‘hacked’ by white hat hackers at the Pwn2Own Hackathon 2024, who exploited critical vulnerabilities and bugs. The highly sought-after cybersecurity hackathon was held in Vancouver, Canada, between March 21-22, where contestants demonstrated 29 zero-day vulnerabilities and collected a total of $1,132,500 in prize money.

Pwn2Own is a computer hacking contest held annually at the CanSecWest security conference where security researchers and hackers demonstrate their skills by finding and exploiting vulnerabilities in popular software and operating systems. 

Security hackathons bring together product and security experts to find security vulnerabilities within a product. The participants offer a third-person view of a company’s security posture and detect gaping holes that its internal security teams may have overlooked. To be sure, the idea for the Pwn2Own hackathon was conceived by Dragos Ruiu (also the organiser of CanSecWest), partly motivated by iPhone maker Apple’s stance which ‘trivialises security’.

“Cybersecurity hackathons offer a cost-effective and dynamic way for companies to stay ahead of the curve and fortify their defenses against ever-evolving cyber threats. Take bug-bounty hackathons for example — in this scenario — thousands of ethical hackers descend upon your company's digital fortress for a concentrated “assault” resulting in controlled chaos. This kind of chaos is the heart of a bug bounty hackathon. These events attract a global pool of security researchers with diverse skill sets and fresh perspectives,” said Vishwastama Shukla, chief technology officer at HackerEarth, an enterprise software maker that helps companies hire technical talent.

“One may argue that such a test can be done internally within an organisation through penetration testing with a predefined scope, but hackathons unleash a relentless wave of creative attempts to breach defenses, mimicking real-world cyberattacks,” he added.

Companies consider hackathons a ‘turbo-boost’ for cybersecurity through industry collaboration. One such example is cloud cybersecurity company Zscaler, which organised its first hackathon — Hackday — in December. “Zscaler’s first-ever Hackday is a testament to the transformative impact of hackathons. The event brought together our 150 product engineers to brainstorm and create prototypes aimed at enhancing our products. This initiative not only helped us develop new features but also focused on making our products more robust and supportable, ensuring they meet the evolving needs of our customers,” explained Sanjay Kalra, Vice President, Product Management — Engineering, Zscaler.

Once vulnerabilities or bugs are identified during such hackathons, the company gets to fix them within a stipulated time period. At the Pwn2Own event, companies are given 90 days to release security fixes for zero-day vulnerabilities. 

Hackathons serve as a prime platform for recruiters seeking top talent, particularly in the fiercely competitive cybersecurity sector. These events often complement traditional hiring methods, providing recruiters with a valuable opportunity to identify skilled individuals. “The biggest intended/unintended benefit of hackathons for organisations is to find hidden talent, explore various out-of-the-box solutions, and attract like-minded organisations and skilled talent. Hackathons can unearth hidden talent within your organisation. Employees who may not have the opportunity to showcase their security expertise in their day-to-day roles can shine during a hackathon. This can help security teams discover skilled individuals who could be potential future recruits,” explained Neeti Sharma, CEO, TeamLease Digital.

According to the 2023 Global Risk Survey by global consulting firm PwC, cybersecurity threats are now considered the most significant risk faced by Indian companies across various sizes and industries. Over 38% of respondents feel highly or extremely exposed to these threats. This marks a notable shift from the 2022 survey, where cybersecurity ranked third; it has since risen to the number one spot on the risk radar. With the emergence of increasingly sophisticated artificial intelligence (AI) tools and systems, this risk is expected to intensify further. Hence, it becomes imperative for enterprises to leverage all available channels, including hackathons, to enhance their security posture and identify relevant talent in the cybersecurity field.
