Every bar stool, sofa cushion and deceptively uncomfortable wicker recliner is taken at this trendy, polished concrete co-working space, situated on the thirteenth floor of a central Sydney tower block.
The majority of the men here – they are mostly men, but around a quarter are women – have a beard of some description, most have not yet reached 30 and nearly everyone is wearing a T-shirt, jeans and sneakers.
It could be a scene from almost any city start-up office on a Friday afternoon, except the workers here – each fully engrossed in work at their laptops – have been flown in from five continents, and will eat tonight at Sydney’s most expensive restaurants before wandering back to their beds at the five-star Westin hotel over the road.
For the next few days, the floor is home to Atlassian’s Bug Bash event, the company’s first, for which the 30-odd so-called white hat hackers have been assembled to do what they do best: Find bugs in code.
The company is giving them more than just an all-expenses-paid trip for their troubles. For Atlassian the success of the Bugcrowd hosted event is measured in part by how much bounty money they get to give away. By Sunday night, between them, the bug hunters will have secured $110,000 in prizes.
The money is important – for around a fifth of bug hunters, bounties are their primary source of income – but that’s not what drives most gathered here today. They do it for the sheer thrill.
“It’s tremendous,” says Andre Baptista, known in the security community as 0xACB. The Portuguese 24-year-old describes the reaction he gets when showing his work to developers is usually one of “holy shit – what did you do?”
“The feeling is really great. But you have to be careful. With great power comes great responsibility,” he says with a grin.
Hacking all over the world
Every month since March this year, Baptista and fellow hacker Jose Sousa have been flown to a new city to perform, with two other colleagues from the University of Porto where they all work.
“We’re like a band: ‘C’mon let’s go, let’s go perform in Sydney, let’s go perform here’,” says Baptista, wearing hacker standard issue black T-shirt and jeans.
“I’m loving it; it’s changed my life over the last year,” adds 28-year-old Sousa, otherwise known as JLLiS.
Their invitation to the Sydney event, like for all the hackers present, comes as a result of their impressive track record. The Porto four were headhunted by Bugcrowd following some significant finds with another bug bounty operator, HackerOne.
It’s not cheap to bring them all the way to Sydney in the hope of giving them cash bounties. But for Atlassian it makes good business sense.
“The goal for us is we want finding an issue in any one of our products to be really, really hard. And a way to think about if it’s hard is to have as many people looking as possible, to have the best people looking, and then to make it really lucrative,” says Atlassian chief information security officer Adrian Ludwig.
Atlassian has been offering public bug bounties since last year. The concept has been around for some time, but has taken off in recent years. Google, Microsoft, Facebook, Samsung, Uber, Apple and Tesla all offer money-for-bugs schemes.
Ludwig says Atlassian already does automated source code scanning and invites third parties in to do pen testing, on top of the work of its own security function. But together with the bug bounties and Bug Bash event “these are overlapping protections with the hope that we’ll find everything,” he says.