Testathon Berlin 2018
A friend invited me to this event. If you don't know about it, it's a hackathon for testers. I thought it would be the same kind of event that HackerOne organizes from time to time.
But that expectation was wrong.
When I had already submitted my application, two people from the event pinged me on LinkedIn asking me to join.
It seems that at that time they didn't have too many participants from Germany and started bombarding every QA engineer with messages on LinkedIn.
But the main thing is that there is a screening process, and you can be declined. I don't know what the reasons could be; for sure the screening is not based only on experience.
I want to start with the positive things about the event itself:
✅ The food was perfect.
✅ Free T-shirts for all participants were also nice.
✅ The presenter on stage was a cool, energetic guy.
✅ The venue was perfect: in the city center, a huge open space.
✅ You can make some friends in the QA field.
And that's it. From the competition side it was absolutely badly organized.
Next I will explain a few things that frustrated me a lot.
❌ The Wi-Fi connection wasn't stable.
I had read in many articles that all the previous events had technical issues with the Wi-Fi connection, and that problem is still there. It's strange that they didn't try to resolve it. One way to resolve it would be several hotspots with different credentials, with participants split into groups. The connection problems greatly hindered the work.
❌ The moderation process for bugs was unclear. No feedback. No visible results of your work.
The presenter on stage informed us that all bugs would be logged in a private Jira and that every bug would go through a moderation process.
As I remember, all the moderators were located in Romania or Bulgaria.
After that we would get score points based on the severity of the issues we found. Sounds cool. But it wasn't so, for sure.
No one saw any scores. No results were offered to the participants. There was only one piece of feedback, to my colleague: his bug was rejected with the reason "need more details". There was also no feedback on duplicate bugs. And if your issue was underestimated, you could do nothing about it. You simply didn't know.
In my case I found two interesting bugs (actually I found around 8 or 9 bugs of medium and high severity).
The first one was critical and could lead to memory corruption (a denial-of-service attack).
The second bug was simple, and could also lead to memory corruption.
Was I rewarded somehow? No. Was I the first person who found those bugs? Yes. Because of my findings they made some changes in the bug tracker tool to log my bugs.
❌ Non-technical people who were supposed to support you in the testing session.
That point confused me so much! In my first testing session I found a few backend bugs. The Product Owner (supporter) told me that the issue was not valid and that I SHOULDN'T report it, because no one would do that; no one would make a malicious file.
Sorry, what?
The main idea of the event was to check as much as possible around localization. But even if they were not focused on backend issues, those shouldn't be rejected by the responsible people.
❌ Insecure access to the internal bug tracker.
I was able to log in with any participant's account. The login name was email@example.com and the password was username1, so it was possible to log in as user number 1, 2, 3 and so on up to 50. It would have been funny if someone had simply changed the regular bug tracker password for all users in the middle of a testing session. Why the organizers didn't prepare more personal credentials for all participants, I don't know. It was certainly possible, because all the participants were known and all of them had been invited to the event.
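The credential problem above, as an added example that is not part of the original post and not the event's own tooling: the account names, the example.com domain and the fifty-account count are assumptions for illustration. The first function reproduces the weak pattern (password derived from the login name), the attacker-side functions show how one observed login is enough to enumerate every account, and the audit function is the check an organizer could run before handing out credentials, here passed by per-participant secrets from the OS CSPRNG.

```python
import secrets
from typing import Dict, List, Optional

# Constructed sample data: fifty numbered participant accounts, modelled on the
# post. The names and domain are assumptions, not the event's real accounts.
PARTICIPANTS = [f"user{i}@example.com" for i in range(1, 51)]


def weak_issue(users: List[str]) -> Dict[str, str]:
    """Shared-pattern scheme like the one the post describes: the password is
    derived from the login name, so one leaked pair reveals the rule."""
    return {u: u.split("@")[0] + "1" for u in users}


def strong_issue(users: List[str], nbytes: int = 16) -> Dict[str, str]:
    """Hardened issuance: an independent random secret per participant from
    the OS CSPRNG (16 bytes -> 22 URL-safe characters), nothing derivable."""
    return {u: secrets.token_urlsafe(nbytes) for u in users}


def infer_rule(known_user: str, known_password: str) -> Optional[str]:
    """Attacker step 1: from one observed login, recover the rule
    'password = local part + suffix'. Returns None when the password is not
    built from the login name, i.e. there is no rule to reuse."""
    local = known_user.split("@")[0]
    if known_password.startswith(local):
        return known_password[len(local):]
    return None


def enumerate_accounts(known_user: str, known_password: str,
                       store: Dict[str, str]) -> int:
    """Attacker step 2: apply the inferred rule to every other account and
    count how many guesses would actually log in against the real store."""
    suffix = infer_rule(known_user, known_password)
    if suffix is None:
        return 0
    return sum(1 for u, pw in store.items()
               if u.split("@")[0] + suffix == pw)


def audit(store: Dict[str, str], min_len: int = 16) -> List[str]:
    """Organizer-side check before distribution: no shared passwords, no
    password derivable from its login name, and a minimum length."""
    findings: List[str] = []
    if len(set(store.values())) != len(store):
        findings.append("duplicate passwords across participants")
    for user, pw in store.items():
        local = user.split("@")[0]
        if pw.startswith(local):
            findings.append(f"{user}: password derived from login name")
        if len(pw) < min_len:
            findings.append(f"{user}: password shorter than {min_len} chars")
    return findings


if __name__ == "__main__":
    weak = weak_issue(PARTICIPANTS)
    strong = strong_issue(PARTICIPANTS)
    # One participant who knows only their own login can take over the rest.
    print("weak store, accounts reachable from one login:",
          enumerate_accounts("user7@example.com", weak["user7@example.com"], weak))
    print("strong store, accounts reachable from one login:",
          enumerate_accounts("user7@example.com", strong["user7@example.com"], strong))
    print("weak audit findings:", len(audit(weak)))
    print("strong audit findings:", len(audit(strong)))
```

The random passwords would be handed to each participant individually (printed on the badge, for instance) and revoked when the session ends; the bug tracker itself should store only a salted hash, not the value this script prints.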
❌ Testing sessions.
It's a pretty nice testing methodology, but it was organized strangely. In the first 10 minutes you can explore the target. In the next 40 minutes you can start testing and logging all the bugs. And that's it. If you plan to do proper recon, reverse engineering or fuzzing, there is no chance. Too little time for productive work. If you always test in comfortable conditions, it's not your place. With such a short time frame it's not possible to go deep and find really cool bugs and vulnerabilities.
❌ Awards list.
The awards list was super strange. There was a Most Devices award. There were also Most Active on Social Media and Most Talkative Person. These are just "fun" awards with very small prizes, and that was kind of a good thing, to avoid too official an atmosphere.
There were also awards for Best Team, Best QA and Best Insight.
But without any announced results, it's impossible to understand why those people were standing on the stage!
In my opinion it's an interesting event with a good idea and intent, but it had so many cons. It would be OK if it were being organized for the first time, but this event wasn't the first. I think next time I will not apply. I found a bunch of interesting bugs, spent the whole day, got 2 T-shirts and took one headache pill. It seems I could have spent my day with much more interesting results. 10 to 15 people may appear in the comments and say that it was so much fun and the "best day of their life". But those people can't say why they were rewarded, and they won't be able to say that they acquired any kind of knowledge or experience.
Maybe the organizers and sponsors thought that it's impossible to share results and findings because it's secret information. But!
First: all participants signed an NDA at the entrance (that's why I don't share any project names or technical details).
Second: the Jira credentials weren't secret, and it was possible to log in as another participant and look at their bugs (results).
No visible results is the main problem of that "competition".
See you soon with other, much more interesting articles from my penetration testing journey.
PS: I've already connected with the main guy from the Testathon company. He was grateful for my comments and said he would try to correct all the existing problems at the next events. Thanks for that talk, Ronald 😉