PUMA live hacking event revisited: leHACK’s biggest Bug Bounty yet

July 10, 2026

YesWeHack live hacking event with PUMA at leHACK

The benefits of in-person collaboration were on full display during our latest live hacking event at leHACK, with an iconic brand – sportswear giant PUMA – once again providing the targets in Paris.

The leaderboard was topped by two hunters working as a team, while face-to-face interactions between hunters, triagers and the PUMA Group’s security team made a decisive difference when it came to evaluating and validating complex vulnerabilities:

“The PUMA team faced several challenging reports involving business logic and workflow vulnerabilities – a common issue in e-commerce, where frontend and backend behaviours must be analysed together. As these types of flaws can be a bit complex, you could see back and forth between small gatherings of Puma team members (both security and e-commerce specialists), hunters and YesWeHack triagers and customer success managers.
“This is where the collaborative format proves invaluable: you can analyse issues on the spot, in depth, with the most knowledgeable persons, making it a one-of-a-kind experience.”
Tristan LEWITTE, global lead CSM, YesWeHack
Laptops at the ready: YesWeHack and PUMA teams are well prepared

AI has of course been the topic du jour in Bug Bounty recently, and the beneficial impact of LLMs – when wielded by hunters with the expertise to deploy them wisely – was apparent to our triage team:

“This edition of leHACK was a resounding success on every level. When AI is used wisely, the most astute hunters are able to identify and exploit highly valuable vulnerabilities that provide significant added value to the client! The YesWeHack triage team was on hand throughout the event and handled over 200 reports with excellence and in record time!”
Adrien Jeanneau, VP security analyst, YesWeHack
The hunt is underway
All smiles: The PUMA team are in the mood to meet hunters and process bugs

A word from the winners

That said, the event also provided compelling evidence of the enduring competitiveness of manual hunting: the overall winners, who also discovered the bug with the biggest impact, deliberately chose not to use automation. For W0rty and Vozec, pooling their considerable expertise offered a distinctly human advantage. Human ingenuity still matters:

“We chose to work by hand, without automated tooling, because the scope was focused on just a few well-defined sites. And since we were working as a pair, we could cover more surface quickly.”
Vozec
🥇 Congratulations to the overall winners: W0rty and Vozec 👏

Interestingly, the duo’s stellar performance belied their initial concerns about the challenge ahead:

“The event was great. I loved the proximity with the program triagers, being able to get useful information from them about the bugs we found. I was a bit stressed when I first read the scope: e-commerce platforms using Salesforce, Magento and PrestaShop, which, in our minds, are more secure than others. We had the chance to be the first to find documentation of a custom API, where we found most of our bugs during the event.”
Worty
“It was a great event, and it really feels good to get together and go after a common target for a few hours. It was also pretty stressful: you know that very good hunters are looking at the same scopes at the same time, so on top of being precise, you have to be fast.”
Arthur Deloffre aka Vozec
In the ZONE!
And breathe: a break from the zone

While Vozec emphasised the value of hunting at a brisk pace, second-placed swdb underscored the rewards for taking time over the first phase:

“I spent quite a bit of time on recon at the start, exploring the new scope in depth – particularly regarding auth and IDORs – and it paid off later on. What stands out most for me was the atmosphere: a YesWeHack team that was always available and supportive, and great chemistry among the hunters.”
swdb
Podium winners 👏
A cool t-shirt design, no?

More hunters, more time to hunt

Patience was an even greater virtue than usual at the leHACK live Bug Bounty, with hunters having 31 hours to hunt. Unlike previous live hacking events at leHACK, the bug hunt kicked off on the Friday, day one of the conference, instead of the second – giving hackers much longer to research targets, test hypotheses and craft PoCs.

Credit is also due to Perce, who finished third, only narrowly behind swdb, as well as Laluka and p4st1s, who notched the first bug of the event.

🥉Perce with his award for 3rd place 👏

Congratulations to all our winners, as well as everyone who found bugs and earned a place on our final leaderboard:

🥇W0rty and Vozec
🥈 swdb
🥉 Perce
🩸 First Blood: Laluka and p4st1s
💥 Biggest Impact: W0rty and Vozec

And thank you to the many other hunters who helped to harden PUMA’s systems. The leaderboard featured an unprecedented 71 hunters, with many more also taking part.

First Blood! 🩸 Laluka and p4st1s
Up for grabs: the awards before they had owners

An iconic brand

A huge thank you of course to PUMA Group for entrusting us with organising this event, which built on the success of their existing private program. It’s truly an honour to help harden the systems of such an iconic brand. Founded in Germany in 1948, PUMA is one of the world’s leading sports brands, selling footwear, clothing and accessories for a wide variety of sports in more than 120 countries.

“This was a great opportunity to introduce hunters to five new subdomains, before we add them to our main program later. It was also a great opportunity to discuss findings with hunters.
“Preparing for the event, the security engineering team discussed with the e-commerce team how to make the scope interesting for everyone. And we made sure everyone in the team was available to provide quick responses and quick remediation.”
“This was our first experience of a live hacking event. The YesWeHack team advised us at every step: with marketing, the scope, triage, communication with hunters. It saved our time and helped us concentrate on validation of issues and internal communications.”
Sofia Rodionova, Senior Cyber Security Engineer, PUMA
The PUMA team is relaxed but ready
“What makes a difference was interacting with the researchers and getting to understand their thought process and approach. I’m amazed at how they spent time understanding PUMA’s digital platform through the user experience, and from there, understanding the workflow, the business logic and how the services connect behind the scenes.”
Nyzza Alvarado, junior cybersecurity engineer, PUMA
“It was a pleasure working alongside the PUMA team. From the very first findings to the final hours of the program, they remained highly responsive and engaged in discussions with researchers. Together with our triage team, they helped create a collaborative and dynamic environment that was greatly appreciated by the hunters.
“Throughout the event, PUMA and our triage team worked closely together to ensure findings were reviewed and reports were processed efficiently. This responsiveness was greatly appreciated by participating hunters and contributed to the overall success of the event.”
Philippine Ovigneur, YesWeHack customer success manager for the PUMA Group

Should your organisation hold a live hacking event?

Live Hacking Events are hugely effective when the circumstances are right. We can advise you on whether a Live Bug Bounty meets your current security testing needs.

The YesWeHack team enjoy their job 😎

YesWeHack also discussed our Bug Bounty platform with leHACK attendees and handed out swag