Recurring: weekly or bi-weekly collaborative hacking sessions, mentor-led and open to apply.
Community & Social Impact

Hack Hour

A collaborative cybersecurity initiative where security researchers and hackers come together for focused working sessions targeting bug bounty programmes, penetration testing challenges and live research. Participants exchange techniques, tooling and tricks, accelerating careers on both sides of the table.

Hack Hour is a collaborative initiative by Secure Purple where security researchers and hackers work together during scheduled, focused sessions. The format is simple: scoped target, small group, live collaboration, live exploitation, and open discussion about what is working, what isn't, and why.

It began during the COVID-19 pandemic, when isolated learners needed a way to stay sharp and senior researchers wanted a way to pay forward the mentorship they'd received. Five years later, Hack Hour runs either weekly or twice a month, and many of its regulars have landed their first bug bounty payouts, internships and full-time security roles through peers they met at a session.

Participants span experience levels (from bug bounty veterans to complete newcomers) and specialisms (web, mobile, network, cloud and reversing). The common thread is a willingness to work, share and learn in the open. No gatekeeping, no grandstanding. Just live targets, shared screens, and the kind of technique exchange that accelerates careers on both sides of the table.

"What usually takes years to pick up passively happens here in a few focused hours, because everyone in the room is actually hunting, not watching slides."

Hack Hour Regular

What Happens In A Session

Live Collaboration On Real Targets

Each Hack Hour pairs junior practitioners with senior researchers to work a scoped target in real time: bug bounty program, authorised pentest scope or an opt-in asset from a partner company.

Knowledge Exchange

Participants with different specialisms (web, mobile, network, cloud, reversing) pair up and swap techniques. What usually takes years to pick up passively happens in a few focused hours.

Collaborative Hunting

Groups co-work on a shared target with live recon, live exploitation attempts and live discussion. Findings, false leads and the reasoning in between are all shared openly.

Career Acceleration

The community grew out of the COVID-19 pandemic as a way for isolated learners to stay sharp. Many regulars land their first bug bounty payouts, internships and full-time roles through peers at Hack Hour.

How To Apply

Who Can Join & How

Open to both newcomers and experienced professionals: no gatekeeping on skill level, but a short application keeps the sessions focused and the ratios balanced.

  1. Check Eligibility

    You can currently attend in person in the Twin Cities (Islamabad or Rawalpindi). Remote editions are expanding. Email to be added to the waitlist.

  2. Send Your CV

    Email ask@securepurple.com with "Hack Hour" in the subject line and a short CV or portfolio link. Bounty profiles, CTF writeups and GitHub all count.

  3. Get Matched

    Applicants are matched into small groups by interest area (web, mobile, cloud, network) and paired with a senior mentor who runs the session.

  4. Show Up & Hunt

    Attend your scheduled session, work a live target with your group, share findings and keep collaborating in the community channel afterwards.

For Companies

Bring A Scope, Leave With Findings

Companies can submit opt-in testing scopes for Hack Hour groups to work against: a high-leverage way to stress-test an application or environment while directly supporting community talent.

  • WEB: Web application testing
    OWASP Top 10 · authn & authz · business logic · injection flaws
  • MOBILE: Mobile application testing
    iOS & Android · client-side storage · API abuse · runtime tampering
  • NET: Network & infrastructure testing
    External exposure · service misconfiguration · segmentation review
  • CLOUD: Cloud environment testing
    AWS · Azure · GCP misconfig · IAM abuse · public asset exposure

Email ask@securepurple.com to propose a scope. All engagements run under a signed authorisation and rules-of-engagement document before any testing begins.

The Bounty Ledger

What The Last Twelve Weeks Produced

A rolling snapshot of what Hack Hour groups have actually surfaced: bounty payouts, severity mix and target classes. Figures refresh at the end of each session batch; all findings are responsibly disclosed under signed scope.

  • Bounties Paid (12w): $29,930 (↑ $9,450 vs previous quarter)
  • Critical Findings: 11 (all responsibly disclosed)
  • High & Medium: 47 (Web · Mobile · Cloud · Network)
  • Active Hunters: 38 (Twin Cities + remote waitlist)

[Chart: Weekly Bounty Payouts, last 12 sessions, USD. Legend: standard session, critical-heavy week.]

Recent Findings

  • CRIT: Broken access control on admin export endpoint
    Session W12 · Web · $1,250 payout
  • HIGH: iOS keychain storing session token in plaintext
    Session W11 · Mobile · $750 payout
  • CRIT: Misconfigured IAM role enabled S3 bucket takeover
    Session W10 · Cloud · $1,800 payout
  • HIGH: Authentication bypass via JWT kid parameter
    Session W08 · Web · $900 payout
  • MED: Stored-XSS chain via profile bio field
    Session W07 · Web · $300 payout
  • CRIT: Remote code execution via server-side template injection
    Session W05 · Web · $2,200 payout

Common Questions

Everything You Might Want To Ask

For applicants, partners and companies thinking about submitting a scope.

Who is Hack Hour for?

Both newcomers and experienced professionals. Sessions are intentionally mixed so that junior practitioners learn from the seniors they're paired with, and seniors sharpen their teaching and articulation skills.

What do I need to apply?

Email ask@securepurple.com with "Hack Hour" in the subject line and a short CV or portfolio link. Bug bounty profiles, CTF writeups, GitHub repositories and blog posts all count as evidence.

Do I need to be in Islamabad or Rawalpindi?

Currently, yes. Most sessions run in person in the Twin Cities. Remote editions are being added. Email to be added to the remote waitlist and we'll notify you when your region is covered.

How secure are your practices?

All testing runs against authorised scopes only: either public bug bounty programmes or partner scopes that have signed authorisation and rules-of-engagement documents. Participants are briefed on scope boundaries before every session.

What industries submit scopes?

Submissions have come from healthcare, finance, retail, education and SaaS. Each scope is reviewed for suitability and signed off before it enters the session rotation.

Can you customise scopes for our company?

Yes. Scopes can be tailored: web applications, mobile apps, network infrastructure or cloud environments. We work with you to define boundaries, target list and expected deliverables before anything is tested.

What types of cyber threats do you protect against?

Sessions produce findings across the full OWASP Top 10, mobile client-side issues, cloud misconfiguration, IAM abuse, network exposure and business-logic flaws: the same classes of threat that mature pentest engagements surface.

What is your approach to incident response during a session?

If a finding surfaces that requires urgent attention, the mentor stops the session for that group and coordinates directly with the scope owner. Detection, containment and escalation happen on the same call.

Do you offer training for employees?

Yes, both through Hack Hour and our broader training practice. Employee-facing programmes are designed to be engaging and practical rather than compliance-theatre.

How often should we update our cybersecurity measures?

Cybersecurity is an ongoing process. We recommend regular assessments and a defined update cadence. The Hack Hour programme can be used as part of a continuous-assessment loop rather than a one-off test.
