The Cyber Security Plan That's Awarding Hackers


04/09/2018

Shopify's commerce platform has awarded hackers more than $850,000 in bounties for helping secure more than $55 billion in customer transactions and the data behind them. As a commerce platform, the company helps more than half a million merchants in 90% of the world's countries design, set up, and manage online stores.

“Until you have a robust set of eyes on your stuff, it's really hard to know what you're missing,” said Andrew Dunbar, director of Risk and Compliance at Shopify. “For companies to think their app isn't going to have an unknown vulnerability, it's kind of short-sighted.”

Shopify launched its initial self-run, email-based bug bounty program in April 2013 with a security team of one: Andrew Dunbar. This month, Shopify celebrates the three-year anniversary of its HackerOne bug bounty program with a team of more than 50.

“We wanted to take advantage of the visibility and scalability that came from HackerOne,” said Dunbar. “The platform helped improve the quality of submissions. We could launch separate or limited-time programs. We got much more transparency into the report submissions and the process they went through.”

BY THE NUMBERS

Less than two years after launching the program on HackerOne, Shopify had paid over $300,000 to ethical hackers. Now, after three years, Shopify has paid over $850,000 in rewards, resolved 759 vulnerabilities, and thanked over 300 hackers for their contributions.

Program Data

  # of Reports Resolved*:  759
  Company Size:            3,000+
  Hackers Thanked*:        300+
  Customers:               600,000+ merchants in 175 countries
  Total Bounties Paid*:    $850,000+
  Total Platform Sales:    $55 billion

*Program data as of 3/15/18. Total bounties paid includes the Shopify+Scripts program and the h1-415 live-hacking event.

To date, Shopify has an all-time average first-response time of just 3 hours on HackerOne and an average resolution time of 25 days, about 6 days faster than the e-commerce and retail industry average, according to the Hacker-Powered Security Report.

“One of the best ways for us to augment our internal security team is to work with the white-hat community,” said Tobi Lutke, CEO of Shopify. “This was a pain before HackerOne but now is significantly easier.”

PARTNERING WITH HACKERS & GROWING A TEAM

The company was seeking a robust set of eyes, and that's exactly what it got. Shopify has thanked over 300 hackers in the last three years alone for contributing to the security of its commerce platform. Its top 10 hackers hail from Egypt, Canada, Germany, the United States, Greece, India and the United Kingdom:

  1. zombiehelp54
  2. supernatural
  3. brakehane
  4. bored-engineer
  5. hph
  6. suresh1c
  7. nismo
  8. coolboss
  9. mafia
  10. wkcaj

In 2017, Shopify hired one of HackerOne's top 100 hackers, Pete Yaworski, for an in-house role on its security team (a relationship that was established at the h1-415 live-hacking event in San Francisco). He had been working for the Ontario government as a cybersecurity specialist, but Shopify has turned out to be a perfect fit.

“At Shopify, I get to work with incredibly smart people who are driven by a larger cause,” Yaworski said. “There are real-world impacts I see as a direct result of my work, not only for Shopify but for everyone who interacts with our platform.”

WHAT’S NEXT?

The speed and efficiency with which bounty programs find vulnerabilities are why Dunbar has become an outspoken proponent of bug bounties and has been featured in many articles and interviews on the topic. Bounty programs are, according to Dunbar, a great way to get in front of an issue before a vulnerability can be exploited. And security is an issue confronting every company.

“We want to be known for being one of the most responsive companies and also pay top dollars for top findings,” Lutke added. “It should be more fun and more lucrative to make Shopify-related discoveries than (for) other companies.”

To learn more about Shopify’s bug bounty program, read the full case study or visit their program page at https://hackerone.com/shopify.