Program Data
- # of Reports Resolved*
- 600,000+ merchants in 175 countries
- Total Bounties Paid*
- Total Platform Sales

*Program data as of 3/15/18. Total bounties paid includes the Shopify+Scripts program and the h1-415 live-hacking event.
To date, Shopify has an all-time average response time of just 3 hours on HackerOne and an average resolution time of 25 days, about 6 days faster than others in the e-commerce and retail industry, according to the Hacker-Powered Security Report.
“One of the best ways for us to augment our internal security team is to work with the white-hat community,” said Tobi Lutke, CEO of Shopify. “This was a pain before HackerOne but now is significantly easier.”
PARTNERING WITH HACKERS & GROWING A TEAM
The company was seeking a robust set of eyes, and that is exactly what it got. Shopify has thanked over 300 hackers in the last three years alone for contributing to the security of its commerce platform. Its top 10 hackers hail from Egypt, Canada, Germany, the United States, Greece, India and the United Kingdom.
In 2017, Shopify hired one of HackerOne's top 100 hackers, Pete Yaworski, for an in-house role on its security team (a relationship that was established at the H1-415 live-hacking event in SF). He had been working for the Ontario government as a cybersecurity specialist, but Shopify has turned out to be a perfect fit.
“At Shopify, I get to work with incredibly smart people who are driven by a larger cause,” Yaworski said. “There are real-world impacts I see as a direct result of my work, not only for Shopify but for everyone who interacts with our platform.”
The speed and efficiency with which bounty programs find vulnerabilities is why Dunbar has become an outspoken proponent of bug bounty programs and has been featured in many articles and interviews on the topic. Bounty programs are, according to Dunbar, a great way to get in front of an issue before a vulnerability can be exploited. And security is an issue confronting every company.
“We want to be known for being one of the most responsive companies and also pay top dollars for top findings,” Lutke added. “It should be more fun and more lucrative to make Shopify-related discoveries than (for) other companies.”
To learn more about Shopify’s bug bounty program, read the full case study or visit their program page at https://hackerone.com/shopify.