Planning a Bug Bounty Program? Follow Shopify's ExampleFour years, $1 million in payouts, and the identification of 950 bugs later, Shopify provides an excellent example for organizations looking to launch their own programs.
In early April, Shopify announced the company had paid out over $1 million in bounty payments since launching its bug bounty program in April 2015. The program has helped protect more than 800,000 businesses by resolving over 950 potential vulnerabilities.
With more than 700 reports awarded, the program has been highly successful. Last year was the company's most impressive year to date, with the total amount paid to hackers increasing to $155,750.
"Bug bounty programs complement Shopify's security strategy and allow us to leverage a community of thousands of researchers to enhance our platform," says Pete Yaworski, application security engineer at Shopify.
Whether you are thinking about running your own program, starting with a private program, or partnering with a platform to launch a public program, here are some lessons from Shopify that could help you in the process of launching your own program.
'Opportunity to Expand'
Though Shopify currently runs a public bounty program, the company ran its own program for about two years before partnering with HackerOne. Yaworski says those two years were extremely informative: Running a private program on its own allowed Shopify to get its feet wet and test things out.
"We found some of the partners who were leveraging our APIs to develop their own apps to extend the platform and recognized the value in having a dedicated channel. After the two-year mark, we had the opportunity to expand, not just with partners and niche hackers, but to expand within the global hacker community," Yaworski says.
But the company also had to overcome some challenges in the process of preparing for, launching, and improving on its bug bounty program; transitioning wasn't without its hiccups. For example, when Shopify took its bug bounty program public, it had a huge influx of reports that the company wasn't exactly prepared for, according to Yaworski. "We knew there would be an influx, but we didn't anticipate the extent, and we only had one person triaging," he says.
In addition, while there was "significant" buy-in at the top level – "including engineering support, which is critical because bounties that come in need to be fixed," Yaworski says – they failed to convey what they were doing to their support teams.
"We had hackers testing support and submitting hacking payloads, but the support team didn’t know what was happening, so that really tied up their bandwidth," he says.
In hindsight, Yaworski says these obstacles could have been prevented if leadership had been better about conveying what they were doing at all levels across the company; now they are doing more security presentations internally in order to level up knowledge. Additionally, he noted, leadership could have done a better job of identifying what they wanted tested and not tested.
In its current program, Shopify clearly delineates what are acceptable and not acceptable submissions. It notes on its online policy page: "Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward. For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated."
Along its learning curve, Shopify discovered that defaulting to disclosure – meaning the contents of resolved reports are publicly disclosed within 30 days – was important to its program. "We ask the community of hackers to disclose. If they agree, it becomes public for everyone to read," Yaworski says.
Value of Relationships
The program has proved to be a complement to Shopify's existing security team, who is focused on compliance auditing and routine pen testing. Even with the best security team, "Bugs are going to slip through the cracks," Yaworski says. "Partnering with hackers around the world ensures round-the-clock testing so that those inadvertent slip-ups are caught."
Perhaps the greatest insight gained from the program is the value of building relationships with a global community of hackers. "We are able to leverage their expertise and go deep. Because we are able to keep people coming back, they can level up in their knowledge and test systems that might not have been apparent when they first came in," Yaworski says.
While a bug bounty program is not a silver bullet, Shopify has evidenced through its program the great value in being proactive and incentivizing hackers to create a library of knowledge from which the greater community can continue to learn.
Kacy Zurkus is a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition's security portfolio. Zurkus is a regular contributor to Security Boulevard and IBM's Security Intelligence. She has also contributed to several publications, ... View Full Bio