One e-commerce platform’s private bug bounty program started in Jan 2020 goes public to ethical hackers worldwide.

With increasing attention from cyberattackers and amid strict data protection rules across countries in the region, how does a popular e-commerce keep up its guard?

Since January last year, one such platform had tried out a private bug bounty program with ethical hackers to identify vulnerabilities. Now, 18 months later, that experiment has come full circle.

Regional e-commerce player Lazada has publicly announced their bug bounty partnership with YesWeHack, and the program will be made available to the entire cybersecurity community.

The firm asserts that it places a priority on security and transparency for its customers and partners, and it is walking the talk by offering security researchers up to US$10,000 per bounty.

Enhancing software development security

Since the launch of its private bug bounty program, Lazada had worked with over one hundred ethical hackers to surface vulnerabilities, with over US$150,000 awarded in bounties. This project included a pre-launch event for the public program conducted that saw hackers from the YesWeHack community identify vulnerabilities within 48 hours.

Said Alan Chan, Chief Risk Officer, Lazada Group: “Given the importance of data and personal information, (we) take great care in protecting our customers and we have worked to patch these vulnerabilities, to ensure a safe shopping platform. With the evolving nature of data security, as well as the aggressive nature of hackers who exploit technology to steal data, we believe in working with the larger cybersecurity community to strengthen our IT ecosystems.”

Chan said the program has improved the firm’s security by enhancing their Secure Software Development Process, to avoid recurrence of the same types of vulnerability. “It has been very useful to verify with the wider researchers that our security monitoring can catch exploitation of vulnerabilities,” Chan said.

Taking the program public

The firm hopes that by transferring the areas previously tested in the private program to a public program, it will be encouraging cybersecurity researchers from all over the world to add to the diversity of intellectual contributions.

Furthermore, special attention will be paid to vulnerabilities that affect personal data and are “high” or “critical” in severity. More information of the public bounty program can be found here.

“By launching this latest public bug bounty program, we are sending a clear message to everyone, that we value the importance of data in our possession. We believe in the expertise of the YesWeHack community and are excited to continue to work with ethical hackers in identifying new attack methods and countering them. This is about protecting our data, protecting our employees and protecting our customers against vulnerabilities,” says Franck Vervial, Head of Cyberdefence at Lazada.

According to Kevin Gallerin, Managing Director (APAC), YesWeHack: “The switch to a public program follows over 18 months of collaboration, during which our global community of researchers has demonstrated its effectiveness and broad spectrum of skills. By reaching out to a broader community, Lazada strengthens its security and champions transparency and data privacy and protection, to build and maintain the trust and experience of the several million users across (the region).”