Shopify Celebrates 5 Years on HackerOne
Five years ago, Shopify’s small but mighty security team began their hacker-powered security journey with HackerOne. Since then, they have paid out over $1,000,000 in bounties and resolved more than 1,150 vulnerabilities thanks to hackers.
Early on, the Shopify security team realized the significant impact white hat hackers could have in strengthening security. What started in 2013 as a self-run, email-based bug bounty program with a security team of one, has now become a fully-fledged public program with a Trust and Security team of more than 100.
To celebrate this milestone, we sat down with Pete Yaworski, Senior Application Security Engineer at Shopify to learn about their program’s top hackers, biggest lessons learned, and what’s ahead.
“Security is not a one-time thing, but a continuous cycle. We know that there are always going to be bugs in software development,” said Pete Yaworski, Senior Application Security Engineer at Shopify. “As we develop, and as we iterate, we want to make sure security is an active part of that process, and never a roadblock to innovation. The HackerOne bug bounty program allows us to put another cog in the wheel of security.”
BY THE NUMBERS
Last year, Shopify became the 5th public bug bounty program on the HackerOne platform to reach the $1,000,000 paid in bounties milestone. Along the way, they had help from 400+ unique hackers across 60+ countries. To date, they have resolved over 1,150 vulnerabilities, with the highest bounty being $25,000.
Shopify continues to attract new hackers to their program with their comprehensive scope and commitment to transparency. Shopify has been a big proponent of disclosing resolved vulnerabilities on Hacktivity. In the past 5 years, they have publicly disclosed over 450 reports for other security teams and hackers to learn from.
“Transparency is an overall net win for the broader community, and we would love to see disclosures standardized within the security community,” said Pete. “Not only are they helpful for other programs and hackers to learn from, but they act as a flag for hackers to follow up on, to test your fixes for bypasses. We’ve received vulnerability reports that would not have been found had we not disclosed a previous bug.”
In addition to their dedication to transparency, they have also achieved record-breaking response times. They aim to pay out eligible bounties within seven days of triage, and have an average first response time of ten hours!
TAPPING INTO THE HACKER MINDSET
The hacker community is always at the forefront of the Shopify program and they’ve built relationships through live hacking events and engagements through reports. In fact, in 2017, Shopify hired Pete Yaworski, also known as @yaworsk and one of the top hackers on HackerOne, for an in-house role on their security team, after establishing a relationship at the 2017 h1-415 live hacking event. Keeping with the company culture, the program is truly designed by hackers for hackers.
“Don’t underestimate the creativity of hackers. Everyone comes at it with a different lens, different expertise, and different experience,” shares Pete. “We don’t want to leverage the community to approach a problem in the same way we would approach a problem. Our software becomes more secure when we open it up to diverse mindsets.”
Pete and the Shopify team have noticed a few standout contributors to the program over the last 5 years, who all bring diverse skill sets to the table:
“We don’t see reports as a one-time interaction, but as a single step in a long term relationship with our hackers,” said Pete. “We respect their time and are proactively working to ensure we create a positive experience for them. It’s a big win when they take the time to poke at our systems.”
LEARNINGS AND LOOKING TO THE NEXT 5 YEARS
Of course, running a bug bounty program for half a decade brings much experience and learnings to share.
First, Shopify tends to view hackers as a resource to cherish, one that provides much more value than just reporting bugs. It’s the hacker mindset, specifically their tactics and methods, that can’t be easily replicated, no matter how robust an internal security effort might be.
Second, Shopify sees hacker-powered security as a means of broad and non-stop testing far beyond what any internal security team alone could accomplish. That blanket of coverage extends downstream into engineering and development, which adds another “guardrail” on the software development lifecycle.
Finally, Shopify points to transparency as beneficial to everyone, from their internal teams, to other hackers, to other bug bounty programs, and even to the technology industry in general. Specifically with disclosures, their belief is that the more everyone shares, the safer everyone will be.
As Shopify’s public bug bounty program moves into its next year, the team continues its goal to improve response times, strengthen its partnership with the hacker community and continue as a top program on HackerOne. This includes finding new ways to attract hackers to the program through competitive bounties, impactful scopes and innovative means of communication.