Shopify Thanks Over 300 Hackers, Pays $850,000+ to Hackers in Three Years
Shopify's commerce platform has awarded hackers more than $850,000 in bounties for helping secure its $55 billion-plus customer transactions and data. As a leading commerce platform, the company helps more than a half-million merchants in 90% of the world’s countries design, set-up, and manage online stores.
“Until you have a robust set of eyes on your stuff, it’s really hard to know what you’re missing,” said Andrew Dunbar, Director of Risk and Compliance at Shopify. “For companies to think their app isn’t going to have an unknown vulnerability, it’s kind of short sighted.”
Shopify launched its initial self-run, email-based bug bounty program in April 2013 with a security team of one: Andrew Dunbar. This month, Shopify celebrates the three year anniversary of its bug bounty program with a team of more than 50.
“We wanted to take advantage of the visibility and scalability that came from HackerOne,” said Dunbar. “The platform helped improve the quality of submissions. We could launch separate or limited-time programs. We got much more transparency into the report submissions and the process they went through.”
BY THE NUMBERS
In less than two years after launching the program on HackerOne, Shopify paid over $300,000 to ethical hackers. Now, after three years, Shopify has paid over $850,000 in rewards, resolved 759 vulnerabilities and has thanked over 300 hackers for their contributions.
To-date Shopify has an all-time average response time of just 3 hours on HackerOne and an average resolution time of 25 days, about 6 days faster than it takes others in the ecommerce and retail industry, according to the Hacker-Powered Security Report.
“One of the best ways for us to augment our internal security team is to work with the white-hat community,” said Tobi Lutke, CEO of Shopify. “This was a pain before HackerOne but now is significantly easier.”
PARTNERING WITH HACKERS & GROWING A TEAM
The company was seeking a robust set of eyes, and that’s exactly what it got. Shopify has thanked over 300 hackers in the last three years alone for contributing to the security of its commerce platform. Its top 10 hackers are hailing from Egypt, Canada, Germany, the United States, Greece, India and the United Kingdom:
Thank you (and so many more) for all that you do! When Dunbar joined Shopify in 2012, he was the sole security employee for the organization. The security team has since grown to over 50, including one of the contributors to Shopify’s hacker-powered security program.
In 2017, Shopify hired one of HackerOne’s top 100 hackers, Pete Yaworski, for an in-house role on their security team (a relationship that was established at the H1-415 live-hacking event in SF). Pete had been working for the Ontario government as a cybersecurity specialist, but Shopify has turned out to be a perfect fit.
“At Shopify, I get to work with incredibly smart people who are driven by a larger cause,” Pete said. “There are real-world impacts I see as a direct result of my work, not only for Shopify but for everyone who interacts with our platform.”
The speed and efficiency that bounty programs have in finding vulnerabilities is why Dunbar has become an outspoken proponent of bug bounty programs and has been featured in many articles and interviews about the topic. Bounty programs are, according to Dunbar, a great way to get in front of an issue before a vulnerability can be exploited. And security is an issue confronting every company.
“We want to be known for being one of the most responsive companies and also pay top dollars for top findings,” Lutke added. “It should be more fun and more lucrative to make Shopify-related discoveries than (for) other companies.”