Zomato’s First Anniversary with Bug Bounties: Q&A with Security Lead, Prateek Tiwari

Headquartered in India - restaurant discovery, online ordering and table reservations platform Zomato currently operates in 24 countries; including the United States, Australia, United Kingdom, Canada, India, Turkey, UAE, Qatar, Portugal, South Africa, New Zealand, and more. It’s security team, lead by Prateek Tiwari, is tasked with protecting sensitive information for over 55 million unique monthly visitors. This month, Zomato is celebrating the first anniversary of its bug bounty program. Since launching in July 2017, the company has paid out over $100,000 to over 350 hackers for their efforts, all while maintaining an average response time of 4 hours — now that’s fast! To mark the moment, Zomato’s security team also awarded its top hacker, @Gerben_Javado, a $1,500 bonus for his contributions over the past year.

We recently caught up with Prateek to celebrate the milestone and give you a chance to learn more about Zomato’s approach to bug bounties and security. Check out the full Q&A below: 

One year of hacker-powered security! What have the results been to date? Any notable milestones?
Thanks to HackerOne and the committed community, the results have been outstanding and have far exceeded our expectations. Since launching the program, we have received over 350 valid vulnerability reports, and 120 hackers have earned a cumulative $102,150 for the medium to high risk vulnerabilities they reported.

Our security and engineering teams have grown and matured so much as well over the last year. With help from the hacker community through the bug bounty program, we have also improved a lot of processes and standards, empowering us to improve our performance and consistency at scale. We had one goal at the beginning of the program - make Zomato more secure. Thanks to the community, with every single report resolved, we're getting closer to this goal.

Looking back, what factors contributed most to the success of the program?
It’s crucial to maintain a great relationship with the hacker community. Our team prioritized response time for that reason. Specifically, Shrey and Vinoth from our team did a great work in validating the submissions and bringing them to our engineering team to address them quickly. Bounties are important, but timely responses to hackers and keeping them informed at every step is critical to keep hackers engaged and loyal to the program. HackerOne also played a crucial role in cutting down the noise so we could focus only on the valid issues.

Do you have a favorite hacker story or report that stands out since starting the program?
@Gerben_Javado stands out for his impressive vulnerability reports. One of his most interesting reports was one where he escalated a very important vulnerability in our Android app  - it wasn’t easy to find. His work truly demonstrates creative thinking and persistence, and we are blessed to have such brilliant ethical hackers on the HackerOne platform.
 
We have also recently received few quality submissions from @bagipro for vulnerabilities on our apps.

What advice would you give others starting their programs now?
Be prepared. At the launch of the program, there will be a swarm of reports. Consider an internal audit first to clear up as much low hanging fruit as possible. You'll have to deal with a bit of noise, but good reports will compensate for the bad ones. Defining the scope of the program pre-launch is also critical. It gives a clear picture to hackers of what vulnerability reports are accepted versus what aren't.

Creating a good relationship and clear process with the engineering team is also important for resolving reports in timely manner. Finally, keep your response times consistently low. As a program owner, you must ensure that hackers are appreciated for their work. Shorter the response times = Motivated Hackers + Great Reports.

India commands a large percentage of the hacker community. Yet, there are few companies in India that have adopted bug bounty programs. Why do you think that is?
I think that's changing rapidly. Indian companies have matured from a security perspective in recent years — most of them have started Vulnerability Disclosure Programs (VDPs). Times are changing, and we will soon see a lot of companies getting more proactive towards cybersecurity. As a result, I think there will be more bug bounty programs in India in the years to come.

What’s next for Zomato’s bug bounty program?
There are loads of things in the pipeline, keep an eye on our Policy changes. Our Apps were also recently added to Google Play Security Reward Program, so hackers can earn additional bounties if they find vulnerabilities in our apps. Other updates in the pipeline include: payments on triage, reward increases, and swag (who doesn't loves Swag?).

Thanks to all the hackers that have participated in the program to-date. Our bug bounty program with HackerOne will continue to evolve as we strive to strengthen our relationship with the hacker community with every report.

Check out their program and get hacking here: https://hackerone.com/zomato/.

HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.