As one of the largest commerce platforms in the world, Shopify leads the industry when it comes to trust and security. Their long standing bug bounty program started on HackerOne in 2015 and consistently puts Shopify’s products and platform to the test, keeping their merchant and buyer data safe. The team continues to evolve their collaboration with the hacker community to boost security throughout the software development lifecycle. HackerOne partnered with Shopify for the first live hacking event of 2021, and Shopify’s third live hacking event overall.
When we asked the Shopify team what suggestions they would give to other customers looking to host a virtual live hacking event, the core suggestion would be to be prepared for a flurry of activity. Events, both virtual and in-person, truly take a village to make successful. Shopify application security engineers and product engineers were actively engaging throughout the full 10 days, along with a full HackerOne triage team. The direct communication with hackers allows for teams to establish connections and help the researchers learn and find more. Researchers are able to get deeper, faster.
“Live hacking events help us to build personal, collaborative relationships with amazing hackers." said Jenn Newton, Application Security Team Lead, Bug Bounty Program. “Through building that context on our program, hackers are able to dig deep and find truly impactful bugs. Additionally, for this event, we were able to give hackers access to closed systems which are difficult for us to test in the public program. Events provide an opportunity for creative hacking on high impact targets, in a more controlled environment. This means we can get really interesting targets in scope, that may not be feasible otherwise."
The event started on January 21, 2021 with a kickoff call to outline the event rules, program specifics, and give hackers the opportunity to ask questions before diving into a 10-day hacking period. Submissions closed on February 1, 2021 with over 30 hackers, representing seven countries, patiently waiting to watch the leaderboard payouts jump and see which hacker would climb to the top. The Shopify team was busy validating vulnerability reports and finalizing bounty payments. By Friday, February 5th, they were ready to pull back the curtain during a live stream interview hosted by @NahamSec and announce the event winners.
On that note, a huge congratulations to the h1-2102 event winners:
• 1st Place: @ngalog
• 2nd Place: @rhynorater
• Best Team Collaboration: @c0rv4x, @ramsexy, @the_arch_angel, @smsecurity
• Exterminator for the Best Bug of the Event: @ngalog
• Most Valuable Hacker: @ngalog
In addition to the HackerOne awards, Shopify had some awesome bonuses allowing hackers for even more financial opportunities. Check out these additional bonuses Shopify offered:
• Any bug with CVSS 7.0 or greater in a Treasure Map target for $2,500: @H13-, @luc1f3rhk1, @mayonaise
• Most Valid Reports in the Treasure Map for $5,000: @rhynorater
• Highest Signal for $5,000: @corb3nik
• Most Creative GraphQL Report for $2,500: Yaworski’s Broskis
• Best Show & Tell for $1,000: @intidc
• Countdown Bonus for $19,476.46: @ngalog
• Most Valid Reports in First 24hrs $5,000: @ngalog
• Shopify Sportsmanship Award for $5,000: @francisbeaudoin
• Hack for Good Bonus for $1,000: @0xacb & @fisher
With Shopify’s deep-rooted commitment to collaboration and transparency within the community, hackers were quick to form teams, including a crowd favorite named after Shopify Senior Application Security Engineer and fellow bug bounty hacker, Pete Yaworski, which included @c0rv4x, @ramsexy, @the_arch_angel, and @smsecurity. Outside of hacking, hackers @intidc and @fisher assembled a virtual hacker happy hour to take a break from hacking and have an opportunity to meet the Shopify team and fellow hackers.
“Collaboration with hackers and within the hacker community ultimately makes the internet a safer place for all,” Jenn notes. “By sharing learnings, resolved vulnerabilities, and techniques, we can all learn from each other, as hackers and security professionals. We’ve received vulnerability reports that would not have been found had we not disclosed a previous bug on HackerOne's Hacktivity.”
Another event staple is the infamous Show & Tell session. Nine hackers were invited to participate in a Show & Tell session, a closed production where hackers are given the opportunity to present their findings to the invited participants, Shopify and HackerOne. As a new feature for live events, Shopify and HackerOne issued a new “sportsmanship” bonus that highlights the hacker who consistently embodied the community spirit, routinely helped fellow hackers and participated with a high standard of professionalism. Huge kudos to @francisbeaudoin, a Shopify veteran hacker, for embodying what we admire most in our community.
“Don’t underestimate the creativity of hackers,” notes Jenn. “Everyone comes at it with a different lens, different expertise, and different experience. We don’t want to leverage the community to approach a problem in the same way we would approach a problem. Our software becomes more secure when we open it up to diverse mindsets.”
With over 80 unique valid submissions, about half of which being medium or high severity, Shopify was able to remediate risk before products were widely available. This event along with their ongoing bug bounty program continues to keep their merchant and buyer data safe. Thank you to the Shopify team for their hard work on this event and to all the amazing hackers who participated and submitted great reports.