When thinking about bug bounty customers, most people's minds will most likely go to huge tech brands long before they go to their local coffee chain. Customer loyalty is serious business though with Costa Coffee being the latest food and beverage company to ask the hacker community to help secure its loyal customers’ data.
As the coffee chain prepares for global expansion, Costa Coffee joins the likes of Hyatt, Deliveroo, and Zomato in launching its first private bug bounty program. Costa Coffee will shore up its digital defenses using the combined expertise and experience of HackerOne’s hacker community.
We interviewed Matt Adams, Global Security Architect at Costa Coffee, about his approach to hacker-powered security.
What led Costa to decide to start a bug bounty program?
We see bug bounty as a key addition to our existing security testing capabilities, which also includes an established pentesting program. However, the ability to access a wide variety of hackers, each bringing their unique approach and tactics to our program, will enable us to efficiently scale our testing activities. This is critical during our pursuit of an ambitious global growth plan.
The opportunity for continuous testing that a bug bounty program provides also aligns with our increasing adoption of agile development practices and CI/CD pipelines. Our vision for the program is that it will enable our security testing processes to move at the same rapid pace as our development teams. As we grow and scale, we can be confident that the bug bounty program will provide us with real time testing and feedback, allowing us to innovate and push new products both quickly and securely.
How does the bug bounty program fit into Costa’s wider security strategy?
Launching this bug bounty program is part of a multi-year security transformation program that Costa Coffee has initiated in order to increase our organization’s security maturity levels and enable us to respond to the changing threat landscape.
As this is a new initiative for Costa Coffee, it was important for us to engage a trusted provider in order to help to build confidence in the bug bounty concept, and one that we were confident would deliver a successful program. As the leading bug bounty platform, HackerOne was the obvious choice.
What’s in scope for the program?
Our initial scope will include our UK and Polish loyalty platforms, which are accessible via websites and mobile apps. These are customer-facing assets that process personal data relating to our 'Coffee Club' loyalty program. However, our intention is that we will expand the scope of the program over the next 6-12 months to include all of our public-facing assets (i.e. websites and mobile apps) across multiple international markets.
What vulnerabilities is Costa Coffee most interested in receiving?
We are most interested in surfacing those that have the potential to expose our customer's data or tarnish our brand.
For more information about how you can also benefit from a bug bounty program, visit hackerone.com/product/bounty.