Five years ago, Shopify’s small but mighty security team began their hacker-powered security journey with HackerOne. Since then, they have paid out over $1,000,000 in bounties and resolved more than 1,150 vulnerabilities thanks to hackers.
Early on, the Shopify security team realized the significant impact white hat hackers could have in strengthening security. What started in 2013 as a self-run, email-based bug bounty program with a security team of one, has now become a fully-fledged public program with a Trust and Security team of more than 100.
To celebrate this milestone, we sat down with Pete Yaworski, Senior Application Security Engineer at Shopify to learn about their program’s top hackers, biggest lessons learned, and what’s ahead.
“Security is not a one-time thing, but a continuous cycle. We know that there are always going to be bugs in software development,” said Pete Yaworski, Senior Application Security Engineer at Shopify. “As we develop, and as we iterate, we want to make sure security is an active part of that process, and never a roadblock to innovation. The HackerOne bug bounty program allows us to put another cog in the wheel of security.”
BY THE NUMBERS
Last year, Shopify became the 5th public bug bounty program on the HackerOne platform to reach the $1,000,000 paid in bounties milestone. Along the way, they had help from 400+ unique hackers across 60+ countries. To date, they have resolved over 1,150 vulnerabilities, with the highest bounty being $25,000.
Shopify continues to attract new hackers to their program with their comprehensive scope and commitment to transparency. Shopify has been a big proponent of disclosing resolved vulnerabilities on Hacktivity. In the past 5 years, they have publicly disclosed over 450 reports for other security teams and hackers to learn from.
“Transparency is an overall net win for the broader community, and we would love to see disclosures standardized within the security community,” said Pete. “Not only are they helpful for other programs and hackers to learn from, but they act as a flag for hackers to follow up on, to test our fixes for bypasses. We’ve received vulnerability reports that would not have been found had we not disclosed a previous bug.”
In addition to their dedication to transparency, they have also achieved record-breaking response times. They aim to pay out eligible bounties within seven days of triage, and have an average first response time of ten hours!
TAPPING INTO THE HACKER MINDSET
The hacker community is always at the forefront of the Shopify program and they’ve built relationships through live hacking events and engagements through reports. In fact, in 2017, Shopify hired Pete Yaworski, also known as @yaworsk and one of the top hackers on HackerOne, for an in-house role on their security team, after establishing a relationship at the 2017 h1-415 live hacking event. Keeping with the company culture, the program is truly designed by hackers for hackers.
“Don’t underestimate the creativity of hackers. Everyone comes at it with a different lens, different expertise, and different experience,” shares Pete. “We don’t want to leverage the community to approach a problem in the same way we would approach a problem. Our software becomes more secure when we open it up to diverse mindsets.”
Pete and the Shopify team have noticed a few standout contributors to the program over the last 5 years, who all bring diverse skill sets to the table:
- @h13- has become the number one hacker on Shopify’s program and the team has enjoyed watching his skills evolve, and his attention to detail grow. His ability to dive into new functionality as it's been released has been impressive and unmatched.
- @zombiehelp54 has been hacking on Shopify for a long time and is one of a few hackers to have been awarded swag for his critical reports. His persistence poking at a problem until confirming a vulnerability is enviable.
- @cache-money’s ability to think creatively has impressed the team. You can tell he has a software development background with the way he approaches hacking.
- @0xacb has taken the largest bounty we’ve ever awarded. He invests his time when approaching a program and digs deep when he smells a vulnerability, which results in very impactful bugs.
- @ngalog is newer on the program but has shown great potential and a willingness to help teach others. We hope he sticks with us and continues his commitment to disclosing bugs for others to learn from.
“We don't see reports as a one-time interaction, but as a single step in a long term relationship with our hackers,” said Pete. “We respect their time and are proactively working to ensure we create a positive experience for them. It’s a big win when they take the time to poke at our systems.”
LEARNINGS AND LOOKING TO THE NEXT 5 YEARS
Of course, running a bug bounty program for half a decade brings plenty of experience and lessons to share.
First, Shopify tends to view hackers as a resource to cherish, one that provides much more value than just reporting bugs. It’s the hacker mindset, specifically their tactics and methods, that can’t be easily replicated, no matter how robust an internal security effort might be.
Second, Shopify sees hacker-powered security as a means of broad and non-stop testing far beyond what any internal security team alone could accomplish. That blanket of coverage extends downstream into engineering and development, which adds another “guardrail” on the software development lifecycle.
Finally, Shopify points to transparency as beneficial to everyone, from their internal teams, to other hackers, to other bug bounty programs, and even to the technology industry in general. Specifically with disclosures, their belief is that the more everyone shares, the safer everyone will be.
As Shopify's public bug bounty program moves into its next year, the team continues its goal to improve response times, strengthen its partnership with the hacker community and continue as a top program on HackerOne. This includes finding new ways to attract hackers to the program through competitive bounties, impactful scopes and innovative means of communication.
To learn more about Shopify’s bug bounty program, visit their program page at https://hackerone.com/shopify