Shopify Shares How Hackers Help to Secure $40B+ in Transactions
When Andrew Dunbar started at Shopify in 2012, he was the only security team member.
Now, in his role as Director of Risk & Compliance, he oversees a team of people, all focused on protecting the 500,000+ Shopify merchants who have done over $40B in sales to date.
Dark Reading’s Kelly Sheridan recently sat down with Andrew for a Q&A on e-commerce security and Shopify's bug bounty program hosted on HackerOne.
We’ve pulled some of our favorite quotes that Andrew provided on running a successful bug bounty program.
“Shopify already has a developer community where people can create and test online stores. It [Shopify] expanded this program to add a new type of "white hat" partner, who could create stores with the same infrastructure as merchants. This provided a means for bug hunters to test vulnerabilities without affecting any of Shopify's users.”
“Start with a private program and fewer researchers so you get a sense of the types of reports you'll receive. We ran our program for about a year so we knew which reports were valid. If you go public, be ready to handle a massive surge in reports.”
“Scope is incredibly important. Make sure you know what properties are going to be in scope, and which vulnerabilities you'll accept.”
Read the full article, "Shopify Risk Director Talks Ecommerce, Bug Bounty Program," on DarkReading.com.
Shopify also participated in our h1-415 live-hacking event. Watch Andrew talk to us about their experience at the event, held at our San Francisco headquarters.