Continuous Security Validation

How Snap, Shopify, and Helvetia Achieved Continuous Security Validation

Three organizations. Three different challenges. One consistent outcome: real risk validated before it becomes a problem.

Periodic penetration tests and annual audits were built for a different era. Today, AI expands attack surfaces in real time, and attackers move faster than occasional testing can keep up with.


Instead of adding more testing, these organizations changed the model. By committing to continuous security validation, they gained the confidence that the risks they care about are actually being found and fixed.

Snap Inc.

How Snap Stress-Tested Generative AI Before Attackers Could

The Challenge:

As Snap built and deployed generative AI features, including Lens and MyAI Text2Image, the company needed to know what could go wrong before users and bad actors found out. Traditional security testing had no playbook for this. Automated scanners couldn't think like adversaries. Internal teams couldn't simulate the creative range of real-world attack attempts.

Snap needed a way to probe AI systems for both safety failures (generating harmful content) and security failures (compromising confidentiality, integrity, or availability), at a scale and diversity that internal resources alone couldn't provide.

The Solution:

  • Snap partnered with HackerOne to build one of the first enterprise AI red teaming programs of its kind. Using CTF-style exercises, Snap engaged 21 researchers from around the world, selected specifically for the diversity of perspective they'd bring to identifying harmful content and novel exploits.

  • Hai, HackerOne’s coordinated system of AI agents, translated researcher submissions across seven European languages in real time, enabling global collaboration without communication friction. Bounties were dynamically adjusted across more than 100 flags to optimize researcher engagement and push beyond expected findings.

The Outcome:

Snap surfaced previously unknown vulnerabilities in its generative AI systems that adversarial datasets and automated tools had missed. The safety benchmarks developed through this process have since become a reference point for harmful content testing across the tech industry. After a decade of partnership and $1M in bounties paid, Snap continues to push the program into new territory, including hardware products and LLM agent simulations.

"AI red teaming allows us to explore the possibilities of what attackers might achieve, not just what's likely. Working with HackerOne has shown us that human ingenuity often outperforms adversarial datasets or AI-generated attacks."

—Ilana Arbisser, Technical Lead, AI Safety at Snap Inc.


Shopify

How Shopify Kept Pace with an AI-Expanded Attack Surface

The Challenge:

Shopify's bug bounty program was producing results, but the program was being stretched thin. Fewer than ten analysts were responsible for reviewing hundreds of vulnerability reports every week.

As Shopify's engineering teams integrated AI deeper into development, reports became longer, more technical, and harder to triage consistently. Analysts spent hours rereading verbose submissions, manually checking years of historical precedent to ensure consistent scoring, and chasing unclear reproduction steps. Onboarding a new analyst took close to eight months. Inbox zero was a distant goal.

The problem wasn't a lack of commitment. It was a human scalability problem that no additional headcount alone could solve.

The Solution:

Rather than replacing analysts, Shopify introduced agentic AI to handle the most repetitive and cognitively draining parts of the triage workflow.

  • Powered by Hai, HackerOne’s coordinated system of AI agents, the system performed first-pass analysis on every inbound report: distilling longer submissions to their essential finding, flagging similar historical reports, surfacing inconsistencies in scoring, and identifying where additional clarification was needed. Analysts could then focus their judgment on the technical questions that actually required it.

  • AI also doubled as an onboarding tool, giving new team members instant access to institutional knowledge that previously took months to accumulate. The result was continuous security validation at a volume and pace the team couldn't have sustained manually.

The Outcome:

The program reached inbox zero for the first time in months. Validation, reproduction, and researcher communication improved by 62%. Analyst onboarding time dropped from roughly eight months to four. And as report volume continued to climb, response efficiency held steady rather than degrading. For the team, the deeper benefit was less tangible but just as real: the work became sustainable.

"The tool can tell us, 'Here's the one line we should tease out,' instead of us spending hours stuck in the pile of reports."

—Jill Moné-Corallo, Bug Bounty Program Lead at Shopify


Helvetia

How Helvetia Replaced Fixed-Interval Testing with Continuous Security Validation

The Challenge:

Helvetia Group, one of Switzerland's largest insurance companies, had a solid internal security posture. But as the company's digital footprint grew across Germany, Austria, Spain, Italy, and France, the limitations of traditional penetration testing became harder to ignore.

Testing happened at fixed intervals, leaving long windows where newly introduced risk went undetected. Scope was restricted, meaning whole categories of assets sat outside regular review. Manual triage workflows slowed the team's ability to act on what they did find. And scaling internal security efforts to match a growing ecosystem wasn't sustainable.

The gap wasn't visible in audit reports, but it showed up in what wasn't being found.

The Solution:

Helvetia chose HackerOne for its global researcher community, proven enterprise track record, and platform capabilities built around continuous discovery.

  • A private bug bounty program with H1 Bounty brought ongoing researcher-led testing across a scope that internal teams couldn't cover alone.

  • Time-bound H1 Bounty Challenges gave Helvetia a way to surge testing around high-impact product launches.

  • Hai streamlined triage by assigning credibility scores to incoming reports, comparing them against historical submissions, and surfacing severity and bounty recommendations, freeing the security team to focus on the decisions that required human judgment.

  • H1 Analytics & Intelligence dashboards gave leadership the visibility they needed to allocate resources and report progress across jurisdictions.

The Outcome:

Researchers surfaced logic flaws and complex chained vulnerabilities that automated tools had missed, shifting Helvetia from fixed-cycle testing to continuous security validation across their systems. Hai cut manual triage workload, accelerated response times, and freed the team to focus on strategic priorities. The ROI goes beyond breach prevention to stronger security culture and a program that scales with the business.

"Continuous testing by a global community gave us insights that traditional methods simply couldn't. It's like having a 24/7 security lens on our systems."

—Ulrich Winterer, Information Security Officer at Helvetia


H1 Platform

See What Continuous Security Validation Looks Like for Your Organization

These three programs run differently. The industries, the team sizes, and the attack surfaces are all distinct, but what they share is a decision to stop relying on periodic testing and build validation into how security works every day.

The H1 Platform connects AI-powered triage, a global researcher community, and structured testing programs so your team can continuously surface and fix real risk without adding unsustainable workload.

Hai powers every stage

Hai orchestrates the full platform, continuously scoring findings, routing confirmed exposures to the right owner, and getting more accurate over time.

Elite community

Elite researchers surface what automation misses: business logic flaws, novel attack chains, and techniques no training set contains.

Continuous validation

Hai eliminates noise and confirms what's actually exploitable in your environment, processing thousands of reports per week at 95% accuracy with 40% better signal.