Customer Story

How Deriv Cut Bug Bounty Response Time from Hours to Minutes

Deriv is a global online trading platform operating 24/7 in a highly regulated financial environment where security shapes customer trust. Since launching its HackerOne bug bounty program in 2015, Deriv has treated every vulnerability report as a potential zero-day. Speed, context, and researcher engagement matter at every stage.

When Dave Usher joined as VP of Security Engineering, the bug bounty program had already reached a high level of maturity. He saw an opportunity to extend its impact by improving how the team consumed, assessed, and acted on reports without changing the core model that made the program successful. The goal was simple: Respond faster, reduce friction, and scale operations without compromising the program’s core strengths.

Challenge

Deriv receives high-quality vulnerability reports that include detailed write-ups, attachments, metadata, and researcher communication through HackerOne. Hai, HackerOne’s AI system, adds structured insights to each report. Internally, however, Deriv uses Slack to support real-time collaboration and communication across teams.

During high-volume periods, such as a bounty campaign, several challenges surfaced:

Increased volume slowed initial assessment and prioritization

The 24/7 nature of the platform introduced off-hours challenges

Delayed feedback risked researcher engagement and program reputation

Analysts spent time parsing low-signal reports instead of focusing on impact

Deriv needed a faster way to act on HackerOne reports without adding friction or new tools.

“Without a more scalable workflow, backlog and response delays were real risks. Security never sleeps, yet our processes weren’t built for the always‑on nature of Deriv’s business. It just wasn’t enough - I wanted to bring our mean time to respond down and make it unambiguous when something demanded immediate action.” - Dave Usher, VP of Security Engineering