Retail Fortune 500 company strengthens product and data security
By combining VDP + private bug bounty programs with trusted researchers and automation, the company accelerates remediation and strengthens product and data security at scale.
Trust at scale amid growing attack surfaces
The digital evolution of the company’s products and services introduced new cybersecurity challenges, from expanding attack surfaces to managing increasingly complex data environments.
To scale its efforts, the security team needed a way to bring trusted external researchers into its process, reduce the time to identify and resolve vulnerabilities, and build a scalable culture of security across product teams.
External expertise at scale
Bring trusted researchers into the process to expand coverage across a fast-growing digital footprint.
Faster discovery to fix
Reduce time to identify and remediate vulnerabilities so risks are closed before they’re exploited.
Security culture, everywhere
Embed consistent, scalable security practices across product teams without slowing delivery.
Their program on HackerOne
The company introduced its VDP in 2020 and expanded to a private bug bounty with HackerOne in 2022. Since launch, the VDP has resolved 225 reports, thanked 162 researchers, and added 1,720 assets to scope. Today, both programs operate in tandem to proactively identify and remediate vulnerabilities across their digital ecosystem.
Researchers are empowered to test across the company’s full product portfolio, including mobile apps, web assets, and connected equipment. In return, the team provides clear scopes, prompt feedback, and respectful collaboration.
“Their bug bounty program is world-class,” said Archangel, a top HackerOne researcher. “They value our input and care about security across their entire ecosystem.”
The company also uses HackerOne’s AI security agent, Hai, to streamline communication and speed up decision-making. The team uses it to summarize reports, write more professional messages to researchers, suggest severity levels, and justify bounty amounts based on real context rather than static scores. Hai helps the team respond faster and more confidently in day-to-day workflows.
From insight to outcomes
By integrating insights from HackerOne researchers into its Security by Design program, the company is also upskilling internal teams and shifting security left in the development lifecycle. The security team uses benchmarks to track progress against industry peers, helping identify areas for improvement and reinforcing executive confidence in the program’s impact.
- 2,500+ valid vulnerability submissions
- Grown from fewer than 100 to hundreds of vetted security researchers
- <20-minute response time for phishing detection with AI-powered tools
From strong to stronger: what’s next
The company is continuing to mature its VDP and is exploring the expansion of bounty offerings. The team also remains focused on scaling secure development practices, supporting early-career talent, and leveraging automation and AI to accelerate threat detection and response.