Customer Story

How pixiv built continuous global-scale security to protect creativity

Industry
Media & Entertainment
Use Cases
Exposure Management, Crowdsourced Security, Defense in Depth
Solutions
Bug Bounty, Hai
Regions
Asia Pacific

For Naoki Goto, security at pixiv is about protecting a community, not just maintaining infrastructure. As a technical lead in pixiv’s Infrastructure Unit, Naoki oversees the bug bounty program and works hands-on to ensure vulnerabilities are found and fixed before they can put creators—or the platform itself—at risk. He’s seen firsthand how undiscovered flaws can threaten pixiv’s ability to operate as a community service, and how uncovering real, high-impact vulnerabilities changed internal awareness at every level. 

For pixiv, continuous security isn’t optional; it’s what allows pixiv to keep supporting creators and sustaining the trust the community depends on.

Challenge

The Exposure Gap That Went Unnoticed

Before HackerOne entered the picture, pixiv had been investing in layered security. The team relied on internal code reviews, shared vulnerability knowledge among engineers, external vendor assessments, automated tools like SAST and dependency scanning, and a Japanese language program that launched in 2016.

Over time, however, the constraints of the regional program became clear:

  • Limited reach: The program was largely Japan-focused, missing global perspectives.
  • Difficulty attracting advanced researchers: Lower bounty ceilings made it harder to attract experienced researchers and, in turn, to surface complex vulnerabilities.
  • Triage friction: Duplicate and low-quality reports consumed valuable time.
  • Coverage gaps: Business logic flaws and configuration issues often escaped automated testing.

As pixiv’s global footprint grew, the team needed a way to continuously uncover real-world vulnerabilities, without overwhelming internal teams or slowing innovation.

Why HackerOne

Global Expertise

pixiv partnered with HackerOne in 2018 to extend its security program beyond local and point-in-time testing. The program addressed three outcomes pixiv was looking for:

  • Surface high- and critical-impact vulnerabilities: Expand testing beyond a regional pool with global, experienced researchers who uncover complex issues across web, mobile, API, and infrastructure.
  • Keep the queue focused on what matters: Reduce invalid reports so the team can move faster on high-impact findings, with fewer follow-ups.
  • Scale continuous testing without slowing delivery: Streamline triage, researcher communication, remediation tracking, and reporting so fixes stay moving and progress stays visible.

The real change came when pixiv started seeing what had been invisible.

Before HackerOne

  • Regional coverage
  • Point-in-time testing
  • Limited critical findings

After HackerOne

  • Global, always-on researcher scrutiny
  • Continuous testing
  • Business-impact vulnerabilities surfaced and fixed faster

Solution

Continuous testing that stays on for every release

As the service grew globally, pixiv launched its public HackerOne bug bounty program in September 2019, positioning it as a key element of a defense-in-depth security strategy.

Recently, Naoki’s Infrastructure Unit took ownership of operating the program, integrating it with:

  • Internal development and remediation workflows
  • Existing automated tools, including SAST and dependency scanning
  • Ongoing platform and feature releases

HackerOne became the continuous testing layer, providing immediate scrutiny when new features shipped and ongoing validation across live systems. Naoki emphasizes the value of the researcher community and platform support:

  • Direct communication with researchers to clarify reproduction steps and accelerate fixes.
  • Reporting and analytics to track severity trends and resolution timelines.
  • Hai to translate, summarize, and standardize findings so the team can move from reading to fixing.

More Time Fixing.

For Naoki, this meant less time deciphering reports and more time coordinating fixes with engineering teams.

Impact

Discovery as a Win

Discovery itself was a win for pixiv. Through HackerOne, pixiv found real vulnerabilities that its earlier program and tools had struggled to detect, including:

  • Infrastructure misconfigurations that exposed internal server data
  • Business logic flaws, such as IDOR issues tied to application-specific behavior
  • UI-level attack scenarios, including clickjacking with real account-level impact

These findings required contextual understanding of pixiv’s systems, user flows, and permission models—areas where automation alone falls short.

More critically, HackerOne surfaced vulnerabilities with direct business impact. Naoki noted that some of these issues had existed unnoticed for years, highlighting the unique value of continuous scrutiny from the HackerOne researcher community:

  • A payment bypass vulnerability that could have caused financial loss
  • Credential leaks and configuration issues in improperly managed code paths
  • Remote code execution in non-sandboxed environments, and privilege violations equivalent to infrastructure administrative access

Cost-Effective Risk Mitigation

Because costs were incurred only when valid vulnerabilities were found, Naoki views the program as highly cost-effective compared to traditional, periodic penetration testing. From July 2018 to today, pixiv’s program stats include:

  • 162 validated vulnerabilities resolved to date
  • $137,811 in total bounties paid to date
  • $850 average bounty cost per vulnerability

A Cultural Change

Throughout his tenure, Naoki observed an interesting transformation in pixiv’s security culture. Vulnerabilities weren’t just fixed; they became learning material, shared internally to strengthen future development. In turn, Naoki says HackerOne’s impact goes beyond performance metrics: it ignited a cultural shift where security was taken seriously because risk was proven, not merely hypothetical.

“Our internal awareness of vulnerabilities changed from ‘surely there are none’ to ‘they are right in front of us, so we must address them.’”

Instead of thinking ‘maybe there are no vulnerabilities,’ leadership now understands that they exist and must be addressed.

For pixiv, security is foundational to creativity itself. With HackerOne Bug Bounty, triage services, and Hai, pixiv combined global expertise with operational efficiency. Protecting over 115 million users and 150 million works from abuse and financial harm means continuously validating that trust at global scale.

As pixiv expands globally, continuous risk reduction remains mission-critical to ensuring creators and fans can focus on what matters most: creating, sharing, and connecting.