HackerOne

3 Bug Bounty Lessons From Retail & eCommerce Customers

retail and ecommerce cybersecurity

Security vulnerabilities do not discriminate by industry, but every industry is affected differently by the bad actors and vulnerability types they attract. In retail and eCommerce, for example, reflected cross-site scripting makes up 13% of all vulnerabilities found on the HackerOne platform, compared to only 10% across all industries. 

How do security vulnerabilities uniquely impact the retail and eCommerce space, and how can retail and eCommerce organizations use ethical hackers to mitigate risk? We spoke with several HackerOne customers in retail and eCommerce to provide insights unique to their industry.

1. Diverse Skillsets and Creativity

Security professionals in retail and eCommerce leverage the diverse skillsets and creativity of ethical hackers to identify and remediate the wide range of attacks the industry faces.

“The creativity of hackers is key to hardening our attack surface. When we receive a creative proof of concept (POC) from a hacker, we can use that process to review and verify that the specific vulnerability (or a similar one) is not reproducible on new assets. This approach gives us insights into where potential vulnerabilities might be and led us to introduce new cross-checking activities as part of the investigation and remediation process to verify a single risk on multiple components, such as inherited code into new assets.”
— Feliks Voskoboynik, CISO, AS Watson

“Bug bounty programs provide companies a way to connect with a global talent pool of security researchers who serve as an extension of the company’s security team and can be available at all times to find and report vulnerabilities in exchange for bounty payments and reputation. This constructive collaboration allows companies to tap into subject matter experts at any given time, with the end goal of making the internet safer for all of us.”
— Alejandro Federico Iacobelli, Application Security Director, Mercado Libre

“The speed at which new vulnerabilities can arise is challenging for any company to keep up with. The researchers we have worked with are subject matter experts on these vulnerabilities and have found ways to quickly test and report them. Their skill and talent help us reduce risk because speed matters. We want vulnerabilities to be found and fixed before they can be exploited, and we’ve been able to accomplish this with help from researchers.”
— James Johnson, CISO, John Deere

2. Actionable Insights

Retail and eCommerce organizations not only receive high levels of vulnerability insights unique to their industry, but are also able to transform those insights into improvement actions, from SDLC refinement to training programs.

“The vulnerability insights from our bug bounty program have enabled us to find improvement opportunities throughout the security development lifecycle (SDLC) and proactively reduce vulnerabilities like XSS by 98%.”
— Alejandro Iacobelli, Application Security Senior Manager, Mercado Libre

“Specific findings of hackers enabled us to build a new secure code training program for our development teams. We monitor the trends of vulnerabilities and leverage them to build a training baseline to reduce the risks to our assets. The training program has helped us increase the quality of the code and reduce vulnerabilities. It’s also increased our prevention capabilities by shifting left as much as possible to secure the SDLC. We noticed a decrease in total valid reports over the years, and we lowered costs remediating issues in live environments.”
— Feliks Voskoboynik, CISO, AS Watson

3. Scale

As organizations grow, so does the risk of security vulnerabilities. These retail and eCommerce organizations tap into the extensive pool of security researchers to support and scale their growth.

“As our eCommerce business grows, we need to scale our reactive security strategy across a growing attack surface so we can meet customer needs, ensure privacy, adhere to compliance regulations, and deliver our software as securely as possible. We needed a partner like HackerOne, to bring a community of security researchers that provide diverse vulnerability insights across our digital assets to help us maximize our efforts.”
— Alejandro Iacobelli, Application Security Senior Manager, Mercado Libre

“HackerOne has advanced our levels of cybersecurity across AS Watson. Our program continues to grow, and HackerOne has helped us identify and prioritize where our focus needs to be. Over the years, we have recognized an extensive amount of new vulnerabilities and high-risk issues that have improved the overall security posture of our internet-facing assets and have strengthened our cybersecurity program.”
— Besmir Marku, Head of Technology and Application Security, AS Watson

If you’re ready to learn more about how your retail or eCommerce organization can harness the power of ethical hackers and bug bounty, contact HackerOne today.

The 8th Annual Hacker-Powered Security Report

HPSR blog ad image