Customer Story

Trust on Both Sides: How Temu Secures Its Global Marketplace

By pairing a strong internal information security team with an elite global researcher community and professional triage, Temu extended continuous security coverage from consumer to seller without slowing down.

Industry
Media & Entertainment
Use Cases
Exposure Management, Crowdsourced Security, Defense in Depth
Solutions
H1 Bounty, Hai, Hai Triage
Regions
Asia Pacific
Smooth gradient background transitioning from deep navy blue on the left to bright cyan and magenta on the right

Temu is one of the fastest-growing global e-commerce platforms, serving millions of consumers and a rapidly expanding seller community across markets worldwide. At that scale, security underpins everything: every purchase, seller interaction, and consumer experience depends on the platform working as intended. For Temu's security team, the question was how to ensure security keeps pace the growth of the platform. 

Challenge

Attack Surface Expands

Temu's security program is built around a strong in-house team. The team owns the full lifecycle — system design, threat modeling, incident response — and knows how the systems work because it built them. That foundation has been independently verified — Temu's app security practices meet the Mobile Application Security Assessment (MASA) cybersecurity standard. But an internal team, however skilled, tests from the inside out. Attackers work from the outside in.

As the platform grew, so did the ground to defend. New consumer features, seller tools, product categories and markets each added systems that needed testing. 

Internal testing could cover what the team knew to look for. Independent researchers around the world, each with different methods, tools, and habits, could find what it didn’t.

The team also knew what a good program looked like: once skilled researchers would choose to join, where reports moved quickly, rewards were fair, and trust held over time. The challenge  was building the processes to deliver that consistently as the program grew. 

An in-house team is the foundation; outside researchers add ways of thinking the team can't replicate

Every new feature and market adds systems to protect, on both sides of the marketplace

Triage friction

Duplicate and low-quality reports consumed valuable time.

Researchers only keep participating if they trust the program — trust is a requirement, not a bonus

Solution

Continuous testing that stays on for every release

Temu evaluated external partners against a specific set of criteria: 

  • The quality and depth of the researcher community, not just its size
  • A vetting process that would keep the internal team focused on real, confirmed issues
  • The ability to pay researchers around the world quickly and in line with local rules

HackerOne’s bounty program (H1 Bounty) met that bar on all counts. The researcher community's scale and diversity complemented the coverage Temu's internal team already provided in ways that mattered. HackerOne's triage service (H1 Triage) checks each report first,  filtering out duplicates and invalid submissions, so Temu's team reviews only confirmed issues rather than a raw queue.

"The most effective way to protect a platform is to combine real-world testing with rigorous internal security reviews."

The bounty program wasn't bolted on top of existing operations. It extends security work Temu already does — including app security, payment protection, and anti-phishing partnerships —  and grows with the platform. The pattern is consistent: as each part of the platform matures, it opens to external testing. 

In June 2025, that same logic extended coverage to seller-facing infrastructure — systems with their own account structures and business workflows. Researchers have since found complex, multi-step issues that the internal team used to sharpen its own threat modelling. As Temu’s US seller base grows, protecting those systems is part of supporting the sellers who depend on them. The principle behind the decision is one the team returns to consistently: securing a marketplace means securing both sides of the transaction. 

Use Hai to translate, summarize, and standardize findings so the team could move from reading to fixing.

Impact

Discovery as a Win

Discovery itself was a win for pixiv. Through HackerOne, pixiv was finding real vulnerabilities that their earlier program and tools struggled to detect, including:

  • Infrastructure misconfigurations that exposed internal server data
  • Business logic flaws, such as IDOR issues tied to application-specific behavior
  • UI-level attack scenarios, including clickjacking with real account-level impact

These findings required contextual understanding of pixiv’s systems, user flows, and permission models—areas where automation alone falls short.

More critically, HackerOne surfaced vulnerabilities with direct business impact. Naoki noted that some of these issues had existed unnoticed for years–highlighting the unique value of continuous scrutiny from the HackerOne researcher community.

A payment bypass vulnerability

that could have caused financial loss

Credential leaks

and configuration issues in improperly managed code paths

Remote code execution

in non-sandbox environments and privilege violations equivalent to infrastructure administrative access

Cost-Effective Risk Mitigation

Because costs were incurred only when valid vulnerabilities were found, Naoki views the program as highly cost-effective compared to traditional, periodic penetration testing. From July 2018 to today, pixiv’s program stats include:

162
Validated vulnerabilities resolved to date
$137,811
Total bounties paid to date
$850
Average bounty cost per vulnerability

A Cultural Change

Throughout his tenure, Naoki observed an interesting transformation in pixiv’s security culture. Vulnerabilities weren’t just fixed—they became learning material, shared internally to strengthen future development. In turn, Naoki says HackerOne’s impact goes beyond performance metrics–it ignited a cultural shift where security was taken seriously because risk was proven, not just hypothetical. 

「脆弱性は、『きっと無い』ではなく、『目の前にあるから対策しなければならない』と社内の認識が変わりました。」

Instead of thinking ‘maybe there are no vulnerabilities,’ leadership now understands that they exist and must be addressed.

For pixiv, security is foundational to creativity itself. With HackerOne Bug Bounty, triage services, and Hai, pixiv combined global expertise with operational efficiency. Protecting over 115 million users and 150 million works from abuse and financial harm means continuously validating that trust at global scale. 

As pixiv expands globally, continuous risk reduction remains mission-critical to ensuring creators and fans can focus on what matters most: creating, sharing, and connecting.