Trust on Both Sides: How Temu Secures Its Global Marketplace
By pairing a strong internal information security team with an elite global researcher community and professional triage, Temu extended continuous security coverage from consumer to seller without slowing down.
Temu is one of the fastest-growing global e-commerce platforms, serving millions of consumers and a rapidly expanding seller community across markets worldwide. At that scale, security underpins everything: every purchase, seller interaction, and consumer experience depends on the platform working as intended. For Temu's security team, the question was how to ensure security keeps pace the growth of the platform.
Attack Surface Expands
Temu's security program is built around a strong in-house team. The team owns the full lifecycle — system design, threat modeling, incident response — and knows how the systems work because it built them. That foundation has been independently verified — Temu's app security practices meet the Mobile Application Security Assessment (MASA) cybersecurity standard. But an internal team, however skilled, tests from the inside out. Attackers work from the outside in.
As the platform grew, so did the ground to defend. New consumer features, seller tools, product categories and markets each added systems that needed testing.
Internal testing could cover what the team knew to look for. Independent researchers around the world, each with different methods, tools, and habits, could find what it didn’t.
The team also knew what a good program looked like: once skilled researchers would choose to join, where reports moved quickly, rewards were fair, and trust held over time. The challenge was building the processes to deliver that consistently as the program grew.
An in-house team is the foundation; outside researchers add ways of thinking the team can't replicate
Every new feature and market adds systems to protect, on both sides of the marketplace
Triage friction
Duplicate and low-quality reports consumed valuable time.
Duplicate and low-quality reports consumed valuable time.
Researchers only keep participating if they trust the program — trust is a requirement, not a bonus
Continuous testing that stays on for every release
Temu evaluated external partners against a specific set of criteria:
- The quality and depth of the researcher community, not just its size
- A vetting process that would keep the internal team focused on real, confirmed issues
- The ability to pay researchers around the world quickly and in line with local rules
HackerOne’s bounty program (H1 Bounty) met that bar on all counts. The researcher community's scale and diversity complemented the coverage Temu's internal team already provided in ways that mattered. HackerOne's triage service (H1 Triage) checks each report first, filtering out duplicates and invalid submissions, so Temu's team reviews only confirmed issues rather than a raw queue.
"The most effective way to protect a platform is to combine real-world testing with rigorous internal security reviews."
The bounty program wasn't bolted on top of existing operations. It extends security work Temu already does — including app security, payment protection, and anti-phishing partnerships — and grows with the platform. The pattern is consistent: as each part of the platform matures, it opens to external testing.
In June 2025, that same logic extended coverage to seller-facing infrastructure — systems with their own account structures and business workflows. Researchers have since found complex, multi-step issues that the internal team used to sharpen its own threat modelling. As Temu’s US seller base grows, protecting those systems is part of supporting the sellers who depend on them. The principle behind the decision is one the team returns to consistently: securing a marketplace means securing both sides of the transaction.
Use Hai to translate, summarize, and standardize findings so the team could move from reading to fixing.
Discovery as a Win
Discovery itself was a win for pixiv. Through HackerOne, pixiv was finding real vulnerabilities that their earlier program and tools struggled to detect, including:
- Infrastructure misconfigurations that exposed internal server data
- Business logic flaws, such as IDOR issues tied to application-specific behavior
- UI-level attack scenarios, including clickjacking with real account-level impact
These findings required contextual understanding of pixiv’s systems, user flows, and permission models—areas where automation alone falls short.
More critically, HackerOne surfaced vulnerabilities with direct business impact. Naoki noted that some of these issues had existed unnoticed for years–highlighting the unique value of continuous scrutiny from the HackerOne researcher community.
A payment bypass vulnerability
that could have caused financial loss
that could have caused financial loss
Credential leaks
and configuration issues in improperly managed code paths
and configuration issues in improperly managed code paths
Remote code execution
in non-sandbox environments and privilege violations equivalent to infrastructure administrative access
in non-sandbox environments and privilege violations equivalent to infrastructure administrative access
Cost-Effective Risk Mitigation
Because costs were incurred only when valid vulnerabilities were found, Naoki views the program as highly cost-effective compared to traditional, periodic penetration testing. From July 2018 to today, pixiv’s program stats include:
A Cultural Change
Throughout his tenure, Naoki observed an interesting transformation in pixiv’s security culture. Vulnerabilities weren’t just fixed—they became learning material, shared internally to strengthen future development. In turn, Naoki says HackerOne’s impact goes beyond performance metrics–it ignited a cultural shift where security was taken seriously because risk was proven, not just hypothetical.
「脆弱性は、『きっと無い』ではなく、『目の前にあるから対策しなければならない』と社内の認識が変わりました。」
Instead of thinking ‘maybe there are no vulnerabilities,’ leadership now understands that they exist and must be addressed.
For pixiv, security is foundational to creativity itself. With HackerOne Bug Bounty, triage services, and Hai, pixiv combined global expertise with operational efficiency. Protecting over 115 million users and 150 million works from abuse and financial harm means continuously validating that trust at global scale.
As pixiv expands globally, continuous risk reduction remains mission-critical to ensuring creators and fans can focus on what matters most: creating, sharing, and connecting.