Monday, September 12, 2022

Lazada and YesWeHack strengthen Bug Bounty partnership at HITBSecCONF2022 Singapore


  • Since 2001, worked with over 45k ethical hackers to detect flaws
  • Voluntarily disabled some security mechanisms for participating researchers


Southeast Asia’s leading eCommerce platform Lazada has concluded its latest live bug bounty with YesWeHack, a leading global Bug Bounty and Vulnerability Disclosure Policy (VDP) Platform. The 2-day live bug bounty program, which was held at the Hack In The Box Security Conference (HITBSecCONF 2022), resulted in 115 vulnerability reports being submitted by the several dozen researchers present at the event, including some of the best security researchers in the world.

After running a successful two-year Bug Bounty program with YesWeHack, Lazada scaled the program to the next level this year during the HITBSecCONF 2022. The event allowed Lazada to test their applications over the given period of time, while being able to meet with researchers to exchange on the discoveries, thus giving Lazada unique insights into the vulnerabilities found.

Lazada wanted to use this live event as an opportunity to achieve in-depth security. To enable this, the company voluntarily disabled a number of security mechanisms for participating researchers and only for the period of the event, allowing them to extensively test the systems and applications. For example, researchers were able to bypass Web Application Firewalls (WAF) throughout the length of the event, allowing them to hack into the eCommerce platform’s sites and services directly. Lazada chose to disable WAFs because, while a WAF is able to block most attacks, it is also not infallible. In addition to WAFs, Lazada also disabled other security features which are often used as a first line of defense, so as to offer hackers the chance to test their application in greater depth.

“Carrying out a live program on this scale demonstrates Lazada’s commitment to security and progressive stance towards bug bounties. By engaging with the wider community, the eCommerce service is placing an unprecedented level of trust in ethical hackers to better strengthen security, transparency, as well as data privacy and protection. We’re delighted to be able to contribute to yet another successful collaboration with Lazada,” said Kevin Gallerin, CEO APAC, YesWeHack.


“Securing customer’s data and protecting it from any future incidences is of highest importance at Lazada. Having some of the best security researchers in the world in the same room as us is an exceptional opportunity to learn and exchange, especially for our red team, who mount deliberate attacks on our systems every day to identify and fix vulnerabilities,” said Bruno Demarche, who leads the Red Team & Security Testing Team at Lazada Group.

“The live bug bounty program was a rewarding experience for Lazada and YesWeHack alike. The teams were able to discover quality results, which has already given us ideas on how we can improve our internal testing processes for our application and services to ultimately better safeguard Lazada’s customers and partners,” said Yuezhong Bao, Head of Cybersecurity, Lazada Group.

Lazada’s partnership with YesWeHack began in January 2020 with a successful 18-month private bug bounty program. The partners then continued to expand the scopes of their collaboration, and Lazada opened its program to the public in 2021, with rewards of up to US$10,000 per bounty. Since then, the company has been working with over 45,000 ethical hackers to detect flaws within their application and systems to achieve maximum security and protection over their platforms.

The collaboration with Lazada has also allowed YesWeHack to further advance its community of cybersecurity experts and position the company as the leading player of bug bounties in Asia Pacific. Since 2019, YesWeHack has served more than 60 clients from its Asia Pacific headquarters in Singapore, including large BFSIs, tech unicorns and government bodies. With a growing market demand being seen for the crowdsourced security model, 40% of YesWeHack’s security researchers are based out of Asia, with 30% of its clientele coming from Australia, China, Indonesia, Malaysia, and Singapore.
