
Lazada’s live bug bounty uncovers 115 vulnerabilities

12 September, 2022

Bug bounty programs have been something of a game changer for organizations when it comes to cybersecurity. While most businesses have invested heavily in proactive cybersecurity solutions, the reality is that many are still concerned about the state of their cybersecurity, especially as threat actors still manage to break through the protection in place.

Hence, a majority of businesses have now opted for bug bounty programs to help them deal with their cybersecurity problems. In fact, bug bounty reward payments have also increased significantly in recent times, with some organizations offering up to a million for vulnerabilities discovered.

So what exactly is a bug bounty program?

Bug bounty refers to a reward that is paid to individuals, who are normally white hat hackers or ethical hackers. These hackers, or even researchers, hunt for vulnerabilities and weaknesses in a company’s systems. Should they discover any bugs and vulnerabilities and report them to the organization, they are paid a reward for it.

The rewards for bug bounty programs continue to increase yearly as organizations hope that more vulnerabilities and bugs can be discovered in their systems. One of the largest bug bounty payments ever made was by Coinbase, which paid US$250,000 to a researcher for discovering a trading interface flaw.

Meanwhile, MakerDAO announced a bounty of up to $10 million for white hat hackers and cybersecurity specialists who point out legitimate security threats in its smart contracts, one of the highest amounts ever offered.

Larger tech companies are no exception: Microsoft awarded US$13.7M in bug bounties to more than 330 security researchers across 46 countries over the past 12 months. The largest award was $200,000 under the Hyper-V Bounty Program, and the average award was more than $12,000 across all its programs.

Bug bounty programs in Southeast Asia

In Southeast Asia, countries like Singapore are also offering bug bounty programs through government agencies. For example, the Government Technology Agency of Singapore (GovTech) is offering up to SG$150,000 for exceptional reports that could cause an exceptional impact on selected systems and data.

E-commerce provider Lazada has also been running a successful two-year bug bounty program with YesWeHack. This year, Lazada scaled the program to the next level with a live event during the Hack In The Box Security Conference (HITBSecCONF 2022).

The two-day live bug bounty program resulted in 115 vulnerability reports being submitted by the several dozen researchers present at the event, including some of the best security researchers in the world. The event also allowed Lazada to test its applications over a fixed period of time while meeting the researchers in person to discuss their findings, giving Lazada deep and exclusive insight into the vulnerabilities found.

Lazada wanted to use this live event as an opportunity to achieve in-depth security testing. To enable this, the company voluntarily disabled a number of security mechanisms for participating researchers, and only for the duration of the event, allowing them to test the systems and applications extensively.

“Accomplishing a live program on this scale demonstrates Lazada’s commitment to security and progressive stance towards bug bounties. By engaging with the broader community, the eCommerce giant is placing an unprecedented level of trust in ethical hackers to better strengthen their security, and transparency, as well as data privacy and protection. We are delighted to be able to contribute to yet another successful collaboration with Lazada,” said Kevin Gallerin, CEO of APAC, YesWeHack.

“Securing customers’ data and protecting it from any future incidents is of the highest importance at Lazada. Having some of the best security researchers in the world in the same room as us is an exceptional opportunity to learn and exchange—especially for our red team, who mounts deliberate attacks on our systems daily to identify and fix vulnerabilities,” added Bruno Demarche, who leads the Red Team & Security Testing Team at Lazada Group.

Lazada’s partnership with YesWeHack began in January 2020 with a successful 18-month private bug bounty program. The partners then continued to expand the scope of their collaboration, and Lazada opened its program to the public in 2021, with rewards of up to US$10,000 per bounty. Since then, the company has been working with over 45,000 ethical hackers to detect flaws within its applications and systems in order to achieve maximum security and protection across its platforms.

The collaboration with Lazada has also allowed YesWeHack to further advance its community of cybersecurity experts and position the company as the leading player in bug bounties in the Asia Pacific.

Since 2019, YesWeHack has served more than 60 clients from its Asia Pacific headquarters in Singapore, including large BFSIs, tech unicorns and government bodies.
