2017 Bug Bounty Year in Review

At Shopify, our bounty program complements our security strategy and allows us to leverage a community of thousands of researchers who help secure our platform and create a better Shopify user experience. We first launched the program in 2013 and moved to the HackerOne platform in 2015 to increase hacker awareness. Since then, we've continued to see increasing value in the reports submitted, and 2017 was no exception.

Peter Yaworski

Overview

The article reviews the performance and outcomes of Shopify's bug bounty program in 2017, highlighting the collaboration with researchers to enhance platform security. It details significant payouts, participation in the H1-415 event, and improvements in response and triage times.

What You'll Learn

1. How to effectively engage with bug bounty programs to enhance platform security
2. Why quick response times are crucial for maintaining hacker engagement
3. How to structure bug bounty payouts to attract high-quality reports

Key Questions Answered

What was the highest bug bounty payout in 2017?
The highest bug bounty payout in 2017 was $20,000 awarded to uzsunny for a vulnerability that allowed unauthorized collaborator access to stores. This issue was resolved within hours of the report being submitted.
How many bugs were resolved during the H1-415 event?
During the H1-415 event, 15 bugs were resolved by 5 hackers, earning a total of $42,000 with an average payout of $2,800 per bug. This event significantly boosted the visibility of Shopify's bug bounty program.
What changes were made to the bug bounty program in 2017?
In 2017, Shopify made several changes to their bug bounty program, including quicker payments of at least $500 upon triage, clearer program guidelines, and providing hackers access to new features before full release. These changes aimed to enhance hacker engagement and satisfaction.
What was the average bounty payout in 2017?
The average bounty payout in 2017 increased to almost $1,100, up from $659 in 2016. This increase reflects the growing value and quality of reports submitted by hackers.

Key Statistics & Figures

Total amount paid to hackers: $67,550 (a $7,000 increase compared to the previous year)
Average bounty payout: $1,100 (up from $659 in 2016)
Initial response time: 4 hours (despite a slight increase, this response time remains competitive)
Triage time: 4 days (the average time taken to triage reports)
Percentage of resolved reports: 10.5% (a 1.5% increase in the number of resolved reports)

Technologies & Tools

Platform: HackerOne, used for managing the bug bounty program and facilitating hacker engagement.

Key Actionable Insights

1. Implement a structured payout system for bug bounties to attract top talent.
   By clearly defining payout tiers and ensuring timely payments, companies can motivate researchers to submit high-quality reports, which ultimately strengthens platform security.
2. Engage with the hacker community through events to enhance program visibility.
   Participating in events like H1-415 not only resolves vulnerabilities but also builds relationships with hackers, providing insights into their motivations and testing approaches.
3. Focus on reducing response and triage times to improve hacker satisfaction.
   Maintaining quick response times is essential for keeping hackers engaged and motivated to report vulnerabilities, which can lead to a more secure platform.

Common Pitfalls

1. Failing to respond quickly to bug reports can lead to decreased hacker engagement.
   When response times are slow, hackers may feel undervalued and less motivated to report vulnerabilities, which can ultimately weaken the security posture of the platform.