Overview
The article reviews Shopify's Bug Bounty program for 2018, highlighting its achievements, including a significant reduction in triage time and increased payouts to hackers. It details the triage process, a live hacking event, and key statistics that underscore the program's success.
What You'll Learn
1
How to effectively reduce triage time for bug reports
2
Why engaging with the hacker community enhances security
3
When to implement innovative strategies in live hacking events
Key Questions Answered
How did Shopify improve its bug triage process in 2018?
In 2018, Shopify reduced its average time to triage bug reports from four days to just 10 hours. This improvement was achieved by dedicating one team member weekly to focus solely on triaging reports, allowing for quicker validation and response times.
What were the key statistics from Shopify's Bug Bounty program in 2018?
In 2018, Shopify's Bug Bounty program paid out a total of $155,750, with an average bounty of $1,790. The program received 1,010 reports, of which 58.7% were closed as not applicable, and 60% of resolved reports received a bounty.
What innovative strategies were used during the H1-514 live hacking event?
During the H1-514 event, Shopify opened submissions early, disclosed resolved reports during the event, and offered unique bonuses for creative testing. These strategies aimed to enhance engagement and incentivize hackers to explore complex areas.
Key Statistics & Figures
Total amount paid to hackers
$155,750
This amount reflects the total payouts made during the year, indicating the program's success.
Average bounty
$1,790
The average bounty increased from $1,100 in 2017 to $1,790 in 2018.
Number of reports received
1,010
This was the total number of reports submitted to the program in 2018.
Percentage of resolved reports receiving a bounty
60%
This percentage highlights the effectiveness of the program in rewarding valid reports.
Technologies & Tools
Platform
Hackerone
Used for managing the bug bounty program and triaging reports.
Key Actionable Insights
1Implement a dedicated triager for bug reports to enhance response times.By assigning a team member to focus solely on triaging, Shopify significantly reduced its triage time, which can be a best practice for other organizations looking to improve their bug bounty programs.
2Engage with the hacker community through live events to foster collaboration.Shopify's H1-514 event demonstrated that inviting hackers to test systems can yield valuable insights and vulnerabilities, which can enhance overall security.
3Utilize innovative incentives to motivate hackers during bounty programs.By offering bonuses for specific types of vulnerabilities, Shopify encouraged hackers to focus on more complex issues, which can lead to better security outcomes.
Common Pitfalls
1
Failing to effectively manage low-severity reports can lead to delays in resolution.
Shopify noted that some low-severity reports remained in a triaged state beyond the target resolution time. To avoid this, organizations should prioritize these reports and ensure timely follow-ups.