Bug Bounty Year in Review 2019

We’re reflecting on our Bug Bounty program for 2019 and introducing new program changes for 2020.

Peter Yaworski
7 min read, intermediate

Overview

The article provides a comprehensive review of Shopify's Bug Bounty program in 2019, highlighting key improvements, statistics, and insights gained from peer collaborations. It emphasizes the program's commitment to enhancing security through timely bounty payments, increased maximum bounty amounts, and improved communication with hackers.

What You'll Learn

1. How to implement faster bounty payments in a bug bounty program
2. Why increasing maximum bounty amounts can enhance security engagement
3. How to leverage data analytics to improve bug bounty program effectiveness

Prerequisites & Requirements

  • Understanding of bug bounty programs and security vulnerabilities
  • Familiarity with the HackerOne platform (optional)

Key Questions Answered

How quickly does Shopify pay bounties after a report is triaged?
Shopify pays bounties in full within 7 days of a report being triaged. This change has significantly improved the experience for hackers participating in the program.
What is the maximum bounty amount for reports in Shopify's program?
The maximum bounty amount has been increased to $50,000, with specific amounts for different types of vulnerabilities such as $20K–$50K for Arbitrary Code Execution and $10K–$30K for Privilege Escalation.
What improvements were made to response times in 2019?
In 2019, Shopify reduced the average time to first response to 16 hours and the average time to triage to 2 days and 13 hours, showcasing a commitment to faster communication with hackers.
How does Shopify handle duplicate reports in their bug bounty program?
Starting in 2019, anyone who files a duplicate report is added to the original report in HackerOne, which helps maintain trust and transparency within the program.

Key Statistics & Figures

Average time to first response: 16 hours (improved from 1 day and 9 hours in 2018)
Average time to triage: 2 days and 13 hours (reduced from 3 days and 6 hours in 2018)
Total amount paid to hackers: $126,100 (down from $296,400 in 2018, despite a similar number of reports)
Bounties awarded: 107 (down from 182 in 2018)

Technologies & Tools

Platform: HackerOne, used for managing bug reports and bounty payments.

Key Actionable Insights

1. Implementing a system for faster bounty payments can significantly enhance hacker engagement and trust in your program. By paying bounties in full within 7 days of triage, Shopify improved the overall experience for hackers, encouraging more participation and higher quality reports.
2. Increasing maximum bounty amounts can attract more skilled hackers and improve the security of your applications. Shopify's decision to raise the maximum bounty to $50,000 demonstrates a commitment to security and incentivizes hackers to report the most critical vulnerabilities.
3. Utilizing data analytics from platforms like HackerOne can provide valuable insight into program performance and hacker behavior. Shopify learned from peer programs to better understand its testing funnel, which helped it make informed decisions about program improvements.
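The program metrics the article reports (average time to first response, average time to triage, payment within 7 days of triage, duplicates linked to the original report) can be computed from a report export. The following Python is an added example, not code from the Shopify article or from HackerOne: the `Report` record and its field names (`reported_at`, `first_response_at`, `triaged_at`, `bounty_paid_at`, `duplicate_of`) are assumptions, not the HackerOne export schema, and the sample reports are constructed data chosen so the averages land on the article's own 16 hours and 2 days and 13 hours.

```python
"""Bug bounty program metrics of the kind the article reports.

Added example; not Shopify's or HackerOne's code. Field names and the
sample reports below are constructed assumptions, not a real export.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Report:
    id: int
    reported_at: datetime
    first_response_at: Optional[datetime] = None
    triaged_at: Optional[datetime] = None
    bounty_paid_at: Optional[datetime] = None
    duplicate_of: Optional[int] = None  # id of the original report, if a duplicate


def _mean(deltas: List[timedelta]) -> Optional[timedelta]:
    """Average a list of timedeltas; None when there is nothing to average."""
    if not deltas:
        return None
    return sum(deltas, timedelta()) / len(deltas)


def avg_time_to_first_response(reports: List[Report]) -> Optional[timedelta]:
    # Every report, including duplicates, gets a first response.
    return _mean([r.first_response_at - r.reported_at
                  for r in reports if r.first_response_at is not None])


def avg_time_to_triage(reports: List[Report]) -> Optional[timedelta]:
    # Only reports that were actually triaged count; duplicates are closed, not triaged.
    return _mean([r.triaged_at - r.reported_at
                  for r in reports if r.triaged_at is not None])


def bounty_sla_breaches(reports: List[Report], now: datetime,
                        sla: timedelta = timedelta(days=7)) -> List[int]:
    """Ids of triaged reports whose bounty was not paid within `sla` of triage.

    An unpaid bounty is measured against `now`, so a report that is still
    open past the deadline is reported as a breach rather than hidden.
    """
    breaches = []
    for r in reports:
        if r.triaged_at is None:
            continue
        paid_or_now = r.bounty_paid_at or now
        if paid_or_now - r.triaged_at > sla:
            breaches.append(r.id)
    return breaches


def duplicate_groups(reports: List[Report]) -> Dict[int, List[int]]:
    """Map each original report id to the ids of its duplicates.

    Mirrors the policy of adding duplicate filers to the original report.
    """
    groups: Dict[int, List[int]] = {}
    for r in reports:
        if r.duplicate_of is not None:
            groups.setdefault(r.duplicate_of, []).append(r.id)
    return groups


def format_delta(d: timedelta) -> str:
    """Render a timedelta the way the article does, e.g. '2 days and 13 hours'."""
    total_hours = int(d.total_seconds() // 3600)
    days, hours = divmod(total_hours, 24)
    hours_s = f"{hours} hour{'s' if hours != 1 else ''}"
    if days == 0:
        return hours_s
    return f"{days} day{'s' if days != 1 else ''} and {hours_s}"


# Constructed sample data (not real reports).
SAMPLE_REPORTS = [
    Report(1, datetime(2019, 3, 1, 9), datetime(2019, 3, 1, 21),
           datetime(2019, 3, 3, 9), datetime(2019, 3, 8, 9)),
    Report(2, datetime(2019, 3, 10, 8), datetime(2019, 3, 11, 4),
           datetime(2019, 3, 13, 23), datetime(2019, 3, 22, 8)),
    Report(3, datetime(2019, 3, 15, 10), datetime(2019, 3, 15, 22),
           duplicate_of=1),
    Report(4, datetime(2019, 3, 20, 12), datetime(2019, 3, 21, 8),
           datetime(2019, 3, 22, 12)),
]
NOW = datetime(2019, 4, 1)


def program_metrics(reports: List[Report], now: datetime) -> Dict[str, object]:
    """Summarise a report set the way a year-in-review would."""
    return {
        "avg_first_response": format_delta(avg_time_to_first_response(reports)),
        "avg_triage": format_delta(avg_time_to_triage(reports)),
        "bounty_sla_breaches": bounty_sla_breaches(reports, now),
        "duplicates": duplicate_groups(reports),
    }


if __name__ == "__main__":
    for key, value in program_metrics(SAMPLE_REPORTS, NOW).items():
        print(f"{key}: {value}")
```

Run on the sample set this reports an average first response of 16 hours, an average triage of 2 days and 13 hours, reports 2 and 4 as breaching the 7-day payment window (report 4 because it is still unpaid at `NOW`), and report 3 grouped under original report 1. The choice to measure unpaid bounties against `now` is deliberate: a metric that only counts paid bounties would let the worst backlog disappear from the report.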

Common Pitfalls

1. Failing to communicate effectively with hackers can lead to frustration and decreased participation in the bug bounty program. Shopify's improvements in response times highlight the importance of timely communication for maintaining hacker trust and engagement.

Related Concepts

Bug Bounty Programs
Security Vulnerabilities
Data Analytics In Security