Why Some Retailers Are Paying Hackers for Security Help
Getting hacked isn’t just a concern for tech companies anymore. Businesses of all shapes and sizes have digital, forward-facing assets. Retailers, in particular, possess a large amount of consumer data — from purchasing habits to personally identifiable information like names, addresses and credit card numbers — making them attractive targets for criminals. A breach of this information can have devastating consequences.
Take two of the most widely known breaches in history: Target and Home Depot. In 2013, intruders stole the data of more than 40 million Target customers, and settling the resulting multistate lawsuit and investigation ultimately cost the company $18.5 million. Just a year later, criminals breached Home Depot’s self-checkout terminals and stole the email or credit card information of 50 million customers, forcing Home Depot to pay $25 million in damages to banks. These figures don’t include legal fees, the cost of repairs and third-party assistance, and, of course, reputation damage.
How do retailers make sure they don’t fall victim to a data breach? Keeping up with the evolving threat landscape is no easy task. Fixing vulnerabilities is time-consuming, and with most security teams lacking headcount and resources, taking the time to hunt for new vulnerabilities falls lower on the priority list. Right or wrong, that’s the reality. Some organizations like Starbucks, Instacart, Lyst, and Canadian e-commerce platform Shopify are allowing the broader ethical hacking community to do some of that bug hunting for them, which frees internal teams to spend their time fixing bugs and mitigating risk faster than ever before.
Shopify has resolved over 500 vulnerabilities, thanks to more than 300 white hat hackers who have reported vulnerabilities as part of its bug bounty program. The program rewards hackers monetarily for finding and reporting security vulnerabilities. In just over three years, Shopify has paid white hat hackers more than $850,000. Shopify’s average response time to inbound reports is just three hours, with an average resolution time of just 25 days. This places Shopify among the most responsive programs on HackerOne’s platform. Hackers have become an essential component of Shopify’s overall security strategy, so much so that the e-commerce platform provider hired one of HackerOne’s top 100 hackers, Pete Yaworski, for a full-time role on its security team in 2017.
Other retailers can similarly benefit by implementing their own bug bounty programs, which are gaining popularity in the industry. Retail is the third fastest-growing industry when it comes to bug bounty program adoption — and I expect adoption to keep growing in the years to come. Hackers can benefit, too. Retail bug bounty programs can be quite lucrative, with an average bounty payment of $1,720 per critical vulnerability discovered.
A bug bounty program is just one of several subsets of a robust cybersecurity program, which includes encryption, endpoint security, and more. There's so much sensitive information exchanged in retail transactions, and retailers need to prioritize security and tap the hacker community for help. By leveraging the knowledge of the hacker community, they’ll create a safer shopping experience.
Michiel Prins co-founded HackerOne, a bug bounty and vulnerability disclosure platform, connecting organizations with the world’s largest community of trusted hackers. He's an information security expert, hacker and developer. Michiel has been finding critical software vulnerabilities in technology for over 10 years.