Since launching their first private bug bounty program in 2020, the initiative has expanded into a two-day live hacking event focused on protecting Lazada’s consumer data
SINGAPORE - Media OutReach - 8 September 2022 - Southeast Asia's leading eCommerce platform Lazada has concluded its latest live bug bounty with YesWeHack, a leading global Bug Bounty and Vulnerability Disclosure Policy (VDP) Platform. The two-day live bug bounty program, which was held at the Hack In The Box Security Conference (HITBSecCONF 2022), resulted in 115 vulnerability reports being submitted by the several dozen researchers present at the event, including some of the best security researchers in the world.After running a successful two-year Bug Bounty program with YesWeHack, Lazada scaled the program to the next level this year during the HITBSecCONF 2022. The event allowed Lazada to test their applications over the given period of time, while being able to meet with researchers to exchange on the discoveries—thus giving Lazada deep and exclusive insights to the vulnerabilities found.
Lazada wanted to use this live event as an opportunity to achieve in-depth security. To enable this, the company voluntarily disabled a number of security mechanisms for participating researchers and only for the period of the event, allowing them to extensively test the systems and applications. For instance, researchers were able to bypass Web Application Firewalls (WAF) throughout the length of the event—allowing them to hack into the eCommerce platform's sites and services directly. Lazada had chosen to disable WAFs for the hunters, due to the fact that while they are able to block most of the attack, they are not infallible. In addition to WAFs, Lazada also disabled other security solutions that are typically used as a first line of defense, so as to offer hackers the chance to test their application in greater depth.
"Accomplishing a live program on this scale demonstrates Lazada's commitment to security and progressive stance towards bug bounties. By engaging with the broader community, the eCommerce giant is placing an unprecedented level of trust in ethical hackers to better strengthen their security, transparency, as well as data privacy and protection. We are delighted to be able to contribute to yet another successful collaboration with Lazada," said Kevin Gallerin, CEO APAC, YesWeHack.
"Securing customer's data and protecting it from any future incidences is of highest importance at Lazada. Having some of the best security researchers in the world in the same room as us is an exceptional opportunity to learn and exchange—especially for our red team, who mounts deliberate attacks on our systems daily to identify and fix vulnerabilities," said Bruno Demarche, who leads the Red Team & Security Testing Team at Lazada Group.
"The live bug bounty program was a rewarding experience for Lazada and YesWeHack alike. The teams have been able to uncover quality results, which has already given us ideas on how we can improve our internal testing processes for our application and services to ultimately better safeguard Lazada's customers and partners," said Yuezhong Bao, Head of Cybersecurity, Lazada Group.
Lazada's partnership with YesWeHack began in January 2020 with a successful 18-month private bug bounty program. The partners then continued to expand the scopes of their collaboration, and Lazada opened its program to the public in 2021, with rewards of up to US$10,000 per bounty. Since then, the company has been working with over 45,000 ethical hackers to detect flaws within their application and systems to achieve maximum security and protection over their platforms.
The collaboration with Lazada has also allowed YesWeHack to further advance its community of cybersecurity experts and position the company as the leading player of bug bounties in Asia Pacific. Since 2019, YesWeHack has served more than 60 clients from its Asia Pacific headquarters in Singapore, including large BFSIs, tech unicorns and government bodies. With a growing market demand being seen for the crowdsourced security model, 40 percent of YesWeHack's security researchers are based out of Asia, with 30 percent of its clientele coming from Australia, China, Indonesia, Malaysia, and Singapore.
Hashtag: #YesWeHack
About Lazada
Lazada Group is Southeast Asia's pioneer eCommerce platform. For the last 10 years, Lazada has been accelerating progress in Indonesia, Malaysia, the Philippines, Singapore, Thailand and Vietnam through commerce and technology. Today, a thriving local ecosystem links about 160 million active users to more than one million actively-selling sellers every month, who are transacting safely and securely via trusted payments channels and Lazada Wallet, receiving parcels through a homegrown logistics network that has become the largest in the region.
With a vision to achieve USD100 billion annual GMV, Lazada aims to serve 300 million shoppers by 2030, and be the best at enabling brands and sellers in digitalizing their businesses.
In 2022, the Lazada Foundation was set up to empower youths and women for the digital future, close the gender digital divide and uplifting communities by creating positive impact. More information can be found here
About YesWeHack
Founded in 2015, YesWeHack is a global Bug Bounty and VDP Platform. YesWeHack offers companies an innovative approach to cybersecurity with Bug Bounty (pay-per-vulnerability discovered), connecting more than 40,000 cybersecurity experts (ethical hackers) across 170 countries with organisations to secure their exposed scopes and reporting vulnerabilities in their websites, mobile apps, infrastructure and connected devices.
YesWeHack runs private (invitation based only) programs and public programs for hundreds of organisations worldwide in compliance with the strictest European regulations.
In addition to the Bug Bounty platform, YesWeHack also offers: a creation and management solution for Vulnerability Disclosure Policy (VDP), a Pentest Management Platform, a learning platform for ethical hackers called Dojo and a training platform for educational institutions, YesWeHackEDU.