SolisImages - stock.adobe.com

Lazada rolls out public bug bounty programme

Regional e-commerce giant Lazada is looking to uncover more vulnerabilities that could compromise data security in a public bug bounty programme that offers up to $10,000 per bounty

Lazada, the Southeast Asian e-commerce juggernaut, abides by a set of processes to detect software vulnerabilities during the software development lifecycle, but the rapid pace of change makes it difficult to test every new application release.

That was why it started a private bug bounty programme 18 months ago to increase its chances of detecting software vulnerabilities and augment the work of its penetration testing teams. Having reduced the number of vulnerabilities since then, it recently extended the initiative to a bigger pool of security researchers through a public bug bounty programme.

Teaming up with YesWeHack, a global bug bounty and vulnerability disclosure platform, Lazada is now offering security researchers up to $10,000 per bounty, with focus on data security. Franck Vervial, head of cyber defence at Lazada, said the eye on data comes amid growing interest in customer data among cyber criminals.

In October 2020, the personal data of Lazada’s RedMart customers hosted on a third-party service provider was reportedly compromised in a data breach. The data was used by a decommissioned RedMart app and website. RedMart, a Singapore online grocer backed by Facebook co-founder Eduardo Saverin, was acquired by Lazada in 2016.

Vervial said the private bug bounty programme was already in place when the data breach occurred and that the public programme was not a response to the incident. “It’s not related but protecting data is not something new and the previous incident shows that customer data is what cyber criminals are looking for,” he added.

That a customer dataset hosted on a third-party service was compromised underscores the challenges that organisations continue to face in mitigating supply chain attacks, which have come under the spotlight in the aftermath of several high-profile incidents.

“You can protect your company, but you don’t have control, or limited control, over your partners – and you need to share data with your partners. This is a challenge for e-commerce companies,” Vervial said, adding that Lazada is looking to involve some partners in its bug bounty programme in future.

Since the launch of its private bug bounty programme, Lazada has worked with more than 100 ethical hackers to surface vulnerabilities, awarding over $150,000 in bounties to security researchers.

The vulnerabilities include zero-day flaws in Lazada’s own applications, as well as two zero-day vulnerabilities in an application built by a third-party software vendor. The findings were disclosed to the supplier which was asked to fix the flaws.

With information on the vulnerabilities on hand, Lazada has started to improve its software development processes.

“If an application is more vulnerable than others, we’ll try to understand why and give feedback to the development team,” Vervial said. “We’ll train them to avoid those kinds of vulnerabilities and over time improve the security of the application.”

For vulnerabilities that are discovered repeatedly, Vervial said Lazada will look at improving its internal tools or including the flaws to be tested in penetration tests.

So far, Lazada’s public bug bounty programme has drawn security researchers not only from the private programme and but also other researchers on the YesWeHack platform, mostly in the Asia-Pacific (APAC) region and Singapore, according to Kevin Gallerin, APAC managing director at YesWeHack.

Gallerin said security researchers on YesWeHack’s platform are subject to background checks and will need to demonstrate their capabilities over a period of time before they are invited to participate in sensitive or private bug bounty programmes such as Lazada’s.

Read more about cyber security in APAC

  • Security experts at Black Hat Asia 2021 discuss the state of ransomware and supply chain attacks, two of the most common attack vectors that offer high returns for threat actors.
  • ViewQwest’s SecureNet service uses Palo Alto Networks’ next-generation firewall with deep packet inspection capabilities to guard against cyber threats.
  • Australia’s Channel Nine was taken off the air by a cyber attack on its IT systems that disrupted live broadcasts out of its Sydney broadcasting facility.
  • Security operations teams in India and Japan see the increased volume of cyber threats as their biggest challenge amid the Covid-19 pandemic.

Next Steps

HackerOne launches AWS certification paths, pen testing service

Read more on Hackers and cybercrime prevention