Southeast Asia eCommerce platform Lazada launches public bug bounty program with YesWeHack
Southeast Asia's leading eCommerce platform Lazada announces the launch of a public bug bounty program with YesWeHack to identify vulnerabilities, after running a successful 18-month-long private program. Since January 2020, Lazada has been working with ethical hackers to detect security vulnerabilities in its IT environment as part of a private bug bounty program, and is now opening the program to the entire cybersecurity community.
With the launch of this public Bug Bounty program, Lazada is making a statement to the eCommerce industry, and highlighting the priority it places on security and transparency for its customers and partners, by offering security researchers up to US$10,000 per bounty.
Protecting customer data is a top priority
Founded in 2012 and headquartered in Singapore, Lazada is one of the leading e-commerce platforms in Southeast Asia and was acquired by Alibaba Group in 2016. The company, which has operations in Indonesia, Malaysia, the Philippines, Singapore, Thailand and Vietnam, also offers logistics, retail technology and payment services solutions, in addition to LazMall, the region’s largest virtual mall with over 18,000 brands.
Since the launch of its private bug bounty program, Lazada has worked with over one hundred ethical hackers to surface vulnerabilities, and has awarded over US$150,000 in bounties to security researchers. This includes a pre-launch event for the public program, during which hackers from the YesWeHack community identified vulnerabilities within 48 hours.
“Given the importance of data and personal information, Lazada takes great care in protecting our customers and we have worked to patch these vulnerabilities, to ensure a safe shopping platform. With the evolving nature of data security, as well as the aggressive nature of hackers who exploit technology to steal data, we believe in working with the larger cybersecurity community to strengthen our IT ecosystems,” says Alan Chan, Chief Risk Officer of Lazada Group.
“Since working with YesWeHack, we have improved our security by enhancing our Secure Software Development Process, to avoid the same type of vulnerability coming up again. It has been very useful to verify with the wider researchers that our security monitoring can catch exploitation of vulnerabilities.”
Up to US$10,000 reward for reports on critical vulnerabilities
Lazada is now taking additional steps in providing transparency and security to its customers, by transferring the areas previously tested in the private program to a public program. This allows cybersecurity researchers from all over the world to participate in the program and report vulnerabilities to the eCommerce platform.
Furthermore, special attention will be paid to vulnerabilities that affect personal data and have severity levels of "high" or "critical". For submitted reports on critical vulnerabilities, Lazada will pay out up to US$10,000 to security researchers. More information on the public bounty program can be found here.
“By launching this latest public bug bounty program, we are sending a clear message to everyone, that we value the importance of data in our possession. We believe in the expertise of the YesWeHack community and are excited to continue to work with ethical hackers in identifying new attack methods and countering them. This is about protecting our data, protecting our employees and protecting our customers against vulnerabilities,” says Franck Vervial, Head of Cyberdefence at Lazada.
“YesWeHack is delighted to partner with Lazada and expand our market in Asia, and to ensure their e-commerce platform and its customers are protected against increasingly sophisticated cyber threats,” says Kevin Gallerin, Managing Director, APAC at YesWeHack. “The switch to a public program follows over 18 months of collaboration, during which our global community of researchers has demonstrated its effectiveness and broad spectrum of skills. By reaching out to a broader community, Lazada strengthens its security, and champions transparency and data privacy and protection, ultimately building and maintaining the trust and experience of the several million users across APAC.”