Reducing risk is fundamental to Wix’s approach to cybersecurity, and as the threat landscape evolves, they turn to HackerOne Bounty to protect their security posture. Since 2018, Wix has invited tens of thousands of ethical hackers worldwide to ensure new and existing features are secure. We recently met with two Wix security team members to learn how they leverage ethical hackers to detect risks before they become threats and how vulnerability insights help strengthen their security posture.
Tell us who you are.
Ifat: I’m Ifat Kooperli, and I lead the Vulnerability Management domain in the Wix Application Security team. My responsibilities include the Wix Bug Bounty Program, penetration tests, and using other tools to measure our security posture for applications developed in-house.
Amit: I’m Amit De-Paz, and I lead the Wix Bug Bounty Program decision-making and internal investigations of submitted reports from our external researchers. My day-to-day includes reviewing those reports, doing penetration testing, advising our developers on how to address application vulnerabilities, and providing constant measurement of our security posture.
Ifat and I are part of a larger dedicated security team at Wix. Every Wix site has built-in enterprise-grade protection and 24/7 security monitoring, so users can stay focused on growing their online presence.
Why is cybersecurity so crucial to Wix?
Ifat: As a website creation platform, Wix allows anyone—whether they have no technical experience or they’re longtime experts—to create a professional website that will meet their needs. Our templates, features, and designs cater to various users, including bloggers, photographers, shop owners, and much more. Cybersecurity is a top priority for us because we want all Wix users to feel confident that their website is protected without any additional effort on their part.
Internally, Wix is divided into companies, which enables us to develop and deliver new functionalities and applications that suit our clients’ unique needs. Each company takes care of their own application and desired functionalities. Due to this diversity and scale, the security posture can be very complex. We rise to the challenge because we want everyone to be able to bring their idea online and benefit from the same rigorous security measures across our entire platform.
How do hackers help you reduce business risk?
Ifat: Wix has over a thousand developers, and changes to the code and new features are deployed almost every minute. We invest significant effort and resources into ensuring secure coding and aligning with industry best practices.
With our bug bounty program, which includes tens of researchers who are constantly looking for ways to hack our environment, every new and existing feature is being given the necessary attention to ensure it’s secure. By examining our researchers’ findings, we learn about our weak spots—both in specific features and laterally—when we see the same issue repeatedly across the platform. And when we see the same vulnerability repeatedly, we examine the root cause and find out how it can be mitigated across the platform. We do this by developing internal security libraries, addressing the vulnerability in threat modeling sessions, or conducting secure development training for new developers.
How do hackers help you identify gaps in processes?
Amit: The scope we provide our researchers allows them to focus on the most critical aspects of security on our platform. Any report that gives us insights into exploiting issues or bypassing current implementations will help us align to industry best practices.
How do hackers help with application security?
Ifat: Our bug bounty program has been running for over four years, and some researchers have been working with it since its earliest days. Researchers are integral to our application security because they have a deep understanding of our platform. The findings they submit are incredibly valuable to us because they can identify exactly what causes a problem, and our team can then focus on how it should be solved.
How do you recommend working with hackers?
Amit: It’s important to communicate regularly with your researchers. For example, we built a Slack channel for our top bug hunters, which allows us to focus this group of experienced researchers on the most valuable aspects of our platform.
We also recommend varying the scope of research to fall somewhere between being too general and too specific. This allows our researchers to find public vulnerabilities that they couldn’t see if our scope was too narrow.
You can also create ‘Bonus Events’ to focus your researchers on specific applications—and, of course, giving them a bonus bounty will make them even more motivated to find your application’s most significant vulnerabilities.
How do you quantify working with hackers?
Amit: Every vulnerability found in our bug bounty program is documented in our internal systems. The issues are analyzed according to their severity, vulnerability type, and the bounty amount. With all this information gathered, we can make data-based decisions to improve our security posture. Each vulnerability that we identify and address is invaluable for our business and users.
What advice would you give other organizations?
Ifat: We strongly recommend having a bug bounty program. With an unlimited number of researchers looking for vulnerabilities in our platform at all times, we can offer a secure platform to our users.
Support from a triage team is one of the many advantages of having a bug bounty program on HackerOne. The triage team comprises experienced cybersecurity specialists who handle the incoming reports. Knowing our platform, technologies, various user types, and use cases, they can determine whether an issue poses a security risk or not. If a report is unclear, they ask the researcher to provide all the relevant information.
By the end of the process, they provide us with a complete summary of the issue and step-by-step instructions for reproducing it. It saves us a lot of time, and we can devote our attention to solving the issue.
It’s also important to keep researchers engaged and aware that you value their work. Open communication on the HackerOne platform and other channels, sending branded swag, and other gestures can help your company build a relationship with your researchers.
Is there anything that sets apart your bug bounty experience with HackerOne, or why did you ultimately choose to partner with HackerOne?
Amit: HackerOne is one of the most popular platforms for bug bounty programs. It consists of a wide community of security researchers, including some of the most well-known names in the industry. By having a large number of eyes on our product, we are confident that if there is a flaw in it, it will be discovered in no time.
Moreover, the entire HackerOne team, from the triage team to the program managers, is highly experienced. It helps us set and achieve our goals every year and address issues quickly and efficiently, and it assists whenever a problem arises.
What will long-term success look like for you?
Amit: This year, we’re focused on increasing the number of core researchers in our bug bounty program—the ones who know our platform from top to bottom and find high-severity issues.
We’re also considering becoming a public program in the future, which would grow our pool of researchers and allow us to cover a bigger surface area than in a private program. Ultimately, the more skilled researchers who are able to test our products, the better our platform’s security posture will be. With a public program, we’d also be able to release reports and share more information about our constant efforts around platform security.
Anything else you’d like to share?
Ifat: At Wix, we take a proactive approach to platform security because protecting our users is critical. We’re grateful to work with HackerOne’s expert community of researchers, who help us give our users peace of mind and the freedom to stay focused on growing their online presence. We want to thank our bug bounty researchers—we deeply appreciate your work and efforts.