When Andrew Dunbar started at Shopify in 2012, he was the only security team member.
Now, in his role as Director of Risk & Compliance, he oversees a team of people, all focused on protecting the 500,000+ Shopify merchants who have done over $40B in sales to date.
Dark Reading’s Kelly Sheridan recently sat down with Andrew for a Q&A talking about Ecommerce security and their bug bounty program hosted on HackerOne.
We’ve pulled some of our favorite quotes that Andrew provided on running a successful bug bounty program.
“Shopify already has a developer community where people can create and test online stores. It [Shopify] expanded this program to add a new type of “white hat” partner, who could create stores with the same infrastructure as merchants. This provided a means for bug hunters to test vulnerabilities without affecting any of Shopify’s users.”
“Start with a private program and fewer researchers so you get a sense of the types of reports you’ll receive. We ran our program for about a year so we knew which reports were valid. If you go public, be ready to handle a massive surge in reports.”
“Scope is incredibly important. Make sure you know what properties are going to be in scope; which vulnerabilities you’ll accept.”
Read the full article: Shopify Risk Director Talks Ecommerce, Bug Bounty Program on DarkReading.com.
Shopify also participated in our h1-415 live-hacking event. Watch Andrew talk to us about their experience at the event held at our San Francisco headquarters.
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.