Lazada to reward ethical hackers up to US$10k in new public bounty initiative

Lazada has launched a public bug bounty programme in collaboration with YesWeHack, a global bug bounty and vulnerability disclosure policy platform, to identify vulnerabilities. Under this programme, the eCommerce firm is offering security researchers up to US$10,000 per bounty in a bid to highlight the priority it places on security and transparency.

According to Lazada, it has worked with over 100 ethical hackers to surface vulnerabilities and has awarded over US$150,000 in bounties to security researchers since the launch of its private bug bounty programme last January. This included a pre-launch event for the public programme that saw hackers from the YesWeHack community identify vulnerabilities in 48 hours. It is now opening the programme to the entire cybersecurity community.

It is also currently taking additional steps in providing transparency and security to its customers, by transferring the areas previously tested in the private programme to a public programme. This seeks to allow cybersecurity researchers worldwide to participate in the programme and report vulnerabilities to the eCommerce platform. Special attention will be paid to vulnerabilities that affect personal data and have severity levels of "high" or "critical". MARKETING-INTERACTIVE has reached out to Lazada for more information.           

Alan Chan, chief risk officer of Lazada Group, said that it believed in working with the larger cybersecurity community to strengthen its IT ecosystems, due to the evolving nature of data security and the aggressive nature of hackers who exploit technology to steal data. “We have improved our security by enhancing our secure software development process to avoid the same type of vulnerability coming up again. It has been very useful to verify with the wider researchers that our security monitoring can catch exploitation of vulnerabilities,” Chan added.             

Kevin Gallerin, MD of APAC at YesWeHack, said that the partnership with Lazada also expands its market into Asia. He added: “By reaching out to a broader community, Lazada strengthens its security, champions transparency and data privacy and protection. Ultimately, building and maintaining the trust and experience of the several million users across APAC.”

Lazada encountered a data breach in Singapore last October involving a RedMart-only database hosted on a third-party service provider. According to the brand, the information that was illegally accessed included the names, phone numbers, emails, addresses, encrypted passwords and partial credit card numbers of RedMart customers. However, the eCommerce firm previously said that the data hosted is more than 18 months out of date, as it was last updated in March 2019. The data was also said to be used on the previous RedMart app and website, which are no longer in use. It also stressed that its customer data in Southeast Asia was not impacted by the incident.

Separately, Lazada is currently promoting the Great Singapore Sale as the eCommerce partner of the Singapore Retailers Association (SRA). According to SRA, this is the first time in the 27-year history of the GSS that it has an eCommerce partner, and more than 1,000 of its members will be participating.
