YesWeHack, the global Bug Bounty & VDP platform, held its first Singapore Live Bug Bounty event on 25-26 August 2022. We partnered with Lazada Group, Southeast Asia’s leading eCommerce platform, to host these two days of concentrated hacking at HITBSecConf 2022 – Singapore.
Lazada’s partnership with YesWeHack
🙌 The story of how it all began:
Founded in 2012, Lazada Group is Southeast Asia’s leading eCommerce platform and the regional flagship of Alibaba Group. With a presence in six countries – Indonesia, Malaysia, the Philippines, Singapore, Thailand and Vietnam – it connects this vast and diverse region through its technology, logistics and payments capabilities. Today, it has the largest selection of brands and sellers, and by 2030, it aims to serve 300 million customers.
Being in the fast-paced eCommerce industry, Lazada must always be ready to evolve its security environment to prevent cyber-attacks. For this very reason, and with its commitment to building a safe and trusted platform for its customers and brand partners, Lazada has chosen to launch a Bug Bounty program with YesWeHack.
“Our work environment is very fast-paced. We launched our Bug Bounty program two years ago to prevent problems from being introduced to our secure environment. We actively work with the security researchers community to ensure that we can use the feedback and findings that we receive from them to continuously improve our internal process.” explains Yuezhong Bao, Head of Cybersecurity, Lazada Group
The journey to better cybersecurity
👣 Lazada’s journey with Bug Bounty throughout the years
Lazada first embarked on its Bug Bounty journey with us in January 2020. From there, it launched a private Bug Bounty program and engaged a selected pool of 20 security researchers at launch, which grew to 100+, to discover security vulnerabilities in its IT environment.
In June 2021, Lazada launched a full-on public Bug Bounty program that invited over 40,000 researchers to hack into its systems under specific scopes and rules, with attractive bounties up to US$10,000! An exclusive, remote, invite-only Live Bug Bounty event with 40 handpicked researchers was also held just before the public program’s launch.
What prompted the Live Bug Bounty event?
The Lazada security team had received many insightful vulnerability reports over the years, allowing them to continuously improve the security posture of Lazada. Researchers’ findings had also helped Lazada’s security team members grew in their own skill sets. Lazada, however, wished to reach even greater levels of security and meet face-to-face with the researchers they had been communicating with remotely for years. As a result, in August 2022, they organised Open My Heart, an in-person 30-hour Live Bug Bounty event, inviting researchers from Europe, APAC, and all over the world to visit Singapore to participate.
Rather than communicating remotely, researchers could ask questions directly to the Lazada and YesWeHack teams on-site. The researchers also met with one another and discovered new vulnerabilities and exploitations faster by combining their knowledge and skills.
“You could speak with the Lazada team every time, at the venue. Every question you had, everything you needed to know, they would help you right away.” said NAGLI aka Gal Nagli
“Having some of the best security researchers in the world in the same room as us was an exceptional opportunity to learn and exchange.” said Bruno Demarche, who leads the Red Team & Security Testing Team at Lazada Group
❤️ Lazada really opened its heart to the researchers
The Lazada team went all out for the event! To allow the participating researchers of the Live Bug Bounty to fully enter their systems and extensively test their applications, they voluntarily disabled a number of essential security mechanisms for them during a specified period during the event. Researchers were also given access to bypass Web Application Firewalls (WAF), allowing them to hack into Lazada’s sites and services.
“Lazada’s scope was a huge playground. Besides the fact that I enjoy hacking on a complete eCommerce ecosystem, from buyer to seller with all of the little apps surrounding it, having the freedom to choose your target in such a huge scope is really great.” said Doomer aka Victor Louis Poucheret
“Accomplishing a live program on this scale demonstrates Lazada’s commitment to security and progressive stance towards bug bounties. By engaging with the broader community, the eCommerce giant is placing an unprecedented level of trust in ethical hackers to better strengthen their security, transparency, as well as data privacy and protection. We are delighted to be able to contribute to yet another successful collaboration with Lazada.” said Kevin Gallerin, CEO, APAC, YesWeHack
A healthy (and fierce!) competition among researchers
🏆 A fierce battle towards the very last minute
A few researchers had already gathered on the event site to get ready for the Live Bug Bounty’s launch on Thursday, 25 August, at 10:00am SGT.
A fierce competitive start was made by Michael Gianarakis &Shubham Shah from Assetnote, with fifteen submissions within an hour! Doomer and Naash followed closely behind throughout the event, and it was a fierce battle between the three players. As the event drew to a close on 26 August, Friday, 4:00pm SGT, Doomer’s late but exponential ascent with several bugs chains, earned him the top title!
“I already had the chance to participate in a previous private event with Lazada and kept an awesome memory of it. I just LOVE how YesWeHack always manages to organise top-tier events, but most importantly, gets the right clients in a well-managed live hacking. There were quite some known hackers at the event and it’s always fun to meet and challenge each other and share knowledge and awesome techniques! To be honest, I was scared when I saw the huge early rush of Assetnote! But I stuck to the magic solution: Enjoy the moment 🙂 There are always a lot of bugs to be found, even on public, hardened scopes and it’s cool to see others making it to the top. So basically, forget everything and just hack with a positive mindset! These 30 hours were really fun. You know, at BZHunt, we always wanted to keep Bug Bounty and live events as a part of our daily activities. It is quite a unique feeling to be able to “forget everything” and just enjoy the pure pleasure of hacking, the adrenaline of the event and the pleasure to share this moment with others. It was also quite cool to see some new names participating in the event. Glad to see newcomers participating and finding bugs, and happy to see how YesWeHack expands and popularises ethical hacking in SEA.” said Doomer aka Victor Louis Poucheret
“It was a lot of fun, and I enjoyed working with Lazada. They were excellent to work with and had been very responsive to our feedback. It was great hanging out with all the people from YesWeHack and all the Bug Bounty hunters.” said Shubham Shah from Assetnote
“This was my first ever Live Bug Bounty with YesWeHack (unfortunately virtual) and I was lowkey nervous about it because I did see a few big names from the community whom I regularly follow and look up to. The bunch of test accounts that were provided to us were pretty much a good scope for me to toy around with little to no sleep. Yes, I absolutely had fun. 😄” said Naaash aka Avinash Sudheer
It’s a wrap!
👍 Lazada had a wonderful experience
“It was interesting to meet the hunters in person for the first time at the Live Bug Bounty event. In addition to seeing our friends from the researchers’ community, we also met a lot of new talents. The researchers had provided us with a lot of interesting and unexpected feedback and findings after this event. Fresh ideas are always welcome. I personally learned a lot from the Live Bug Bounty. It broadens our perspective to meet so many smart hunters. To evolve Lazada’s security posture, we can once again count on the researchers for new feedback.” said Audi Sugianto, Senior Associate, Application Security and Security Testing, Lazada Group
✅ In total, 115 vulnerabilities reports were submitted.
📹 Would you like to learn more about Open My Heart – Live Bug Bounty event? We captured all highlights and moments in an exciting video. Watch it now!
Founded in 2015, YesWeHack is a global Bug Bounty and VDP Platform. YesWeHack offers companies an innovative approach to cybersecurity with Bug Bounty (pay-per-vulnerability discovered), connecting more than 40,000 cybersecurity experts (ethical hackers) across 170 countries with organisations to secure their exposed scopes and reporting vulnerabilities in their websites, mobile apps, infrastructure and connected devices.
YesWeHack runs private (invitation based only) programs and public programs for hundreds of organisations worldwide in compliance with the strictest European regulations.
In addition to the Bug Bounty platform, YesWeHack also offers: a creation and management solution for Vulnerability Disclosure Policy (VDP), a Pentest Management Platform, a learning platform for ethical hackers called Dojo and a training platform for educational institutions, YesWeHackEDU.
Media Contact: firstname.lastname@example.org
About Lazada Group
Lazada Group is Southeast Asia’s pioneer eCommerce platform. For the last 10 years, Lazada has been accelerating progress in Indonesia, Malaysia, the Philippines, Singapore, Thailand and Vietnam through commerce and technology. Today, a thriving local ecosystem links about 160 million active users to more than one million actively-selling sellers every month, who are transacting safely and securely via trusted payments channels and Lazada Wallet, receiving parcels through a homegrown logistics network that has become the largest in the region.
With a vision to achieve USD100 billion annual GMV, Lazada aims to serve 300 million shoppers by 2030, and be the best at enabling brands and sellers in digitalizing their businesses.
In 2022, the Lazada Foundation was set up to empower youths and women for the digital future, close the gender digital divide and uplifting communities by creating positive impact. More information can be found here https://group.lazada.com/en/foundation/.
Want to discuss crowdsourced security with our experts?