Lazada has been working with ethical hackers for one and a half years to detect security vulnerabilities in its IT environment as part of a private bug bounty program. The e-commerce platform is now opening the program to the wider cybersecurity community through a public YesWeHack bug bounty program.
Lazada is offering security researchers up to $10,000 per bounty. The program was established to underscore its commitment to security and transparency for customers and partners.
“Given the importance of data and personal information, Lazada takes great care in protecting our customers and we have worked to patch these vulnerabilities, to ensure a safe shopping platform,” said Alan Chan, chief risk officer of Lazada Group. “With the evolving nature of data security, as well as the aggressive nature of hackers who exploit technology to steal data, we believe in working with the larger cybersecurity community to strengthen our IT ecosystems.”
Lazada launched the private bug bounty program in January 2020, working with over a hundred ethical hackers. So far, the e-commerce platform has awarded over $150,000 in bounties to security researchers. This includes a pre-launch event for the public program, in which hackers from the YesWeHack community identified vulnerabilities within 48 hours.
“Since working with YesWeHack, we have improved our security by enhancing our Secure Software Development Process, to avoid the same type of vulnerability coming up again,” Chan said. “It has been very useful to verify with the wider researchers that our security monitoring can catch exploitation of vulnerabilities.”
According to Lazada, the areas previously tested in the private program will soon be transferred to the public program, enabling cybersecurity researchers from all over the world to participate and report vulnerabilities to the e-commerce platform.
“This is about protecting our data, protecting our employees, and protecting our customers against vulnerabilities,” said Franck Vervial, head of Cyberdefence at Lazada.
Lazada said that it will closely monitor vulnerabilities that affect personal data and have severity levels of “high” or “critical.” For submitted reports on critical vulnerabilities, Lazada will pay security researchers up to $10,000.
Founded in 2012 and headquartered in Singapore, Lazada is one of the leading e-commerce platforms in Southeast Asia and was acquired by Alibaba Group in 2016. The company, which has operations in Indonesia, Malaysia, the Philippines, Singapore, Thailand, and Vietnam, also offers logistics, retail technology, and payment services solutions, in addition to LazMall, the region’s largest virtual mall with over 18,000 brands.