14 June 2021 at 13:45 UTC
Updated: 15 June 2021 at 07:32 UTC
Popular online shopping platform is offering up to $10k for ‘max critical’ vulnerabilities
E-commerce platform Lazada has launched its first public bug bounty program with YesWeHack.
The website, which was founded in Singapore but serves countries across Southeast Asia, is offering up to $10,000 for successful vulnerability reports.
It comes after a previously private program, launched in January 2020, that has already paid out around $150,000 in rewards.
In a statement, Lazada said it hopes that the program will make a statement to the e-commerce industry, “highlighting the priority it places on security and transparency for its customers and partners”.
A detailed list of the vulnerabilities and applications that are in scope can be found on YesWeHack’s website.
A spokesperson from YesWeHack told The Daily Swig that while there has been a recent uptake in bug bounty programs across Southeast Asia, they have mainly been available on an invite-only basis.
The spokesperson explained: “They are less willing to initiate public programs as it is not as common as in Europe and the United States.”
High-impact vulnerabilities such as remote code execution or any bug that can lead to financial losses for Lazada, its sellers, and customers are due a payout of $3,000, while ‘max critical’ bugs that could lead to a large-scale data leak are eligible for the maximum reward of $10,000.
“Lazada is, first and foremost, looking for vulnerabilities that could affect their customers’ privacy,” said YesWeHack.
Lazada is also looking for bugs that affect its business integrity or continuity, “although, any flaw that could demonstrate a direct impact on their security and their users would be handled with due consideration”.
Franck Vervial, head of cyber defense at Lazada, said: “By launching this latest public bug bounty program, we are sending a clear message to everyone, that we value the importance of data in our possession.
“We believe in the expertise of the YesWeHack community and are excited to continue to work with ethical hackers in identifying new attack methods and countering them.
“This is about protecting our data, protecting our employees, and protecting our customers against vulnerabilities.”