Popular online shopping platform is offering up to $10k for ‘max critical’ vulnerabilities

E-commerce platform Lazada has launched its first public bug bounty program with YesWeHack

The website, which was founded in Singapore but serves countries across Southeast Asia, is offering up to $10,000 for successful vulnerability reports.

It comes after a previously private program, launched in January 2020, that has already paid out around $150,000 in rewards.

In a statement, Lazada said it hopes that the program will make a statement to the e-commerce industry, “highlighting the priority it places on security and transparency for its customers and partners”.

A detailed list of the vulnerabilities and applications that are in scope can be found on YesWeHack’s website.

Public offering

A spokesperson from YesWeHack told The Daily Swig that while there has been a recent uptake in bug bounty programs across Southeast Asia, they have mainly been available on an invite-only basis.

The spokesperson explained: “They are less willing to initiate public programs as it is not as common as in Europe and the United States.”



High-impact vulnerabilities such as remote code execution or any bug that can lead to financial losses for Lazada, its sellers, and customers are due a payout of $3,000, while ‘max critical’ bugs that could lead to a large-scale data leak are eligible for the maximum reward of $10,000.

“Lazada is, first and foremost, looking for vulnerabilities that could affect their customers’ privacy,” said YesWeHack.

Lazada is also looking for bugs that affect its business integrity or continuity, “although, any flaw that could demonstrate a direct impact on their security and their users would be handled with due consideration”.



Franck Vervial, head of cyber defense at Lazada, said: “By launching this latest public bug bounty program, we are sending a clear message to everyone, that we value the importance of data in our possession.

“We believe in the expertise of the YesWeHack community and are excited to continue to work with ethical hackers in identifying new attack methods and countering them.

“This is about protecting our data, protecting our employees, and protecting our customers against vulnerabilities.”

