ConfPad

This session will build on Shopify's 2017 Year in Review bug bounty blog post and dive into the details of running one of the most successful and responsive public programs on HackerOne. To date, the Shopify bug bounty program has resolved 489 reports from 301 hackers, after having operated an independent bounty program for two years. Offering one of the highest minimum bounties on the platform makes Shopify an attractive target for hackers of all skill levels. This creates an additional workload, particularly having to respond to invalid reports and help new hackers level up. Despite that, Shopify continues to exceed HackerOne SLA requirements and is steadily building awesome relationships with top level hackers. In this session, we'll discuss how to run a successful bounty program that complements existing security strategies, why it's important to proactively disclose reports publicly and what hackers look for from a bounty program to keep them working on your program.