As a young, technology-driven organization, we’ve known from the beginning how important it is for our security team to use the best products and resources, both internal and external, in order to commit to the highest standard of product security. “Our biggest asset at Jet is our members’ trust, so we take protection of their data very seriously. Everyone at the company, from the security engineers, to the marketing people, to the Jet Heads in the call center, is aware that keeping that trust is a paramount concern,” said Mike Hanrahan, CTO of Jet.com. To that end, we’ve diligently secured customer data, worked with multiple third-party security vendors, and, more recently, tapped into the largest crowd of security experts in the world.
Starting in February 2015 when we launched our first private bug bounty program with Bugcrowd, we’ve seen the value in leveraging the skills and techniques of ethical hackers. We started off with a small private crowd, and worked our way to a public program in June 2015. In that time, we have rewarded 97 security vulnerabilities through the Bugcrowd platform, including some pretty obscure bugs that many pen testers and automated scanners would have overlooked.
In the past year we have learned a great deal from the crowd, improved our secure coding practices, and optimized our vulnerability remediation process. Having this constant feedback channel is invaluable. At first the feedback was overwhelming, and admittedly it took us some time to address the submitted issues. Today we generally review every new submission on the same day it is reported, then prioritize and resolve it accordingly. We’ve gotten a lot of value from the types of findings researchers have submitted, which is why we’re both expanding the scope that researchers can test against and increasing our reward range. Our scope will now include our mobile applications, and we are increasing our maximum reward from 15,000 so as to attract more of the world’s top security talent and express our commitment to the security research community.
View our full program brief here, which now includes our mobile applications.