Jet.com takes security seriously. One of the first major retailers to launch a bug bounty program more than two years ago, Jet.com began with a private bug bounty program, harnessing a small, curated group of Bugcrowd researchers before launching its public program to the full crowd just four months later.
The results speak for themselves. In the last two years, Jet has rewarded 171 security vulnerabilities through the Bugcrowd platform, many of which were missed by scanners and penetration testers.
But as a security leader, Jet.com understands that to optimize their vulnerability assessment program, they need to continue drawing the best, most creative researchers to their program and reward them for finding the most critical vulnerabilities. That’s why Jet.com has increased rewards for mobile vulnerabilities, adding a 25% incentive for vulnerabilities discovered on mobile targets.
“The security and privacy of our customers’ and partners’ data is paramount to Jet’s success,” said Eran Feigenbaum, CISO at Jet.com. “With the vast influx of mobile devices and users utilizing our services, identifying vulnerabilities early is more important than ever. We want to encourage the mobile research community to take an extensive look at our products. Here at Jet, we feel that security should be a close partnership between our information security engineers and the security research community, something our bounty program with Bugcrowd helps facilitate.”
With rewards ranging from $100 – $15,000, Jet.com has already created a competitive scope and reward model. By adding the mobile incentive, Jet.com has demonstrated that they understand the nuances involved in making a program truly effective. This isn’t the first time Jet.com has increased rewards — just last year they announced they were adding mobile applications to their scope and increasing their maximum reward from $2,500 to $15,000 to “attract more of the world’s top security talent, and express our commitment to the security research community.”
As the market matures, more organizations are implementing a crawl, walk, run approach to vulnerability pricing. Of the hundreds of programs we’ve managed, we’ve seen a clear trend of companies initially launching private programs, taking those programs public, and then increasing rewards. At Bugcrowd, we are committed to building and maintaining healthy relationships between the organizations running crowdsourced security programs and the security research community. This is why we set the market’s first rate for security vulnerabilities with our ‘Defensive Vulnerability Pricing Model’.
Informed by tens of thousands of vulnerability submissions and years of running public and private crowdsourced security programs, the resulting pricing model gives a much clearer picture of what a bug is worth and supports an ecosystem that benefits both the builders and the breakers.