‘Bug Bounty helps us meet regulatory requirements ahead of time’: payments provider KOMOJU

November 18, 2025


A Bug Bounty Program has helped KOMOJU “validate our security in real-world conditions, revealing how effective controls and mitigations truly are once systems are exposed to real users and environments”.

This is according to Eric Evangelista, who manages the program for KOMOJU, a global payment service. Eric is lead security engineer and cybersecurity and IT team lead at the Tokyo-based company.

In an interview about the company’s experience with crowdsourced security testing, three years into its partnership with YesWeHack, he also discusses, among other things:

  • The unsung compliance benefits of Bug Bounty
  • How YesWeHack’s platform, attentive support and time-saving triage make Bug Bounty viable even for organisations with modest security resources
  • And that if security researchers from around the world can’t find bugs, “pentesters most likely also won’t”

KOMOJU launched a private program in September 2022. The company launched a Vulnerability Disclosure Policy (VDP) through YesWeHack a year later and then launched a public Bug Bounty Program at the start of 2025.

The KOMOJU payment gateway helps businesses facilitate cross-border e-commerce transactions by accepting local payment methods in Asian and European markets, as well as Brazil, through a single, simple integration.

LAUNCH & SCALEUP

Please tell us about your security ethos.

Eric Evangelista: As KOMOJU grew from simplifying payments in Japan to serving merchants worldwide, we recognised very early that security is fundamental to earning and maintaining trust.

Our commitment to securing our customer data and business processes through our applications and responsible practices supports everything we do as a global payment provider.

Why did you launch a Bug Bounty Program (BBP)?

EE: As KOMOJU grew, we realised that, although we had a team committed to following and applying security practices, we didn’t have all the necessary skills to comprehensively test all corners of our solutions. This is what brought us to consider launching the program, and we have never regretted it.

How well has your BBP integrated with your wider security operations?

EE: Thanks to our talented and security-conscious team, the integration was seamless.

We hear from industry experts that having a BBP should only be considered by mature organisations where security operations are concerned. The KOMOJU team decided to take a leap of faith and, although we didn’t have a consolidated security operations team yet, everyone was engaged and determined to make the program work.

When you have a team of talented engineers, security becomes a collective effort. Initially, the challenges were to understand the testing procedures used by the researchers and triagers, but that also gave us an opportunity to learn more about pentesting in general.


Why did you decide to make the Bug Bounty Program public?

EE: We wanted to have as many hunters as possible testing our solutions.

A private program is great and helped us to gauge our response and load capabilities, and to give us more confidence, as we weren’t sure what to expect in terms of exposure. Some important bugs were discovered in our controlled environment, but we felt that if we really wanted the full picture, we should open up to anyone willing to participate.

Making it public also reduced friction for hunters, by only requiring them to register with YesWeHack. Then they can just create an account in our application and start testing right away.

CRITICAL SECTORS, SECURITY MATURITY

How well does Bug Bounty align with your security needs in a FinTech sector where cyber-attacks can have significant adverse consequences?

EE: Online financial services will always be a target for fraudulent activities, and vulnerabilities are exploited mercilessly. The fact that we can offer an environment in which any YesWeHack hunter can try and find vulnerabilities is an invaluable thing.

Security failures in this domain specifically can damage trust in the service and cause serious problems for our customers and consumers.

Adding to that, we have compliance obligations in our industry, with recurring mandatory pentesting. The Bug Bounty Program helps us be better prepared and meet regulatory requirements ahead of time.

How challenging is Bug Bounty for organisations with limited security resources or a low level of security maturity?

EE: In our view, the size of the scope has a direct relation to how manageable the program is going to be. Having a dedicated team to communicate with hunters and developers can help speed things up, but we kept things very tight, requiring only a couple of hours per month to fully manage the program.

Also, the support a platform offers can offset team shortcomings. Sometimes teams get busier, and that’s fine. We believe most hunters understand that a report may take time to get a response. Some don’t, but this should never discourage you from trying to improve the security of your product, although managing hunters’ expectations is just as important to sustain their engagement over time.

SUPPORT FROM YESWEHACK & HUNTERS

Why did you choose YesWeHack over other platforms?

EE: We reached out to two or three different vendors, and the main factor for our decision was how responsive and knowledgeable their support was. Price was also an important component due to the budget allocated for this experience.

With YesWeHack we got great support from the entire team, the quality never dropped, and they keep making new features and improving the overall platform experience. The support team is not only marketing; they understand the whole application security operation.

How useful has support from your dedicated customer success manager (CSM) been?

EE: The CSM team has been nothing short of great. They are always ready to give us support, showing new ways to do things, demonstrating new features or communicating with triagers and hunters.

When we were ready to go public, we got all the necessary support and that increased our confidence.

Has outsourcing triaging to YesWeHack’s dedicated team proven to be a wise move?

EE: Honestly, it feels like the triage team is part of KOMOJU itself. They will only assign a bug to us after thorough verification, not only if the bug can be reproduced or makes sense but also if it’s within scope.

This saves us so much time. Outsourcing triage to an effective, in-house team is vital for organisations without mature security operations. The team at YesWeHack makes our work easier.

And how productive are your interactions with hunters?

EE: YesWeHack’s triagers take out a lot of the cognitive load necessary to communicate with different hunters, but when we have to, most of the interactions are professional and to the point.

Their reports are, for the most part, easy to follow and enlightening. But when this is not the case, the triage team comes to the rescue.

COMPLEMENTING OTHER SECURITY TESTING MECHANISMS

In what ways is Bug Bounty distinct from pentesting?

EE: Pentesting covered our compliance needs, but we wanted to go beyond the minimum requirements. Whereas scaling traditional pentests was time-consuming for our teams, Bug Bounty has proved efficient at expanding our testing scope – and strengthening our security posture – without adding much overhead.

Some organisations have in-house pentesters who can continuously test applications. While we’re not there yet in terms of team size and prioritisation, we believe that Bug Bounty brings the continuous improvement element to security testing.

Whether you provide a black- or white-box testing environment, we can continuously test for known and new vulnerabilities alike. The downside is, we can’t provide access to infrastructure in the program, which requires NDAs and a contract.

How does Bug Bounty fit with a multilayered testing strategy?

EE: We believe that a BBP fits into every stage of a running application.

Pentesters under a contract will always have a bit of an advantage over a BBP due to the access we provide to infrastructure.

However, when we have our mandatory annual pentest, we feel prepared. We are confident that if the YesWeHack hunters didn’t find a bug, the pentesters most likely also won’t.

The Bug Bounty Program helps us validate our security in real-world conditions, revealing how effective controls and mitigations truly are once systems are exposed to real users and environments.

TIPS FOR CISOs

Do you have any advice for your peers on launching, configuring or scaling up programs?

EE: Each company has its own risk appetite and requirements, but what worked for us was taking small, deliberate steps.

We started with a focused scope on high-impact applications, in a controlled environment with a few invited hunters. This helped us understand the workload, the nature of findings, and how the platform supports program operations.

From there, we gradually expanded scope and included new features before production releases. Making testing straightforward, while being clear about out-of-bounds areas, is very important.

Finally, organisational support is fundamental: our CTO was totally behind this project, and even helped operationalise the program, which helped with the buy-in from developers!

Is your security team managing a Bug Bounty Program yet? Schedule a Bug Bounty consultation to find out more about the benefits of crowdsourced security testing and how this model can be adapted to the specific needs of your organisation.

Are you a hunter? Check out KOMOJU’s public Bug Bounty Program for further details on rules, rewards and scopes.
