Boosting E-Commerce Security: PrestaShop's Success with YesWeHack's Public Bug Bounty Program

July 23, 2020

After a few months on a private bug bounty program, PrestaShop opens up to the entire YesWeHack community. Check out the following interview with Pierre Rambaud, Senior Core Developer at PrestaShop to understand what motivated this leap forward.

Tell us a bit about PrestaShop and your role within the company.

PrestaShop is an open-source eCommerce solution, written in PHP, with significant customisation capabilities. It is currently used by 300,000 shops worldwide and is available in 75 different languages. I work in the Core Team as a maintainer and I take care of security matters both for the open-source project and for the company.

Why did you launch a bug bounty program?

Our main reason for launching a bug bounty program was to improve security testing for the project. It helps uncover more unknown vulnerabilities and implement better security practices. It also provides a private channel for vulnerability reporting. We already had a security email address, however the bug bounty will encourage more people to report issues because of the reward. We will benefit from YesWeHack visibility to attract more security researchers to our project.

A bug bounty program is also a reliability indicator and proof we treat security seriously. It will help us gain the trust of customers and partners.

How does bug bounty add value to an open-source application?

Bug bounty is the ideal solution for improving the security of an application (open source or otherwise). In our case, the bug bounty program will increase both the software security and users’ trust because it is public.

You are now expanding your private program into a public one. What motivated this choice?

Opening the program to the public was always our goal because this is an open-source project. It wouldn’t make sense to keep the program private for too long. Having a private program has allowed us to lift our platform to a higher standard, to correct multiple vulnerabilities, and to define more precisely the scope of our program and its rules. Today, we are ready to open it to the public and say confidently that PrestaShop is properly secure.

Any tip for companies thinking about launching a bug bounty program?

The recent number of incidents where attackers were able to steal data from software companies proves that a bug bounty is now vital. We owe it to PrestaShop users to put application security as the number one priority.

It is obvious that this program has a cost: not only money but also the time dedicated to reports and patching the issues. People whose source code is not disclosed may have the impression that they are safe and nothing can happen to them, as the code is not public. This of course is wrong. It will save your reputation and your money. The program will actually cost less than you may think, as it will prevent breaches from happening.

Auditing your infrastructure or your application is fine, but it’s all constantly evolving. The advantage of a bug bounty program is that it will attract different hunters, with different skills, which will significantly increase the possibility of identifying vulnerabilities.

Lastly, a bug bounty will try different types of attacks against your system. An audit will only be performed by a single entity.