Mercado Libre’s Journey to a Public Bug Bounty Program

Six years ago, we launched two private programs in collaboration with HackerOne to maintain the highest security standards across our growing digital landscape: a vulnerability disclosure program and our bug bounty program. At that time, we had a small team, a limited budget, and no real experience in running such a program, so we chose to start with an invitation-only approach. Since then, our three primary annual OKRs have been:

  • To double the number of active researchers (those with at least one valid medium/high/critical impact report).
  • To continuously expand our eligible scope in a structured and constant manner.
  • To have a healthy response efficiency, especially “time to bounty” and “time to

We also keep a close watch on a secondary OKR covering the number of reported high/critical vulnerabilities. Since 2018, we have gathered some interesting insights.
