Zomato Has Paid Out Over INR 70 Lakh As Bug Bounty To Developers

Gurugram-based foodtech unicorn Zomato has been paying off hackers who have responsibly disclosed bugs with the company’s platform.

An IANS report has cited HackerOne statistics to say that Zomato has paid more than $100K (over INR 70 Lakh) to 435 hackers till date for finding and fixing bugs on its platform. It said that  $12,350 (over INR 8.7 Lakh) in bounties have been paid in the last 90 days.

How Zomato Tackles Security Bugs?

The report said that since July 2017, Zomato has been using HackerOne’s bug bounty programme and has successfully resolved 775 vulnerabilities report. HackerOne claimed that the Zomato security team is tasked with protecting sensitive information for over 55 Mn unique monthly visitors.

The report showed that for the critical bug discovery on its platform, Zomato pays $2,000 to security researchers, $700 for bugs with high-severity impact, $300 for medium and $150 for low-impact vulnerabilities.

The concerns for user safety at blog gained prominence when in May 2017, hackers broke into Zomato, stealing email addresses and hashed passwords of nearly 17 Mn registered users. At the time, Zomato had said that no payment information or credit card data was stolen or leaked.

It had reset the passwords for all affected users and logged them out of the app and website. According to the company, it takes security seriously.

“We’re committed to protecting our community. If you are a security researcher or expert, and believe you’ve identified security-related issues with Zomato’s website or apps, we would appreciate you disclosing it to us responsibly,” the company said.

“The scope of issues is limited to technical vulnerabilities in the Zomato website or mobile apps. Please do not attempt to compromise the safety or privacy of our users (so please use test accounts), or the availability of Zomato through DoS attacks or spam,” Zomato reportedly told security researchers.

What Is Happening At Zomato?

In terms of numbers, Zomato recorded a 225% rise in revenue in the first half of FY2020. According to the company’s biannual report, it has registered $205 Mn in revenue, compared to $63 Mn in the first half of last year.

The report also mentioned that there has been a 40% decline in Zomato’s EBITDA (earnings before interest, tax, depreciation and amortization) loss from March to September 2019. The company has also pointed out that its monthly burn rate, which measures the rate at which a company is losing money, is down by 60%.

In the H1FY20, the food aggregator and delivery startup has around 119K restaurants, compared to 43K last year.

Over the last few months, Zomato has been through #logout campaign, discontinuing infinity dining service, altering rules and extending the benefits of Zomato Gold, and multiple rounds of layoffs, and protests from delivery partners.

Cybersecurity Concerns At Internet Companies

In the day and age of data security and concerns costing billions to tech giants such as Facebook, the security breach instances haven’t stopped.

In September, Uber fixed a hacking bug found by Indian cybersecurity researcher Anand Prakash and paid him a bounty of $6,500. Prakash told Inc42 that the bug allowed hackers to log into anyone’s Uber account.

In August, Chennai-based security researcher Laxman Muthiyah found a bug in the Facebook-owned Instagram, which allowed anyone to hack the popular photo-sharing social networking service. The revelation came barely a month after reporting a similar flaw on Instagram.

India has been the second most cyberattacks affected country between 2016 to 2018, according to a new Data Security Council of India (DSCI) report. Further, the average cost for a data breach in India has risen 7.9% since 2017, with the average cost per breached record amounting to INR 4,552 ($64).

Note: We at Inc42 take our ethics very seriously. More information about it can be found here.