Case Study: Mercado Libre launches a public bug bounty program with HackerOne

Mercado Libre’s Journey to a Public Bug Bounty Program

Mercado Libre, the largest online commerce and payments ecosystem in Latin America, faced challenges in scaling its application security to match the speed of its agile development and hundreds of monthly deployments. To meet its security objectives and improve production security, the customer engaged vendor HackerOne to implement a crowdsourced security solution, starting with private bug bounty and vulnerability disclosure programs.

HackerOne provided the platform and services, including HackerOne Bounty, HackerOne Response, and HackerOne Triage, to manage the program. The solution enabled Mercado Libre to tap into a global pool of ethical hackers, leading to significant results. Over five years, the total number of vulnerability reports doubled, the application security team improved its SLA accomplishment for fixing critical bugs by 18% year-over-year, and the program maintained a high response efficiency with a first response time averaging 16 hours. After six years of a successful private program, these outcomes prepared Mercado Libre to confidently launch a public bug bounty program to further expand its security efforts.

Mercado Libre

Alejandro Federico Iacobelli

Application Security Senior Manager