Case Study: PullString achieves a secure, successful IoT launch with HackerOne

A HackerOne Case Study

Preview of the PullString Case Study

How PullString Makes IoT Safer

PullString (originally ToyTalk) builds a real-time conversational platform for interactive toys and other IoT products, most notably the Hello Barbie experience. It faced the dual challenge of delivering fast, responsive APIs while protecting children’s privacy under strict COPPA requirements. Because connected toys both collect sensitive data and rely on embedded hardware and real-time services, PullString embraced security-by-design, knowing vulnerabilities would be inevitable as they pushed the category’s technical boundaries.

To harden their platform, they ran a HackerOne bug bounty program, first privately (handling 18 reports in 4 days) and then publicly (223 reports in 3 days), engaging 57 independent hackers who identified 62 potential vulnerabilities in the first month. PullString’s engineering team triaged and fixed issues rapidly, paid bounties for 98% of valid high-quality reports, drove reports down to under five per month thereafter, and achieved one of HackerOne’s most successful launches, strengthening both product security and regulatory readiness.



PullString

Martin Reddy

Cofounder and CTO

