COMFY paid 200 thousand hryvnias to a white hat hacker for discovering a critical vulnerability
COMFY became one of the first Ukrainian retail chains to support ethical hacking in practice. The company officially paid 200,000 hryvnias to white hat hacker Vadym Savchenko for discovering a critical vulnerability in the bonus accrual system of its online store.
Savchenko reported the problem through the contact center. The issue was that bonuses could be credited multiple times within a marketing campaign, which created the risk of uncontrolled accumulation of funds in a bonus account.
After a technical analysis, COMFY confirmed the presence of the vulnerability, assessed the possible financial consequences in case of abuse, and promptly fixed the problem. The situation revealed shortcomings in the existing monitoring system, which, in turn, proved the need to improve internal control.
The decision to pay a reward of 200,000 hryvnias was made in recognition of the responsible report. This was the first case of its kind for COMFY and one of the few public examples of a bug bounty payout among Ukrainian retailers. Vadym Savchenko, who has a professional background in IT and cyber security, explained that he felt it was important to contribute to the security of the business during the war, which is why he contacted the company immediately after discovering the flaw.
As a reminder, in 2018, COMFY publicly declared its support for ethical hacking, placing a special invitation file for security researchers on its server and specifying channels for responsible disclosure of vulnerabilities. The current case was a logical continuation of this initiative.