The first “Bug Bounty” in cannabis.
Earlier this year, a breach known as The Great Cannabis Hack exposed the personal data of more than 380,000 cannabis consumers across North America. The attack, first reported by Forbes cybersecurity writer Davey Winder, targeted several third-party software vendors that power online ordering and loyalty platforms for dispensaries.
According to Winder’s investigation, the leaked databases included names, emails, phone numbers, and purchase histories, many linked to verified customer accounts and loyalty programs. Though no payment data was exposed, the breach illustrated how much sensitive information is stored across cannabis tech systems — and how little visibility most consumers have into how that data is managed.
For regulators and retailers alike, it was a wake-up call. Cannabis companies have built digital infrastructures that rival those of mainstream retailers, but few have developed the same security culture.
Now Sweed, one of the leading retail-tech platforms in the industry, is trying to change that dynamic by launching cannabis’s first Bug Bounty program — a formal invitation for ethical hackers to test its defenses before criminals do.
A New Kind of Security Test
Announced November 10 and hosted on HackenProof, the initiative invites vetted security researchers from around the world to probe Sweed’s core web infrastructure.
The company will pay up to $2,000 for verified vulnerabilities, depending on their severity, following the same CVSS (Common Vulnerability Scoring System) standards used in mainstream tech.
All testing must stay within the defined scope and avoid disrupting live operations, but researchers are otherwise encouraged to “hack away.”
“Trust is earned, and by welcoming the security community into our process, we’re building software that grows stronger with every test,” said Rocco Del Priore, Sweed’s co-founder and CTO. “The Bug Bounty program helps us identify and fix potential vulnerabilities before they become issues — and, most importantly, reaffirm the customer trust that Sweed is known for.”
Sweed’s platform powers point-of-sale, e-commerce, and marketing systems for dispensaries and multi-location operators. Those services handle vast amounts of personal and regulatory data, making them attractive targets for attackers. The bounty program transforms that vulnerability into a continuous, collaborative audit — a way to test the system in real time.
Borrowing From Big Tech
Bug bounty programs are standard practice in Silicon Valley. Google, Meta, and Apple have paid millions to “white-hat” hackers who disclose flaws responsibly. Even the U.S. Department of Defense runs Hack the Pentagon.
Cannabis, by contrast, has mostly relied on closed-system audits and private security contracts. Sweed’s move is a departure from that model, and the shift could prove timely. The 2025 breach happened because one compromised vendor exposed customer data from multiple dispensaries, cascading through API connections that few retailers even knew existed.
With no federal cybersecurity standard in the United States, cannabis companies operate in a fragmented patchwork of state rules. Some jurisdictions require encryption and breach reporting; others don’t mention digital security at all.
In that vacuum, operators are left to make their own judgment calls — balancing cost, compliance, and risk. Sweed’s Bug Bounty reframes that challenge as an opportunity: instead of waiting for regulators to demand audits, the company is publishing its own test.
“Dispensaries can’t afford downtime, data leaks, or compliance gaps,” Sweed’s statement reads. “The Bug Bounty helps ensure a more stable, resilient platform so operators can focus on growing their business, not fighting fires.”
Prevention is cheaper than recovery and far better for reputation.
The Bug Bounty operates under defined ethical parameters. All testing must be conducted within Sweed’s approved digital assets listed on HackenProof, with no impact on live systems or real user data.
Researchers must follow responsible disclosure policies, maintain confidentiality, and report findings directly through the platform.
Photo by Max Bender on Unsplash