| We’ve been operating a public bug bounty program on this platform as part of an early rollout, and overall it’s been a solid experience. What’s worked well for us
Cost structure makes sense for smaller products. We explored some of the bigger players, but running an open program there wasn’t really viable for a company our size. No subscription overhead. There aren’t ongoing monthly fees — you just top up credits and those funds stay available for bounty payouts. Fewer low-value submissions. You still get the occasional low-quality report, but the volume of noise is noticeably lower compared to what we expected elsewhere. AI-assisted triage is genuinely useful. It makes it quick to sort and prioritise reports without spending unnecessary time on the junk. Fast feedback loop with the team. The founders have been approachable and responsive when we’ve shared ideas or improvement suggestions. Privacy-friendly disclosure approach. There’s no built-in push to publicly publish findings after they’re resolved, which is a plus from the company side. Improvements we’d love to see A private/internal notes area within reports (so teams can leave internal-only comments). More controls around restricting participation based on geography. The ability to invite or allowlist specific researchers/hunters. |
Making the program "restricted" will mean that bug hunters have to apply (and do KYC if you turn that on). You'll be able to do what you propose but it'll also increase friction vs having submissions fully public.