Show HN: Bugbop – a smaller bug bounty platform
bugbop.comHi HN!
I created Bugbop over the last year now I'm officially releasing it! It’s a platform for teams that want to run their first bug bounty without expensive contracts. I come from a SaaS technical founder background where I ran our program for years. Now I've decided to make something better suited to that niche.
The model is simple: only pay when valid vulnerabilities are found. No ongoing subscriptions. Set budgets to avoid going over. The app's still in the early days but it's working: security bugs are getting paid and bug hunters are getting bounties.
It's using AI to review check if it's in scope, detect duplicates, and set severity (the app doesn't ask reporters because everyone just says "Critical").
I’m interested in feedback from people who’ve run bug bounties, stopped running them, or considered them and decided against it. We’ve been operating a public bug bounty program on this platform as part of an early rollout, and overall it’s been a solid experience. What’s worked well for us
Cost structure makes sense for smaller products. We explored some of the bigger players, but running an open program there wasn’t really viable for a company our size. No subscription overhead. There aren’t ongoing monthly fees — you just top up credits and those funds stay available for bounty payouts. Fewer low-value submissions. You still get the occasional low-quality report, but the volume of noise is noticeably lower compared to what we expected elsewhere. AI-assisted triage is genuinely useful. It makes it quick to sort and prioritise reports without spending unnecessary time on the junk. Fast feedback loop with the team. The founders have been approachable and responsive when we’ve shared ideas or improvement suggestions. Privacy-friendly disclosure approach. There’s no built-in push to publicly publish findings after they’re resolved, which is a plus from the company side. Improvements we’d love to see A private/internal notes area within reports (so teams can leave internal-only comments). More controls around restricting participation based on geography. The ability to invite or allowlist specific researchers/hunters. Internal notes, yep. Will do this month :-) Making the program "restricted" will mean that bug hunters have to apply (and do KYC if you turn that on). You'll be able to do what you propose but it'll also increase friction vs having submissions fully public. What makes this different to Hackerone or better yet, privately sending bounties to hackers off platform bypassing the fee? Or someone else cloning the same thing as Bugbop with AI and undercutting it or making it free? What is the actual indisputable USP of your solution? Fair questions. The main differentiator to HackerOne is price and lower commitment (i.e. contracts). It's also a lot simpler in the UI as it's not chasing the big end of town and uses AI in a more integrated way. That said, Bugbop isn’t trying to replace HackerOne. It’s built for teams that won’t run a bug bounty otherwise. Bypassing can be a problem but paying people overseas (and KYC) can be quite annoying. There's also less credibility without a 3rd party proving the bounties exist. "Someone can copy you" was never going to be a moat. There's a lot more to a company than just the technical build. I'll just have to stay better than them :-) I've priced Bugbop very competitively and making it free will be difficult with the payment processing fees. Indisputable USP? That's hard. I think Bugbop is fairly unique in that it's a passion project of a long-time bug bounty program runner. I love this stuff and I'm happy to have a founder-to-founder calls about what bug bounty looks like in practice. Happy to answer any questions or just talk bug bounty/disclosure. I love both economics and security. Bug bounty sits at the intersection of these two. <script>alert(1)</script> Hi