1 point by ponny 3 hours ago | 3 comments
  • foundrr-rkdv an hour ago
    We’ve been operating a public bug bounty program on this platform as part of an early rollout, and overall it’s been a solid experience.

    What’s worked well for us

    Cost structure makes sense for smaller products. We explored some of the bigger players, but running an open program there wasn’t really viable for a company our size.

    No subscription overhead. There aren’t ongoing monthly fees — you just top up credits and those funds stay available for bounty payouts.

    Fewer low-value submissions. You still get the occasional low-quality report, but the volume of noise is noticeably lower compared to what we expected elsewhere.

    AI-assisted triage is genuinely useful. It makes it quick to sort and prioritise reports without spending unnecessary time on the junk.

    Fast feedback loop with the team. The founders have been approachable and responsive when we’ve shared ideas or improvement suggestions.

    Privacy-friendly disclosure approach. There’s no built-in push to publicly publish findings after they’re resolved, which is a plus from the company side.

    Improvements we’d love to see

    A private/internal notes area within reports (so teams can leave internal-only comments).

    More controls around restricting participation based on geography.

    The ability to invite or allowlist specific researchers/hunters.

    • ponny 2 minutes ago
      Internal notes, yep. Will do this month :-)

      Making the program "restricted" will mean that bug hunters have to apply (and do KYC if you turn that on). You'll be able to do what you propose but it'll also increase friction vs having submissions fully public.

  • ponny 3 hours ago
    Happy to answer any questions or just talk bug bounty/disclosure. I love both economics and security. Bug bounty sits at the intersection of these two.
  • colesantiago 3 hours ago
    What makes this different to HackerOne or, better yet, privately sending bounties to hackers off platform, bypassing the fee?

    Or someone else cloning the same thing as Bugbop with AI and undercutting it or making it free?

    What is the actual indisputable USP of your solution?

    • ponny 2 hours ago
      Fair questions.

      The main differentiator from HackerOne is price and lower commitment (i.e. contracts). It's also a lot simpler in the UI as it's not chasing the big end of town, and it uses AI in a more integrated way. That said, Bugbop isn’t trying to replace HackerOne. It’s built for teams that won’t run a bug bounty otherwise.

      Bypassing can be a problem but paying people overseas (and KYC) can be quite annoying. There's also less credibility without a 3rd party proving the bounties exist.

      "Someone can copy you" was never going to be a moat. There's a lot more to a company than just the technical build. I'll just have to stay better than them :-)

      I've priced Bugbop very competitively and making it free will be difficult with the payment processing fees.

      Indisputable USP? That's hard. I think Bugbop is fairly unique in that it's a passion project of a long-time bug bounty program runner. I love this stuff and I'm happy to have founder-to-founder calls about what bug bounty looks like in practice.