In July 2024, we launched a Vulnerability Disclosure Program (VDP) on HackerOne.
Customers and researchers were already reporting bugs informally, so we needed a proper channel.
We set it up first as a private program, then made it public.
What it brought us
Over a year: 200 reports → 11 valid → 0 critical
And yet, it was worth it.
The valid reports were minor, mostly theoretical issues; fixing them made our systems more predictable and our processes sharper.
Reports stopped landing in the support chat and were routed through a single channel, so developers had the right context from day one.
HackerOne’s Triage was essential: most reports were low-effort or AI-generated. Without it, we’d have wasted time on noise.
What didn’t happen
We didn’t find any serious vulnerabilities.
After the launch spike, reports slowed to 1–3 shallow ones per month, mostly raw scanner output (Burp Suite and the like). Once the low-hanging fruit was gone, nothing new appeared.
Why we stopped paying
We weren't willing to keep spending over $1,000/month for a handful of low-quality reports, especially since the real fixes had been made early on. The subscription had done its job.
We now run a simpler VDP on our site with a clear form and basic rules. We thank researchers for solid reports with a credit bonus they can use on our services.
But wait, weren’t we expecting real research?
It would be naive to expect a full-on security audit from volunteers. We don't blame researchers for low-effort reports; public VDPs are structured that way.
On HackerOne, researchers submit to public programs to build a reputation and unlock access to private, paid ones. That incentive rewards volume over quality.
That’s why we don’t recommend starting with bug bounties. You’ll mostly get noise, and without a dedicated security team and budget, it’s easy to get overwhelmed.
Have you ever heard of “high-quality reports in the first 48 hours”? We didn’t see that at all.
What we’d tell others
We do recommend running a VDP, especially if you’re building infrastructure and trust. But we’d suggest starting with:
A clear, safe disclosure channel (self-hosted or embedded from a platform)
A triage buffer, if you open it up publicly, to absorb the initial spike of reports
No monetary rewards unless you’re ready to manage the attention that follows
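One concrete way to publish a self-hosted disclosure channel is a security.txt file served at /.well-known/security.txt (RFC 9116), which is where researchers and tooling look first for a contact and the rules of engagement. The file below is an added illustration and not from the original post; the domain, addresses, URLs and dates are placeholders, not the author's.

```text
# /.well-known/security.txt (RFC 9116)
# Placeholder values: replace the domain, addresses and dates with your own.
Contact: https://example.com/security/report
Contact: mailto:security@example.com
Expires: 2026-12-31T23:59:59Z
Policy: https://example.com/security/disclosure-policy
Acknowledgments: https://example.com/security/thanks
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
```

Contact and Expires are the two mandatory fields; keep Expires within a year and renew it, because a stale file signals an unattended channel. Policy is where the "basic rules" (scope, safe-harbor wording, what not to test) belong, and Acknowledgments is a natural home for the credit given to researchers who send solid reports.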
Public VDPs help, but on a solid system they mostly surface low-hanging fruit rather than critical flaws, and they won't filter noise unless you pay someone (or dedicate time) to do that manually.
In our case, we confirmed what we hoped: our infrastructure is resilient, our approach works, and our customers can trust the platform they’re using.
One more thing
When we were considering HackerOne, we couldn't find stories like this. There were landing pages, vague claims, and many hacker success stories. Is there some secret place where companies share their side of bug bounty programs?
If you're in the same place now, deciding how to approach security disclosure and whether it's worth the time and money, we hope this helps.
This story was first published on LinkedIn.