Making the program "restricted" will mean that bug hunters have to apply (and do KYC if you turn that on). You'll be able to do what you propose but it'll also increase friction vs having submissions fully public.
The main differentiator to HackerOne is price and lower commitment (i.e. contracts). It's also a lot simpler in the UI as it's not chasing the big end of town and uses AI in a more integrated way. That said, Bugbop isn’t trying to replace HackerOne. It’s built for teams that won’t run a bug bounty otherwise.
Bypassing can be a problem but paying people overseas (and KYC) can be quite annoying. There's also less credibility without a 3rd party proving the bounties exist.
"Someone can copy you" was never going to be a moat. There's a lot more to a company than just the technical build. I'll just have to stay better than them :-)
I've priced Bugbop very competitively and making it free will be difficult with the payment processing fees.
Indisputable USP? That's hard. I think Bugbop is fairly unique in that it's a passion project of a long-time bug bounty program runner. I love this stuff and I'm happy to have a founder-to-founder calls about what bug bounty looks like in practice.
Happy to answer any questions or just talk bug bounty/disclosure. I love both economics and security. Bug bounty sits at the intersection of these two.
All. That's the issue they've got. It looks like we're going to have to hide it for anyone that comes in via the App Store.
Another problem is we've got 4 products and only one is listed on the Shopify app store. If they log in via product A's listing then buy product B, it seems we must use Shopify's billing for that too.
These aren't purchases via their app store (I don't know if you can even do that?). They're within our webapp using Shopify's billing API to buy stuff. The Shopify integration is just used for discovery (via their app store), login, installation, email integration, and of course billing.
Nah, we've had Stripe since 2013. Added Shopify billing in 2016 (which was a nightmare using their old API). We'll be too small for an exemption/wire transfer method.
Making the program "restricted" will mean that bug hunters have to apply (and do KYC if you turn that on). You'll be able to do what you propose but it'll also increase friction vs having submissions fully public.