Tewdy Pools

Bug bounty programs that fit your team

Run a structured bug bounty without the overhead of an enterprise platform. Set severity-based payouts, collect proof, and pay researchers through escrow — on a budget that makes sense for your stage.

Enterprise bug bounties don't scale down

HackerOne and Bugcrowd are designed for companies running large, continuous programs with dedicated security teams. Their pricing reflects that. For a 20-person startup or a growth-stage team with a single security engineer, the math does not work. You either pay enterprise rates for a fraction of the capacity, or you skip bug bounties entirely.

That gap means real vulnerabilities go unreported. Not because researchers are not interested, but because there is no reasonable way to run the program.

A simpler model

Create a bug bounty pool. Define your program scope — what is in bounds, what is not. Set budgets per severity level. Researchers join your pool, find vulnerabilities, and submit proof through the platform. You review submissions, approve valid findings, and escrow handles the payout.

No triage team required. No minimum contract. No per-seat licensing. You run the program directly, with the tooling to do it properly.

What you get

  • Severity-based milestones — define payout tiers for critical, high, medium, low, and informational findings. Researchers see the bounty table up front.
  • Proof submission — researchers submit reproduction steps, screenshots, videos, and affected endpoints. You review in one place.
  • Escrow payouts — funds are held in escrow and released when you approve a finding. No invoices, no manual bank transfers.
  • Reputation tracking — every researcher builds a score based on finding quality, accuracy, and responsiveness. Higher scores surface better researchers.
  • Pool chat — coordinate with researchers, clarify scope questions, and discuss findings in a built-in group channel.
  • Enrollment caps — control how many researchers can join your program. Start small, expand when ready.

Right-sized security testing

A startup shipping its first public release needs different coverage than a company with a mature security team. Tewdy Pools does not assume you have a dedicated AppSec org. It gives you the structure to run a real bug bounty program — severity tiers, proof workflows, escrow — without requiring the infrastructure that enterprise platforms take for granted.

Start with a small pool and a modest budget. As your attack surface grows, expand the program. The tooling scales with you instead of pricing you out at the start.

Frequently asked questions

How is this different from HackerOne or Bugcrowd?

Those platforms are built for enterprises running large, ongoing programs with thousands of researchers. Tewdy Pools gives you the same core workflow — severity tiers, proof submission, escrow — without the enterprise contract, triage team overhead, or minimum spend.

Who can join my bug bounty pool?

Anyone with a Tewdy account. You control enrollment: set caps on pool size, require a screening questionnaire, or invite specific researchers directly. Every participant carries a reputation score across all pools they join.

How do payouts work?

You set a budget per severity level when you create your program. When a researcher submits valid proof and you approve it, the payout is released from escrow. No invoicing, no manual transfers.

Can I set different bounty amounts for different severity levels?

Yes. You define milestones per severity tier — critical, high, medium, low, informational — each with its own payout amount. Researchers see the bounty table before they start.

What counts as valid proof?

You define what proof looks like in your program scope. Common requirements include reproduction steps, screenshots, video recordings, and affected endpoints. Researchers submit proof through the platform, and you approve or request changes.

Is there a minimum budget to start a program?

No. You set your own budget per severity level. If you want to start with $50 for low-severity findings and scale up later, that works. The platform does not impose minimums.

Start your bug bounty program

Create a free account, define your scope, and launch your first program in minutes.
