Why I shut down my bug bounty program after three months
I launched Killswitch at the start of 2026 with a bug bounty program. A zero-knowledge service is supposed to be trustworthy, and a public bounty page felt like part of the price of admission. Three months later I shut it down — torched the page, scrubbed every mention from anything Google can index, and rewrote our policy so active security testing is restricted to paying customers.
This post is what I would tell another solo founder before they make the same call I did.
The structural shift
The framing that reframed this for me came from Michael Lubas, CEO of Paraxial.io, who I had back on the Elixir Mentor Podcast a few weeks before publishing this. Michael does penetration testing for a living — Paraxial was one of the firms hired to pentest the Hex package manager — and partway through the episode he started talking about the state of bug bounty programs in 2026.
His one-liner on the show: "defensive cyber security people, bug bounty programs are shutting down. People are saying we just don't have the resources to handle this volume." The Internet Bug Bounty program shut down. Node.js shut down theirs. The list keeps getting longer.
The numbers he shared are the part worth keeping in your head. The Erlang Ecosystem Foundation issued nine CVEs total in 2025. In 2026, they're on track for well over a hundred, possibly over two hundred. Firefox went from an average of roughly twenty valid bug reports a month in 2025 to over four hundred in a single month — April 2026. As Michael put it: those bugs already existed in the source code. The bottleneck was finding them, and AI just blew the bottleneck out of the water.
If you're a solo founder reading this, that's the part that matters. The firehose of reports landing in your inbox is not a comment on your product. It's a structural shift in the cost of vulnerability discovery, and your bounty page is just downstream of it. The mental model of "more eyes = better security" assumed a fixed supply of eyes. That assumption is gone.
The full conversation — including why Michael thinks AI is also good news for defenders, what it means for Elixir specifically, and his strong recommendation that maintainers run zizmor against their GitHub Actions — is on Elixir Mentor Podcast episode 83.
What actually landed in my inbox
Within a few weeks of launch, a meaningful chunk of my inbound was beg-bounty hunters running checklists against the site, plus the bots they were running to find the bounty page in the first place. Real humans evaluating the product were getting drowned out.
The reports followed a template: a generic web checklist run against any SaaS settings page, packaged with a CVSS vector string, OWASP categories, "Business Impact" subsections about regulatory exposure and PR risk, and a screenshot. CVSS scores of 7-and-up on findings that were either UX choices or not findings at all. The volume model is what makes the genre work — send a hundred, get one acknowledgment, screenshot it for credibility, repeat. My inbox was the destination, not the point.
The thread that made the lesson concrete
The clearest version of the pattern came in on a Saturday in March. Subject line: "Bug Report 1 !". Body about 1,400 words, all the right vocabulary, a CVSS v3.1 score of 8.8 rated "High." The underlying claim was a UX hardening suggestion — the kind of thing you find by scanning a settings page with a checklist. Over the next 48 hours, before I had replied, the same address sent five follow-ups, the earliest at 2:58 AM my time.
On Monday I replied once, clearly: this isn't a vulnerability under our policy, here's the threat model, this is our final response. The pushback arrived in three messages over five minutes — OWASP recommendations, Bugcrowd's Vulnerability Rating Taxonomy, a screenshot of a VRT page, none of it addressing the actual threat model. I replied a second time and named the policy.
Four minutes later, the tone changed:
After i reported Then you add this in Our of scope! So it not professionality! I'm waiting for your reply otherwise i will make Good post about Your fruad & scam! Post on linkedin & twitter!!
This is the moment worth naming, because it's also the moment that decides what kind of program you're really running. There was no specific number attached, no Bitcoin address, no "Venmo me and this goes away." Just an implied trade — agree this is a vulnerability, or I post about your fraud. It's a softer extortion than a ransom demand, but it's the same shape: a threat of reputational damage conditioned on you giving up something you don't think they're owed.
Two more follow-ups arrived. I did not respond. They never posted.
Why I could afford to call the bluff
Killswitch is built on the same architectural pattern as 1Password. Private files are zero-knowledge — encrypted in the...