A lightweight bug-bounty program that fits how Indian SaaS startups actually operate — running on top of your automated VAPT, sized to your runway, payouts in INR, triage handled by the Bachao.AI team. No enterprise platform minimum, no 12-month commitment, no "contact us for pricing" wall.
Responsible disclosure policy hosted at /security (aligned to CERT-In + DPDP)
Triage workflow — Bachao.AI team filters duplicates, false positives, and out-of-scope reports
Payout tracker — every approved finding tracked with severity, payout, and reporter handle
INR-denominated payouts via NEFT/IMPS; international wire for foreign researchers
Quarterly program review with the founder
Optional public hall-of-fame for top researchers
Why bug bounty matters even with automated VAPT
AI-orchestrated automated VAPT covers the OWASP Top 10, the API Top 10, business-logic and auth-flow surface thoroughly — but human researchers still beat AI at chained logic flaws, social-engineering-adjacent vectors, and creative misuse of trusted features. A small bounty program is the highest-leverage way to surface these without retaining an in-house red team. The goal isn't to replace VAPT — it's to layer human creativity on top of automated coverage.
How the engagement works
Day 1: scope confirmed, /security page drafted, payout matrix agreed (severity → payout band).
Days 2-3: policy published, program announced (typically a LinkedIn post + Twitter post + responsible-disclosure listing).
Ongoing: researchers submit via the disclosed channel; Bachao.AI triages, you approve payouts via the dashboard; we wire the payout within 7 working days.
Quarterly: program review, payout matrix revision if the signal is too noisy or too quiet.
Pricing — pay for findings, not for retainer
Scope-based, not seat-based. Setup fee covers policy drafting + initial triage scaffolding; severity-tiered payouts flow per valid finding, with the per-finding rate aligned to your risk appetite (typical range: critical findings paid in low-five-figures INR, high in mid-four-figures, medium in three-figures). Total program cost scales with the rate of valid findings — which is good for your CFO and aligned with security outcomes.
Get started
Click Talk to founder. We'll draft the responsible-disclosure policy, agree the payout matrix, and have your program live within 5 working days. Free first VAPT scan included before the bounty program goes live — to make sure you're not getting flooded with findings the scanner would have caught.
Run a bug bounty without the enterprise platform tax
Lightweight, India-tier, INR-denominated bounty layer on top of your automated VAPT.