
Case Study: Freelancer Runs Bug Bounty On A Vibecoded App


Client: Auto-man Driving School

Contact: Deanna "Dee" Bath

Platform: Web (vibecoded)

Site: Website

Program Type: Cash Bug Bounty

Spend: $160 USD


Overview

For a while, we've been looking for someone to run a bug bounty on a vibecoded app. It's widely reported that these apps have security issues (mass scan, Tea breach, Lovable, GT study). Security of these apps is consistently pushed to the 'later' backlog along with the rewrite. The program found some bugs (but nothing hilarious and/or catastrophic - sorry to disappoint). The main story here is about getting a meaningful pentest within real constraints of budget and expertise.

Background

Auto-man Driving School's developer, Deanna "Dee" Bath, is a business analyst and freelance developer who builds web applications using AI-enabled development. She started programming in 1997 with VB6, moved into Business Analyst roles in 2008, and returned to development in March 2025 using AI-assisted tools. She isn't a security specialist, but she knows that shipping software to real clients means security matters.

The Challenge

The project is a booking system for driving lessons. The app is a static frontend hosted on GitHub Pages with Supabase providing authentication, database, and backend services. It's a client-facing platform with user authentication, calendaring, messaging, and an admin portal.

  • AI-generated code introduces subtle vulnerabilities that are hard to spot without security expertise
  • The app codebase was checked by AI tooling before release but this only offered limited peace of mind
  • The platform handles client data - bookings, messages, and contact details
  • Security testing feels intimidating for developers who aren't security specialists
  • Traditional penetration tests are too expensive ($,$$$+) for a relatively small freelance project

Bugbop Solution

Dee was set up with a small program with a little assistance from the Bugbop team:

  • Bugbop's automated security scanner (Bugbot) found 3 minor issues before human testers even began. Two couldn't be fixed because of the hosted environment, but Dee fixed the DMARC settings, which also improved the client's mail delivery.
  • The program scope was created from Bugbop's templates plus additional requirements (such as only testing during weekdays)
  • A strict budget of $500 for bounties (after which the program would close)
  • Two proven bug hunters on the platform were invited to a private program
  • Bugbop's AI triage to assist in evaluating bugs and suggesting remediation

This setup meant Dee could focus on fixing issues rather than figuring out what to do about them. The reports were educational enough that she came away with a better understanding of web security in general.

"Program setup assistance was excellent. The example email was a great touch and helped me understand what testers would receive."
Deanna "Dee" Bath, Freelance Developer

Results

Severity | Issue | Bounty
High | Stored XSS and Cross-Account Message Injection via Contact Form | $100*
Medium | Unauthorized Booking Cancellation (IDOR) | $40**
Medium | Old Sessions Not Expired After Password Change | $20
Low | Missing DMARC DNS Record (found by Bugbot) | N/A
Low | Missing Content-Security-Policy Header (found by Bugbot; not fixable on hosted platform) | N/A
Low | Missing Clickjacking Protection (found by Bugbot; not fixable on hosted platform) | N/A

* Paid above typical Medium severity rate due to report quality and impact
** $20 bounty + $20 bonus for initiative and enthusiasm

"Bugbot found 3 issues before official testing even began. Bugbot automatically retested when I marked an issue as Fixed, which is a smart safeguard against closing something too early."
Deanna "Dee" Bath, Freelance Developer

Bugbop's flexible pricing allowed Dee to reward quality and initiative. The $100 bounty for the XSS+injection issue exceeded typical Medium rates because the report quality and business impact justified it. For the final finding, Dee was about to close testing - but the tester's enthusiasm convinced her to extend the window. She paid $20 for the vulnerability plus a $20 discretionary bonus specifically "for showing initiative."

Once Dee was satisfied that the key issues had been found and resolved, Bugbop refunded the remaining wallet balance (from the initial $575 deposit). This meant she only paid for the bounties actually awarded (plus the 15% platform fee).

What Were the Other Options?

Before choosing Bugbop, Dee considered the alternatives available for security testing a small vibecoded app. Here's how they stacked up:

  • Traditional Penetration Test - A professional pentest from a reputable firm typically costs $5,000-$20,000+ and takes weeks to schedule. For a small freelance project with a limited budget, this is disproportionately expensive - even if the results would be thorough.
  • Enterprise Bug Bounty Platforms - Platforms like HackerOne and Bugcrowd are designed for large organisations with dedicated security teams and big budgets. Minimum program costs typically start in the thousands, and the onboarding process assumes enterprise-level security maturity. Overkill for a freelancer shipping a single app.
  • Freelance Security Consultants - Hiring a security freelancer through platforms like UpWork can work, but vetting their skills is difficult without security knowledge yourself. Rates vary wildly, scope is hard to define upfront, and you're relying on a single person's expertise rather than multiple testers with different specialisations. On a bug bounty platform, by contrast, the bug hunters also gain reputation from their reports, which gives them an incentive beyond the fee.
  • Self-Managed Bug Bounty - Running your own program (e.g. a security.txt file and an email address) is free but requires security expertise to triage reports, negotiate with researchers, and assess severity. It's also largely invisible until it gets picked up and circulated.
  • Doing Nothing - The most common choice for small projects. Ship it and hope for the best. But vibecoded apps are particularly vulnerable - AI-generated code often introduces subtle security flaws that automated scanners miss. One data breach can destroy client trust and a freelancer's reputation.

Why Bugbop Works for Vibecoders

  • Hands-on setup support - no security background needed to get started
  • Bugbot catches common issues automatically, even before human testers begin
  • Reports are written to teach, not just flag - ideal for developers still learning security
  • Affordable for solo developers and freelancers building client projects
  • Flexible bounty pricing - pay for impact and attitude, not just severity labels

"Good reports do more than find bugs. They help you learn. For any small business owner or developer who thinks security testing is only for large companies, my experience says otherwise."
Deanna "Dee" Bath, Freelance Developer

Built something with AI? Test it with Bugbop.

If you're a freelancer or vibecoder shipping apps to real clients, Bugbop makes it easy to fix security issues even if you're not a security expert.