Case Study: Gymdesk Finds Critical Flaws Missed by Pentests

Client: Gymdesk

Industry: Fitness SaaS

Platform: Web, Android, iOS

Program Type: Cash Bug Bounty

Spend: $1,231.50 USD

Overview

Gymdesk, a leading gym management platform, partnered with Bugbop to launch a bug bounty program that would supplement their existing security efforts. Having already completed two professional penetration tests in the past year, they were looking for broader coverage and continuous insights from the security research community — without overwhelming internal resources.

The Challenge

Gymdesk wanted to:

  • Catch edge-case vulnerabilities not surfaced during scheduled assessments
  • Leverage the creativity of independent researchers
  • Maintain a tight scope and budget
  • Get triaged, actionable reports — not noise

Bugbop Solution

Bugbop guided Gymdesk through onboarding, helping:

  • Define and publish a clear, well-scoped public program
  • Draft a disclosure policy, including Safe Harbor and testing guidelines
  • Set modest payout ranges from $20 to $500 based on severity
  • Use webhooks to automate the security team's triage and remediation workflows

This proactive setup gave researchers clear boundaries and empowered Gymdesk's team to move quickly on valid findings.

30-Day Results

Severity   Count   Description
Critical   1       Misconfigured access control on an admin endpoint
High       1       Exposure of sensitive system files
Medium     6       A mix of input validation issues (XSS), CSRF risks, and client-side flaws
Low        1       Minor information disclosure

All valid issues were triaged within days, and Gymdesk began rolling out fixes immediately. Several issues had persisted undetected through prior pentesting efforts.

"We thought it would mostly surface edge cases, but researchers found real, impactful bugs we hadn't seen before."
Niall Richardson, CTO, Gymdesk

Value Delivered

  • 📈 Expanded vulnerability coverage beyond what two pentests had revealed
  • ⏱️ Faster response cycles thanks to Bugbop's tooling
  • 💰 Total bounty spend: $1,075 USD across nine valid reports
  • 🔄 Ongoing visibility into researcher activity — without operational overhead

Why Gymdesk Chose Bugbop

  • Startup-friendly onboarding with hands-on support
  • Flexible budgeting and payout configuration
  • High signal-to-noise ratio from vetted researcher base
  • A platform designed for practical, real-world security feedback

"Bugbop helped us get set up for our first bounty program and get started — without getting overwhelmed. The findings were remarkable! It's now a valuable part of our ongoing security process."
Niall Richardson, CTO, Gymdesk

Ready to enhance your security with Bugbop?

Join organizations like Gymdesk that have discovered critical vulnerabilities and improved their security posture with our bug bounty platform.