Case Study: Gymdesk - Critical Bugs Missed by Pentests

Client: Gymdesk

Industry: Fitness SaaS

Platform: Web, Android, iOS

Site: gymdesk.com

Program Type: Cash Bug Bounty

Spend: $1,231.50 USD

Overview

Gymdesk, a leading gym management platform, worked with Bugbop to launch a bug bounty program that would supplement their existing security efforts. Having already completed two professional penetration tests in the past year, they were looking for broader and continuous coverage.

The Challenge

Gymdesk wanted to:

  • Check if any edge-case vulnerabilities had not surfaced during previous penetration tests
  • Run a continuous program to catch bugs from new development
  • Maintain a tight scope and budget
  • Get good, actionable reports without noise

Bugbop Solution

Bugbop guided Gymdesk through onboarding, helping:

  • Define and scope out a public program
  • Draft a disclosure policy, including Safe Harbor and testing guidelines
  • Set modest payout ranges from $20 to $500 based on severity
  • Use webhooks to automate the security team's workflows

This setup gave researchers clear boundaries and enabled Gymdesk's team to move quickly on valid findings.

30-Day Results

Severity   Count   Description
Critical   1       Misconfigured access control on an admin endpoint
High       1       Exposure of sensitive system files
Medium     6       A mix of input validation issues (XSS), CSRF risks, and client-side flaws
Low        1       Minor information disclosure

All valid issues were triaged within days, and Gymdesk began rolling out fixes immediately. Several issues had persisted undetected through the prior pentesting efforts.

"We thought it would mostly surface edge cases, but researchers found real, impactful bugs we hadn't seen before."
Niall Richardson, CTO, Gymdesk

Value Delivered

  • Expanded vulnerability coverage beyond what the two pentests had revealed
  • Faster response cycles and engaged bug hunters thanks to Bugbop's tooling
  • Total bounty spend: $1,075 USD across nine valid reports
  • Ongoing visibility into researcher activity without operational overhead

Why Gymdesk Chose Bugbop

  • Startup-friendly onboarding with hands-on support
  • Flexible budgeting and payout configuration
  • High signal-to-noise ratio from vetted bug hunters
  • A platform designed for practical, real-world security feedback

"Bugbop helped us get set up for our first bounty program and get started without getting overwhelmed. The findings were remarkable! It's now a valuable part of our ongoing security process."
Niall Richardson, CTO, Gymdesk
