Bug Bounty Program Canceled

Why I'm Canceling My Bug Bounty Program

After a full year of maintaining an active bug bounty program for Monitorator, I've made the difficult decision to cancel it. As an indie developer managing this project solo, I believe my experience might resonate with others in the same situation.

The Context: A Side Project with Good Intentions

Monitorator is my personal project. I develop it in my free time, handling everything: the code, marketing, support, finances. Like many indie developers, security has always been a concern, but resources are limited.
Implementing a bug bounty program seemed like the perfect solution: get external help finding vulnerabilities without hiring a security team. In theory, brilliant. In practice, it became my worst nightmare.

The Tsunami from Day One

Within a week of publishing the security.txt file, my quiet side project became a battlefield. Apparently, there are automated systems constantly crawling the internet looking for these files, and when they find a new one, the siege begins.
Suddenly, I was spending more time managing false reports than developing new features. For someone doing this in their spare time, it was devastating.

The Numbers After One Year

During this entire time:

  • Reports received: Hundreds
  • Real vulnerabilities: One (1)
  • Spam accounts deleted: Over 50 in the worst month
  • Hours lost: Countless, responding to nonsense emails

The most frustrating part: even the single legitimate payment became a problem. After weeks of waiting, I received the invoice and paid immediately. Then my accountant informed me it wasn't valid. When I asked for a correct invoice, the researcher disappeared, leaving me with a tax mess.

The Pattern That Destroys Personal Projects

I've identified a toxic cycle that any indie developer will recognize:

  • Monday: You receive a vague report that could apply to any website
  • Tuesday: You politely respond explaining why it's not a vulnerability
  • Wednesday: You receive a more aggressive response with nonsensical arguments
  • Thursday: The exchange continues, stealing development time
  • Friday: Instead of launching that new feature, you're still in email ping-pong

Multiply this by several simultaneous "researchers" and you'll understand why my project nearly ground to a halt.

Real Cases That Defy All Logic

"Critical Account Deletion"

Someone created a test account (name contained "test"), and from the same email asked me to delete it. It was an account less than 6 hours old, with no content or subscription. As an admin, I deleted it like I would any spam. They then claimed €500 alleging a critical vulnerability because I had deleted "their" account when they themselves requested it.

"No Login Rate Limiting"

They bombarded the login form with thousands of automated requests. They claimed to have "user passwords" (impossible; I use magic links without passwords). The only real impact: it costs me money for each email sent, but it's not a security issue.
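A defender's mitigation for the cost impact described above, added here as an example and not Monitorator's own code: a sliding-window limiter on the magic-link request endpoint, keyed by both the requested address and the client IP, so an automated flood of thousands of requests triggers only a handful of outbound emails. The limits, key names and in-memory store are assumptions; the response text is identical whether or not an email was sent, so the endpoint does not reveal which addresses exist.

```python
import time
from collections import defaultdict, deque

# Assumed limits (not from the post): (max events, window in seconds).
EMAIL_LIMIT = (3, 600)   # at most 3 emails per address per 10 minutes
IP_LIMIT = (10, 600)     # at most 10 link requests per client IP per 10 minutes


class SlidingWindowLimiter:
    """Counts events per key in a trailing window (in-memory store, assumed)."""

    def __init__(self):
        self._events = defaultdict(deque)

    def allow(self, key, limit, window, now):
        q = self._events[key]
        while q and now - q[0] >= window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= limit:
            return False
        q.append(now)
        return True


class MagicLinkGate:
    """Decides whether a magic-link request may cost an outbound email."""

    def __init__(self, send_email):
        self._send = send_email            # callable that actually sends mail
        self._limiter = SlidingWindowLimiter()

    def request_link(self, email, client_ip, now=None):
        now = time.monotonic() if now is None else now
        email_key = "email:" + email.strip().lower()   # normalise case/whitespace
        ip_key = "ip:" + client_ip
        # Check the IP budget first: a flood from one IP against one address
        # is cut off at the IP, not charged against that address's own budget.
        ip_ok = self._limiter.allow(ip_key, *IP_LIMIT, now=now)
        email_ok = ip_ok and self._limiter.allow(email_key, *EMAIL_LIMIT, now=now)
        if ip_ok and email_ok:
            self._send(email)
        # Same answer in every case, so the reply leaks neither registration
        # status nor the fact that the caller was rate limited.
        return {"status": "If that address exists, a link is on its way."}
```

In production the deque store would be replaced by a shared store such as Redis so the budget holds across application instances.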

"Admin Access with Corporate Emails"

They reported that registering with @monitorator.com gives admin access (completely false). Any registration enters as a basic user without special permissions, and without access to that mailbox you can't log in due to the magic links.

"Malicious Redirect (Open Redirect)"

A user put external links in fields on their own profile (which only they see) and reported it as a vulnerability. This isn't an open redirect - it's content controlled by the user in their personal space.

"Persistent Session Tokens"

After several emails, they sent a video "demonstrating" that logout didn't work. Upon review, I saw they were intentionally doing the logout incorrectly. When I pointed out the error step by step, they admitted they "maybe" hadn't done it right.

"Race Condition in Projects"

Violating the program rules (no concurrent requests), they tried to create multiple projects simultaneously. It might be a minor business logic issue, but not security. They threatened me when I refused payment.

The Only Real Bug: "Information Disclosure"

Usernames visible in URLs when they shouldn't be. I waited almost a month for the invoice; when it arrived, I paid immediately. Later my accountant informed me the invoice wasn't valid/real and that I needed a correct one for tax purposes. When I asked the researcher for a valid invoice, they disappeared. I was left with the tax problem and the payment already made.

The AI Factor: When Bots Respond to Bots

My feeling is that artificial intelligence has exponentially worsened the situation. I receive emails clearly generated by AI, and when I respond, the replies also seem automatically generated. It's an absurd ping-pong where:

  • Initial reports are generic templates with minimal modifications
  • My technical responses receive vague counterarguments that completely ignore my points
  • Conversations lose coherence after 2-3 exchanges
  • In many cases, the responses don't even make sense in context

Additionally, there are bots (with or without AI) running the most basic security tests against any website. In my case, since I use established and well-maintained software, these "bugs" are already solved at the base level. All these automated attacks achieve is:

  • Multiple concurrent requests from various IPs
  • CPU spikes above 80%
  • Excessive RAM consumption
  • Aggressive crawling of every URL they find

They're basically denial-of-service attacks disguised as "security research."

An Unexpectedly Positive Conclusion

Ironically, this year of torture has given me something valuable: confirmation that my software is secure.
If out of almost 200 reports only one was real (a minor misconfiguration in profile URLs), I can conclude that:

  • My way of working produces fairly secure software
  • The architectural decisions I've made are solid
  • The level of "testing" they're doing is so low it gives me confidence

If these are the attacks they're attempting, and they only found a minor misconfiguration, I wonder what they're finding in other projects. The quality of these "security tests" is so poor that, paradoxically, they've confirmed I'm doing things right.

The Real Cost for an Indie Developer

When you handle everything yourself, every hour counts. The real impact has been:

  • Development paralyzed: Hours spent responding to false reports are hours not improving the product
  • Accelerated burnout: The constant feeling of being manipulated while trying to maintain professionalism
  • Motivation destroyed: Watching your passion project become a constant source of stress
  • Legal problems: Even when trying to do things right, you end up with tax issues

My New Approach

I've definitively canceled the public bounty program. My focus now is:

  • Open channel: I maintain [email protected] for genuine reports, but without predefined rewards
  • No obligations: If someone reports something real and communicates professionally, I might consider compensation, but with no commitment
  • Secure code: I continue focusing on writing secure code from the start, as I've always done
  • Continuous learning: I keep learning from other indie projects about best practices for security, performance, and data protection

I've become deeply disenchanted with bounty programs and all their consequences. I won't implement one again.

Advice for Other Indie Developers

If you're considering a bug bounty for your side project:

  • Think three times: The cost in time and mental health can kill your project
  • If you do it: Be ultra-specific about what you accept as a valid vulnerability
  • Prepare for spam: You'll have bots from day one
  • Recommended alternative: Exchange security reviews with other trusted developers
  • Protect your time: It's your most valuable resource as an indie

Final Reflection

Bug bounties were born to improve internet security. It's sad to see how they've become an attack vector against small projects.
To legitimate researchers: I know you exist and I value your work. I'm sorry that others have corrupted the system.
To those who see side projects as easy targets: you're killing indie innovation. Every developer who abandons their project because of you is one less idea in the world.

The Journey Continues

Monitorator will continue, stronger and with lessons learned. Sometimes, saying "no more" is the right decision to protect what you build with passion.
If you're an indie developer in a similar situation, you're not alone. Protect your time, your energy, and your project. They're too valuable to waste on those who don't respect your work.

Robert Menetray
Indie Developer and Creator of Monitorator
September 2025