AI slop killed bug bounties. We fixed them.

Every bounty inbox is drowning in fabricated reports from people who let an LLM write their first vulnerability and called it a day. We built a six-layer gauntlet that throws those out before a developer ever sees them, so real researchers get paid for real work.

01 · The problem

What we're up against

“I found a critical SQL injection in your /favicon.ico endpoint.”

Buried in the noise are the real findings. Triage teams burn out chasing fabricated reports, and the genuine vulnerability sitting three rows down gets closed unread.

Received · Last 24h · Blocked (reason)

13:42:19 · Race condition in /api/health (CVSS 9.8) · Endpoint is static
13:38:02 · Auth bypass via cookie tampering · No cookies set
12:51:44 · RCE through SVG parser · Hallucinated payload
11:09:33 · Prototype pollution in vite.config.ts · Not a runtime file
10:55:11 · Time-of-check race in static asset CDN · Cannot reproduce
09:14:08 · XXE in JSON parser · Not XML

02 · The gauntlet

The gauntlet

01 · Identity Screen
02 · Reputation Gate
03 · Structured Proof
04 · Behavioral Analysis
05 · Duplicate Detection
06 · Live Verification

Example · Inbound report

SQL injection in /api/v1/login via username parameter

The login endpoint reflects the username parameter directly into a SQL query. Sending 5' OR 1=1-- returns HTTP 500 with SQLSTATE[42000], confirming the injection.

CVSS 9.1 · Auto-tagged: critical

GATE 01 · IDENTITY SCREEN

Account eligibility screening

/signup · identity check
email · noah@acmecorp.io · ✓ ELIGIBLE
stripe · acct_1Nk2Xp · connected · ✓ VERIFIED
→ identity confirmed · ready to submit

03 · Why developers run programs here
01

You only see real work

Slop blocked before triage. Your time goes to actual findings.

02

Researchers paid same day

Stripe Connect, no invoice limbo. Builds trust both ways.

03

Auto-detected scope

Cloudflare-grade boundaries. No more 'is /admin in scope?'

04

Public response time

Researchers see how you operate before they submit.

04 · Pricing

Pick a plan and run a program.

Basic

£14.99/mo

1 live product

  • 1 live product
  • HTTP probe auto-reproduction (25/day)
  • 25 manual re-runs per hour
  • Ownership verification
  • Researcher messaging
  • Stripe payout workflow
  • AI Fix included

Pro

Most popular
£39.99/mo

5 live products

  • 5 live products
  • Everything in Basic
  • HTTP + Headless browser reproduction
  • 100 units/day · 75 re-run units/hr
  • Shared product workspace
  • AI Fix included

Elite

£69.99/mo

Unlimited live products

  • Unlimited live products
  • Everything in Pro
  • HTTP + Headless + Agentic AI reproduction
  • 500 units/day · 250 re-run units/hr
  • AI Fix included
  • Portfolio-wide coverage
  • Best fit for multi-brand teams

List your product

Run your product's vulnerability reports through The Gauntlet.