Bug Bounty doesn’t uncover theoretical threats “but things that matter – threats that can actually happen,” says Amiran Alavidze, Director of Security Engineering at Zello, a US-based voice-first communication company. “Any signal like that is super valuable.”
Launched in 2025, Zello’s Bug Bounty Program currently covers its core product: a voice-first, push-to-talk communication platform for frontline workers that turns “any device into the best radio on the planet” and turns frontline talk into operational insight with AI. Zello, which was founded in Austin, Texas in 2012, serves customers across aviation, retail, transportation and logistics, construction, hospitality, manufacturing and emergency response, among others. Zello is used by thousands of organisations worldwide and has been recognised by The Wall Street Journal, New York Times, CBS, CNBC, USA Today and TechCrunch.
YesWeHack’s triage team validates the exploitability of Bug Bounty findings before relaying them to Zello’s security team – a stark contrast to automated tools, notes Amiran. A vulnerability scanner might surface “a ‘critical’ issue in a component, but the way we use it, it’s not actually a critical issue for our product,” he explains.
“The Bug Bounty reports are really good quality in general,” continues Amiran, recalling two critical findings in particular. “I was glad that we found those pretty early on and fixed them quickly because it could have been a major headache down the road.”
Security by design
But Zello’s program offers security benefits beyond the discovery of existing vulnerabilities, Amiran suggests; it also delivers intelligence that can be used to reduce the risk of similar flaws recurring.
“As a product security leader, you want as much signal about your applications as you can get,” he explains, including vulnerability trends that “give you ideas of which areas you need to put more attention into, by introducing additional tools, processes or standards so you can systemically address those issues.”
According to Amiran, “there’s definitely been adjustments in how we handle vulnerabilities in general,” with plans for service-level agreements for bugs of all kinds – not just security flaws – now on the agenda.
Supporting EU expansion
YesWeHack stood out among competing Bug Bounty platforms on two fronts in particular. “One is a white-glove approach: we felt we’d get much better support in selecting the right researchers,” he explains. “And the vetting mechanism YesWeHack has in place was a big plus. It was a talking point when we sold the program internally to the executive team. We said: ‘you don’t just give them free rein: there’s parameters and ways to pick the researchers that ultimately make it trustworthy’.”
The second driver of Zello’s decision to partner with YesWeHack “was quite extensive plans to expand into the EU, where there’s a completely different regulatory profile.” He adds: “There are different questions, especially around privacy, that those customers care about. We thought working with an EU-based partner would give us additional signal we can talk about to customers.”
Understandably, Amiran’s first-ever Bug Bounty launch raised questions about resources and readiness. “Would we cope?” They did.
“The launch was pretty smooth,” he recalls, citing a hassle-free onboarding process and crediting their customer success manager (CSM) with setting clear expectations at the outset. “The YesWeHack team had a really good handle on launching the program in a way that didn’t completely overwhelm us. Starting with a private program, a careful approach to curating the hunters and gradually increasing that pool to balance incoming reports with our ability to address them – all that worked well for us.”
The attentive support continued beyond the launch phase, both through scheduled reviews and ad hoc when the need arose. “They’re really good in terms of being proactive and reaching out with suggestions,” such as recommending an increase in the hunter pool when “there’s been a levelling off in the number of reports”, says Amiran.
‘Not set and forget’
Not that all this ‘handholding’ means a hands-off approach is feasible. “I spent more time than I’d expected on the logistics of flowing reports into our Jira system to the right team, assigning the right internal labels for tracking etc,” Amiran concedes. “I’m not saying it’s overwhelming, but it requires your ongoing attention – it’s not a set-and-forget kind of thing.”
The new responsibilities also demanded some “level-setting” with engineering teams. “Suddenly we had more security tickets going to the engineering teams, so we gave them a heads up prior to launch to ensure that the high-severity tickets were paid attention to.”
Again, the workload was eased – and prioritisation enhanced – by support from YesWeHack. “I’m amazed at how good the triage team is at articulating the attack path, the impact and why it’s an issue.” The triage team’s expertise in setting suitable severity scores was particularly valuable, given that Zello found this “a bit tricky” to do internally.
Expanding the scope
Advice from the CSM based on the experiences of customers with similar profiles, combined with a flexible platform and a Jira integration that “works really well”, provides a solid foundation for productive experimentation and continuous optimisation.
The scope was briefly expanded beyond Zello’s core product to back-end systems, “but that created more activity than we could handle at the time, so we scoped back to the original scope,” says Amiran. “The team at YesWeHack guided us through it and had good suggestions of what to do, what not to do.
“We went a bit too quickly, but we ultimately do want to expand the scope as we gain confidence – maybe even later this year or early next year. Long term, our plan is to become internally mature enough to handle the load of making the program public.”
Bug Bounty, pentests and compliance
With regulations catching up to the need for continuous testing in the age of AI-assisted attackers, Zello’s Bug Bounty success has prompted reflections on the role of pentests. Although many customers still require that Zello conducts annual pentests, the Bug Bounty Program “probably delivers more value”.
Amiran describes Bug Bounty as a “free for all. It’s very flexible: whatever you find, report it and we’ll pay the bounty. Pentests maybe don’t go as deep, but they go pretty wide and there’s an expectation that certain things will be covered and obvious gaps reported. So we’re wondering if we can convince customers that maybe we don't need a pentest; maybe we could reframe the Bug Bounty Program to cover their requirements?”
He adds: “I’m sure we can work with the auditors to satisfy their control requirements with the Bug Bounty program.”
Has Zello developed any metrics for measuring ROI? “We haven’t landed on a set of metrics yet,” replies Amiran. “I think longer term it will become more important for us to come up with metrics to make sure we’re getting ongoing value.”
However, the value seems clear enough so far: “it’s an obvious success based on things we’ve found. Ultimately, this is probably the biggest bang for your buck in terms of human or manual testing that you can get.”
WANT TO LAUNCH A BUG BOUNTY PROGRAM?
Is your security team managing a Bug Bounty Program yet? Schedule a Bug Bounty consultation to find out more about the benefits of crowdsourced security testing and how this model can be adapted to the specific needs of your organisation.



