Bug Bounty Programs are a boon for DevSecOps environments, according to the red team lead for offensive security at Gong, the revenue AI company.
Reflecting on his experience overseeing Gong’s crowdsourced security testing, Dean Dunbar explains how Bug Bounty accommodates rapid release schedules, recounts how scoping challenges were surmounted, and marvels at bounty hunters’ skills, tools and “passion for security”.
Gong empowers everyone on a modern revenue team to improve productivity, increase predictability, and drive revenue growth by deeply understanding customers and business trends and driving impactful decisions and actions. The Gong Revenue AI Platform captures and contextualises customer interactions, surfaces insights and predictions, and powers actions and workflows that are essential for business success. More than 4,500 companies around the world rely on Gong to unlock their revenue potential.
How has your private Bug Bounty Program evolved so far?
Dean Dunbar: We launched our Bug Bounty Program with a focused scope, initially targeting critical areas for our clients and product.
As we saw the value hunters brought to the table, we expanded the scope and adjusted bounties to attract even more top talent. It’s been an evolving process, and each round of feedback helps us refine the program to make it more impactful.
What is the biggest challenge you have faced and how have you overcome it?
DD: Scoping has been a moving target. A decade ago, scoping a bug bounty meant working with simpler CIDR ranges, but modern ecosystems might include cloud providers and SaaS providers.
As Gong’s infrastructure grew, our Bug Bounty scope had to adapt to keep pace. YesWeHack has been instrumental in making scope management easy, helping us maximise coverage while clearly defining out-of-scope areas.
Another challenge was managing test accounts for Bug Bounty researchers. YesWeHack has streamlined this with their credential pools, which allow researchers to access test credentials securely and efficiently.
This has been a game-changer, letting researchers dive deeper into testing our features without needing manual account setups. The credential portal is more secure than manual credential sharing.
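The scoping shift Dunbar describes, from plain CIDR ranges to a mix of address ranges, wildcard hostnames and explicitly excluded third-party SaaS endpoints, is easier to keep honest with a small checker. The following is an added example, not Gong's or YesWeHack's tooling: the policy values (RFC 5737/3849 documentation addresses and example.com-style hostnames) are constructed placeholders, and the rule that exclusions override inclusions is an assumption stated here rather than anything the interview specifies. Assets that match neither list are reported as "unlisted" rather than silently treated as out of scope, which is exactly the drift a growing scope tends to hide.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed example policy (hypothetical). Addresses are from the RFC 5737 /
# RFC 3849 documentation ranges and the hostnames are placeholders; none of this
# is a real programme's scope. "*.host" matches any subdomain, not the apex.
POLICY = {
    "in_scope": {
        "cidrs": ["203.0.113.0/24", "2001:db8:10::/48"],
        "hosts": ["*.app.example.com", "api.example.com"],
    },
    "out_of_scope": {
        # An excluded host inside an otherwise in-scope range, and a third-party
        # SaaS domain that hunters must not touch.
        "cidrs": ["203.0.113.250/32"],
        "hosts": ["status.app.example.com", "*.vendor-saas.example.net"],
    },
}


def normalise_asset(asset: str) -> str:
    """Reduce a URL, host:port, [v6]:port or bare host/IP to a lower-case host or IP."""
    asset = asset.strip().rstrip(".")
    try:
        # Bare IPs first: urlsplit would mis-parse an unbracketed IPv6 literal.
        return str(ipaddress.ip_address(asset))
    except ValueError:
        pass
    if "://" not in asset:
        asset = "//" + asset          # let urlsplit treat it as a netloc
    host = urlsplit(asset).hostname or ""
    return host.lower().rstrip(".")


def _host_matches(host: str, pattern: str) -> bool:
    """Exact match, or wildcard '*.suffix' requiring at least one extra label."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]          # ".app.example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def _matches(host: str, rules: dict) -> bool:
    """Match an IP against the CIDR list, anything else against the host list."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return any(_host_matches(host, p) for p in rules["hosts"])
    return any(addr in ipaddress.ip_network(c, strict=False) for c in rules["cidrs"])


def classify(asset: str) -> str:
    """Return 'in-scope', 'out-of-scope' or 'unlisted' for one asset.

    Assumption: explicit exclusions win over inclusions, so a host that is both
    inside an in-scope CIDR and on the exclusion list is out of scope.
    """
    host = normalise_asset(asset)
    if not host:
        return "unlisted"
    if _matches(host, POLICY["out_of_scope"]):
        return "out-of-scope"
    if _matches(host, POLICY["in_scope"]):
        return "in-scope"
    return "unlisted"


def classify_all(assets) -> dict:
    """Classify a batch, e.g. the host list from a recon run or a submission."""
    return {a: classify(a) for a in assets}


if __name__ == "__main__":
    # Constructed sample of assets a hunter might submit or a recon tool emit.
    sample = [
        "203.0.113.7",
        "203.0.113.250",
        "https://login.app.example.com/oauth",
        "status.app.example.com",
        "app.example.com",
        "https://[2001:db8:10::1]/",
        "files.vendor-saas.example.net",
        "API.example.com.",
    ]
    for asset, verdict in classify_all(sample).items():
        print(f"{verdict:13} {asset}")
```

Run it against the host list produced by a recon pass and review every "unlisted" line before the next scope update; those are the assets the policy has not yet caught up with.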
What has most surprised you about Bug Bounty?
DD: I’m consistently impressed by the depth of expertise among the hunters. Over the last decade, I’ve seen submissions from specialists who notice vulnerabilities that automated tools or standard processes would miss.
It’s a powerful reminder of the unique value that fresh perspectives bring.
What are your plans or hopes for how your crowdsourced security testing operation will evolve in the coming months or years?
DD: Looking forward, we plan to broaden the scope to cover more features as they roll out, attracting new talent to the program.
We’re also focused on making it easier for developers to incorporate findings into their workflows, streamlining how vulnerabilities are addressed.
Why did you choose YesWeHack over other platforms?
DD: YesWeHack has been the right partner for us because they make Bug Bounty management, triaging and communication straightforward, which is essential as we scale.
As a fast-growing company, finding tools that grow with us and offer real value can be challenging. YesWeHack provides a comprehensive, cost-effective solution that lets us focus on getting the most out of our program.
What are the most significant benefits of Bug Bounty?
DD: One of the biggest benefits is that it gives us constant security coverage. Unlike periodic tests, it’s ongoing, so we’re always aware of emerging threats.
We also benefit from the diverse perspectives of security researchers around the world, many of whom specialise in unique or niche vulnerabilities.
In what ways is Bug Bounty distinct from pentesting?
DD: Bug bounties are distinct from pentests in their scope and timing. A pentest is typically a time-boxed engagement that provides a snapshot of the application’s security at that moment.
A Bug Bounty, on the other hand, is ongoing and often involves many researchers with different skillsets. It lets us receive real-time feedback on our security as we release new features, rather than waiting for a scheduled test. This makes bug bounties especially valuable for fast-growing, frequently updated platforms like Gong.
What are the key factors for a successful Bug Bounty Program?
DD: Clear scopes and prompt response times are crucial. Hunters need to know exactly what’s in scope and what’s out, and they should receive quick, meaningful responses to their submissions.
Fair bounties and transparent communication build trust with hunters and motivate them to participate actively. It’s also important to have strong internal processes to handle triage and get findings to developers quickly so the vulnerabilities can be addressed efficiently.
Any advice for peers who are considering launching a Bug Bounty Program?
DD: I’d recommend starting with a private scope to understand the process without getting overwhelmed. Make sure you have resources dedicated to triaging and responding to submissions in a timely way, as this is key to maintaining hunter engagement.
Also, don’t rush to make it public right away – take time to refine your scope and process so it’s sustainable long-term. Finally, communicate clearly and openly with hunters to create a positive, collaborative experience for everyone involved.
Anything else to add?
DD: One of the best parts of managing a Bug Bounty program has been getting to know many of the top researchers across different platforms.
These top performers operate at an incredibly high level. They’ve often developed their own custom asset management tools, which let them respond almost instantly when new vulnerabilities are announced.
It’s a reminder of just how dedicated and skilled this global community is – full of resourceful, creative people with a real passion for security. Working with them has been both inspiring and a great learning experience, and it’s reinforced the value that a strong Bug Bounty Program can bring to a company.