The Accra surprise effect
In September 2025, an Accra edtech opened a private HackerOne bug bounty program with 25 invited researchers. Over 6 months, 47 confirmed vulnerabilities surfaced, including 4 critical (RCE on the mobile API, IDOR on student grades, parent account takeover via password reset, JWT tokens leaking in logs). Total rewards paid: $11,200 (6.8M FCFA). The CTO told us: "We had budgeted $18,000 for our first pentest. We pushed it back 9 months and we're better at security than we would have been after the pentest alone."
That's the real promise of a bug bounty program for an African startup: convert a security budget into a continuous stream of findings, rather than an annual snapshot.
Bug bounty vs pentest: not the same thing
Many founders ask "bug bounty or pentest?". The answer is almost always both, at different moments.
A pentest is a bounded engagement: defined scope, fixed duration, single report, delivered by 1-2 people in 5-15 days. It gives you a baseline and a document to show an auditor.
A bug bounty is a continuous stream: 5 to 300+ researchers look whenever they want, and you pay per finding. It catches daily regressions, new features, and bugs nobody would have found in 10 concentrated pentest days.
For a seed-stage startup with 200-2000 users, starting with a private bug bounty program is often smarter than rushing into an expensive pentest.
Platforms and their pricing
| Platform | Access fee | Strengths / setup | Target |
|---|---|---|---|
| HackerOne | $0 private / ~20% commission | Most recognized, strict scope | Serious SaaS, Series A+ |
| Bugcrowd | $0 private / ~20% commission | Strong internal triage | High-volume enterprises |
| YesWeHack (FR) | $0 private / ~20% commission | EU + francophone Africa community | EU / francophone SaaS |
| Intigriti (BE) | $0 private / ~20% commission | Strong EU side | European SaaS |
| Self-hosted program | $0 | security.txt page + email | Pre-seed without platform budget |
The real cost is not platform access — it's free in private mode — but the rewards you pay researchers. Typical 2026 ladder:
- Low: $50-150 (30-90k FCFA)
- Medium: $250-500 (150-300k FCFA)
- High: $1,000-2,500 (600k-1.5M FCFA)
- Critical: $3,000-7,500 (1.8-4.6M FCFA)
For a seed SaaS, plan a monthly bounty budget of $1,500 to $3,500 (900k - 2.1M FCFA) the first year. You'll scale this budget once you go public.
Private first, public later
The classic mistake: opening a public program too early. You get 200 reports in 48h, of which 180 are duplicates or out of scope, your tech team drowns, you pay $4,000 to a script kiddie for an XSS on a forgotten marketing subdomain.
The healthy sequence: private invited program (10-30 researchers selected on their platform reputation signal), tight scope, 3 to 6 months of calibration, then gradual opening to more researchers, then finally public if relevant. Many excellent B2B SaaS never go public — no need.
Triage, the real hidden cost
Each report needs triage: reproduce it, qualify it, classify it with CVSS, discuss it with the researcher, and validate the reward. Plan 30 minutes to 3 hours per report for a well-run program. For an edtech with 50 valid reports/year, that's ~80 tech hours, or ~$3,200 at internal cost.
On HackerOne and Bugcrowd, you can pay their triage team (managed service) between $1,500 and $4,000/month. Worth considering past 30 reports/month.
Fatal mistake: not paying
A Kenyan fintech we supported accepted 8 findings and "forgot" to pay for 3 months. Result: the 3 best global researchers on their stack stopped looking, and one tweeted "X.io ghosts researchers." The program took 14 months to recover. Paying within 7 days after triage is non-negotiable.
FAQ
How many researchers to invite at launch?
10 to 25 top-100 platform researchers, selected on their track record with your stack (Next.js, Node, Postgres, AWS, mobile React Native, etc.).
Need a bounty program before SOC2/ISO?
Not mandatory. But having an active program for 6+ months considerably reassures the SOC2 auditor on the "vulnerability management" control.
What if I have no reward budget?
Launch a '/.well-known/security.txt' page with your security@ email. Without rewards you'll mostly get amateur reports, but that's still better than nothing.
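For the self-hosted option, here is an added Python example (not code from the original post) that writes a security.txt with the two fields RFC 9116 makes mandatory, Contact and Expires, and checks an existing file for the usual mistakes: no Expires line, an expired file, or a bare e-mail address instead of a mailto: URI. The domain, address and dates are constructed.

```python
# Added example (not from the original post): build a /.well-known/security.txt
# per RFC 9116 and sanity-check it. Domain, address and dates are constructed.
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"          # Expires is an RFC 3339 timestamp; UTC "Z" form only here
REQUIRED = ("Contact", "Expires")   # both fields are mandatory in RFC 9116

def build_security_txt(contact_email, policy_url, now, validity_days=180):
    """Return the file body for a self-hosted, no-platform program."""
    expires = (now + timedelta(days=validity_days)).strftime(FMT)
    return "\n".join([
        "# Security contact (constructed example)",
        f"Contact: mailto:{contact_email}",
        f"Expires: {expires}",          # without this line the file is invalid
        f"Policy: {policy_url}",        # where scope and safe-harbour terms live
        "Preferred-Languages: fr, en",
    ]) + "\n"

def parse_security_txt(body):
    fields = {}  # field name -> list of values; comments and blank lines skipped
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def check_security_txt(body, now):
    """Return a list of problems; an empty list means researchers can rely on the file."""
    fields, problems = parse_security_txt(body), []
    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field: {name}")
    expires = fields.get("Expires", [])
    if expires:
        try:
            exp = datetime.strptime(expires[0], FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            problems.append("Expires is not an RFC 3339 UTC timestamp")
        else:
            if exp <= now:
                problems.append("file has expired; the contact is treated as stale")
    for c in fields.get("Contact", []):
        if not c.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {c}")
    return problems

NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)   # constructed "today"
SAMPLE = build_security_txt("security@example-edtech.sn", "https://example-edtech.sn/security", NOW)
```

Re-run the check from a cron job before the Expires date: a stale file is the most common reason researchers give up on a self-hosted contact.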
Can researchers leak my vulnerability?
On private HackerOne/Bugcrowd programs, implicit NDA and platform history make this very rare. It's the upside of paid platforms vs self-hosted.
Launch your program
Want a private bug bounty program ready in 2 weeks, scoped, with a reward ladder calibrated to your runway? We support you from platform choice to first payout. WhatsApp +221 77 596 93 33 or /en/free-quote.
Mohamed Bah
Founder, Kolonell
Passionate about digital and entrepreneurship in Africa, Mohamed has been helping Senegalese businesses with their digital transformation since 2020. Founder of Kolonell, he believes every SME deserves a professional and accessible online presence.