100% free — no contracts, no sales calls
Free bug bounty platform for indie SaaS
Find security holes before hackers do. List your SaaS for free, set bounties that fit your budget, and let ethical hackers secure your app. No enterprise pricing. You only pay for valid bugs.
No credit card required. No platform fees ever.
List in 5 minutes
Add your SaaS, set bounty rates ($50-$500), define your scope
Researchers hunt bugs
Security researchers test your app and submit detailed reports
Pay only for real bugs
Review, validate, fix — you only pay for reports you accept
How patchlist works
From signup to security reports in minutes
No approval queues. No sales calls. No 6-week onboarding. Create an account, list your product, define your scope, and let researchers start testing. That's it.
Post your bounty
List your product, define the scope, set bounty rates by severity level.
Receive reports
Researchers find vulnerabilities and submit detailed reports with proof of concept.
Validate & fix
Review the report, reproduce the bug, and patch the vulnerability.
Pay the researcher
Accept the report and pay the bounty directly. No middleman fees.
Why patchlist
Enterprise security without the enterprise BS
Traditional platforms want compliance checklists, annual contracts, and sales calls before you can even list a product. You just need someone to tell you if there's a hole in your auth flow. We built patchli.st for indie hackers, bootstrapped founders, and small teams who care about security but won't pay $50k/year for the privilege.
100% free
No subscriptions, no platform fees, no commissions. We make $0 from your bounties.
No contracts or sales calls
No legal team required. No 6-month procurement process. Sign up and list in 5 minutes.
Researchers get 100%
Pay researchers directly. Every dollar you offer goes to the researcher who finds the bug.
No middleman
Talk directly with researchers. No account managers filtering your reports.
Budget-friendly bounties
Start at $50 for low severity. Increase as you grow. No minimum spend requirements.
You decide what's valid
Review every report. Accept, reject, or mark as duplicate. You only pay for bugs you confirm.
Bottom line: Enterprise platforms charge $50k/year. We charge $0. You just pay researchers directly for valid bugs.
Who is this for
Built for founders and researchers who skip the bureaucracy
No enterprise sales teams. No approval queues. No minimum commitments. Just founders who need security testing and researchers who want to get paid for finding bugs.
Founders
Sleep better knowing your app is tested
- List your SaaS in 5 minutes
- Set bounties from $50 to $500+ per bug
- Get detailed reports with proof of concept
- Only pay for bugs you accept
Researchers
Get paid to break things (legally)
- Browse real products with real bounties
- Clear scope — know exactly what to test
- Talk directly with founders, no gatekeepers
- 100% of bounties go to you — we take $0
Free Security Scanner
Is your SaaS leaking secrets?
Find out in 30 seconds. Our free scanner checks for missing security headers, exposed config files, and common misconfigurations that hackers look for first.
- Security headers analysis
- Exposed files detection
- Supabase/Firebase RLS checks
- Shareable results page
Free with signup. Results in 30 seconds.
Frequently asked questions
Common questions about bug bounties
New to bug bounty programs? Here are answers to the most common questions from founders and startups who are considering launching their first vulnerability disclosure program.
Your next vulnerability is waiting to be found
The question is: will a security researcher find it and tell you responsibly? Or will someone else find it first? List your product for free, set bounties that fit your budget, and only pay for real bugs.
Start securing my SaaS
100% free. No credit card. Setup takes 5 minutes.