Customer Story

How monday.com built one of tech's most efficient private bug bounty programs

By embedding HackerOne into its SDLC and automating remediation end-to-end, monday.com's small security team punches far above its weight.

Industry
Technology
Use Cases
AI, Crowdsourced Security, Exposure Management
Solutions
Bug Bounty, Hai
Regions
North America
Challenge

Complex product. Small team. Constantly shifting attack surface.

monday.com is deeply configurable, a platform where even power users don't know every corner. For security researchers operating in pure black-box mode, it's genuinely hard to explore. For a small security team, covering it continuously was harder.

Closed-source code makes black-box research especially challenging

Point-in-time pen tests couldn't keep pace with rapid feature shipping

Pivot to AI platform introduced entirely new vulnerability classes

Business logic flaws and chained attacks require adversarial, sustained testing

[Image: Running Hai on our Bug Bounty Program]
Solution

A private program running since 2018. Built for depth, not volume.

HackerOne predates monday.com's IPO, most of its security tooling, and much of its current scale. That longevity reflects a deliberate philosophy: curate a focused group of skilled researchers who develop genuine fluency with the platform, rather than opening to volume and noise.

Amit Levy came to monday.com already thinking like an attacker. He spent years earlier in his career on the offensive side. That background shapes how he runs the program: not as a compliance checkbox, but as the sharpest adversarial lens available to a small team.

End-to-end automation

Over time, the team built an end-to-end remediation pipeline that makes the program scalable for a lean team. monday.com built a direct webhook integration between HackerOne and their own platform, so every validated report flows automatically into their R&D workflow without manual handoff.

  1. HackerOne triage handles first-pass validation and researcher comms.
  2. Hai handles second-pass validation.
  3. Internal agent runs root cause analysis and code-level identification.
  4. Automated PR creation with suggested fix and developer SLA notification.
  5. Security team role becomes review and approval, not manual processing.
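The webhook hand-off at the front of this pipeline is the piece most teams get wrong: an endpoint that accepts unauthenticated or replayed events, or that creates a ticket for every state change rather than only for triage-validated reports, turns automation into noise. The following is an added illustration of how such a receiver can gate events into an R&D queue; it is not monday.com's or HackerOne's code, and the header names, the signature scheme, the payload shape and the "triaged" state name are assumptions made for the example.

```python
"""Webhook receiver that gates HackerOne report events into an R&D work queue.

Added example, not monday.com's or HackerOne's code. The header names, the
signature scheme, the payload shape and the 'triaged' state name are
ASSUMPTIONS made for illustration; check the real webhook docs before use.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

WEBHOOK_SECRET = b"example-shared-secret"  # constructed; keep the real one in a secret manager
ACCEPTED_STATES = {"triaged"}               # assumed: state set by first-pass triage
SLA_DAYS = {"critical": 3, "high": 7, "medium": 30, "low": 90}  # example policy, not monday.com's
MAX_SKEW_SECONDS = 300                      # drop events older than 5 min (replay defence)


def sign(body: bytes, timestamp: int, secret: bytes = WEBHOOK_SECRET) -> str:
    """HMAC-SHA256 over '<timestamp>.<body>', hex-encoded (assumed scheme)."""
    return hmac.new(secret, str(timestamp).encode() + b"." + body, hashlib.sha256).hexdigest()


def verify(body: bytes, headers: Dict[str, str], now: int, secret: bytes = WEBHOOK_SECRET) -> bool:
    """Authenticate before parsing: missing, stale or forged signatures are rejected,
    using a constant-time comparison so the endpoint does not leak the expected MAC."""
    ts = headers.get("X-Timestamp", "")
    if not ts.isdigit() or abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return False
    return hmac.compare_digest(sign(body, int(ts), secret), headers.get("X-Signature", ""))


@dataclass
class WorkItem:
    report_id: int
    title: str
    severity: str
    sla_due: int  # unix time by which the fix is expected


@dataclass
class Pipeline:
    seen: Set[int] = field(default_factory=set)    # idempotency: webhook senders retry
    queue: List[WorkItem] = field(default_factory=list)

    def handle(self, body: bytes, headers: Dict[str, str], now: int) -> str:
        if not verify(body, headers, now):
            return "rejected:signature"
        try:
            report = json.loads(body)["report"]
            rid = int(report["id"])
        except (ValueError, KeyError, TypeError):
            return "rejected:malformed"
        if rid in self.seen:
            return "ignored:duplicate"
        if report.get("state") not in ACCEPTED_STATES:
            return "ignored:state"        # only triage-validated reports reach R&D
        sev = str(report.get("severity", "")).lower()
        if sev not in SLA_DAYS:
            return "ignored:severity"
        self.seen.add(rid)
        self.queue.append(WorkItem(rid, str(report.get("title", "")), sev, now + SLA_DAYS[sev] * 86400))
        return "queued"


def _event(report: dict, now: int, secret: bytes = WEBHOOK_SECRET, ts: Optional[int] = None):
    """Build a signed (body, headers) pair for a constructed event."""
    body = json.dumps({"report": report}).encode()
    ts = now if ts is None else ts
    return body, {"X-Timestamp": str(ts), "X-Signature": sign(body, ts, secret)}


def demo() -> List[str]:
    """Run constructed events through the pipeline and return each outcome."""
    now = 1_700_000_000
    p = Pipeline()
    good = {"id": 101, "title": "IDOR on board export", "state": "triaged", "severity": "high"}
    return [
        p.handle(*_event(good, now), now),                                   # queued
        p.handle(*_event(good, now), now),                                   # retry of same id
        p.handle(*_event({**good, "id": 102, "state": "new"}, now), now),    # not yet triaged
        p.handle(*_event({**good, "id": 103}, now, secret=b"wrong"), now),   # forged signature
        p.handle(*_event({**good, "id": 104}, now, ts=now - 3600), now),     # replayed, stale
    ]
```

The ordering matters: authenticate, then parse, then deduplicate, then apply policy. Putting the state gate after deduplication means a report that arrives first as "new" and later as "triaged" is still queued once, since only accepted reports are recorded as seen.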


Impact

Efficiency gains that changed how engineering thinks about security.

The operational efficiency that followed also made it easier to win cross-functional alignment and to advocate for Amit's security initiatives.

This cultural shift matters as much as the numbers. When monday.com's R&D team requested a HackerOne campaign for a new product launch without being asked, Amit knew the program had earned organizational trust.

70-80%
Reduction in effort to validate and process a bug report
90%
Alignment between HackerOne Triage verdicts and internal team
+57% YoY
212 researchers submitted reports in 2025, up from 135 in 2024
127% above goal
Exceeded target valid reports per month by 127% on average in 2025

On top of the program growth, Amit uses the monday.com platform to monitor the following metrics in live dashboards:

  • Hacker satisfaction = repeat submissions as a proxy for engagement; SLA on validation and payment.
  • Signal-to-noise ratio = ratio of valid reports to total submissions; focus on high/critical severity findings.
  • Time-to-first-finding after feature launch = the gap between shipping a feature and receiving the first submission against it, which he aims to minimize; he also tracks total researcher effort spent per feature as a security assurance metric.
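The three metrics above are simple to state but easy to compute inconsistently (counting invalid reports toward time-to-first-finding, or measuring payment SLA from submission instead of from the verdict). The following is an added example, not monday.com's dashboard code, showing one consistent set of definitions over constructed report and feature records; the field names are assumptions, and "researcher effort per feature" is approximated by submissions per feature, which is also an assumption.

```python
"""Program-health metrics of the kind described above, computed from report records.

Added example, not monday.com's dashboard code. The Report/Feature fields and
the sample data are CONSTRUCTED for illustration; "researcher effort per feature"
is approximated here by submissions per feature, which is an assumption.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Report:
    id: int
    researcher: str
    submitted: date
    decided: Optional[date]     # date triage reached a verdict (None = still open)
    paid: Optional[date]        # bounty payment date (None = unpaid / invalid)
    severity: str               # "critical", "high", "medium", "low" or "none"
    valid: bool
    feature: Optional[str]      # feature the report targets, if attributable


@dataclass(frozen=True)
class Feature:
    name: str
    launched: date


def signal_to_noise(reports: List[Report]) -> float:
    """Share of submissions that were valid."""
    return round(sum(r.valid for r in reports) / len(reports), 3) if reports else 0.0


def high_critical_share(reports: List[Report]) -> float:
    """Among valid reports, the share rated high or critical."""
    valid = [r for r in reports if r.valid]
    hits = [r for r in valid if r.severity in ("high", "critical")]
    return round(len(hits) / len(valid), 3) if valid else 0.0


def repeat_submitter_rate(reports: List[Report]) -> float:
    """Fraction of researchers who submitted more than once (engagement proxy)."""
    counts = Counter(r.researcher for r in reports)
    return round(sum(1 for c in counts.values() if c > 1) / len(counts), 3) if counts else 0.0


def sla_days(reports: List[Report]) -> Dict[str, float]:
    """Median days from submission to verdict, and from verdict to payment."""
    validate = [(r.decided - r.submitted).days for r in reports if r.decided]
    pay = [(r.paid - r.decided).days for r in reports if r.paid and r.decided]
    return {"validation": float(median(validate)) if validate else 0.0,
            "payment": float(median(pay)) if pay else 0.0}


def time_to_first_finding(reports: List[Report], features: List[Feature]) -> Dict[str, Optional[int]]:
    """Days from a feature's launch to the first *valid* report against it (None = none yet)."""
    out: Dict[str, Optional[int]] = {}
    for f in features:
        hits = [r.submitted for r in reports
                if r.valid and r.feature == f.name and r.submitted >= f.launched]
        out[f.name] = (min(hits) - f.launched).days if hits else None
    return out


def effort_per_feature(reports: List[Report]) -> Dict[str, int]:
    """Submissions (valid or not) per feature, as a proxy for researcher effort spent."""
    return dict(Counter(r.feature for r in reports if r.feature))


# Constructed sample data: three launches, six reports from four researchers.
FEATURES = [Feature("automations-v2", date(2025, 3, 1)), Feature("ai-blocks", date(2025, 4, 10)),
            Feature("docs-embed", date(2025, 5, 1))]  # no reports yet
REPORTS = [
    Report(1, "alice", date(2025, 3, 4), date(2025, 3, 5), date(2025, 3, 12), "high", True, "automations-v2"),
    Report(2, "bob", date(2025, 3, 6), date(2025, 3, 7), date(2025, 3, 20), "medium", True, "automations-v2"),
    Report(3, "alice", date(2025, 4, 12), date(2025, 4, 13), date(2025, 4, 18), "critical", True, "ai-blocks"),
    Report(4, "carol", date(2025, 4, 15), date(2025, 4, 16), None, "none", False, None),
    Report(5, "bob", date(2025, 4, 20), date(2025, 4, 22), date(2025, 5, 1), "low", True, "ai-blocks"),
    Report(6, "dave", date(2025, 4, 25), date(2025, 4, 27), None, "none", False, "ai-blocks"),
]


def dashboard(reports: List[Report] = REPORTS, features: List[Feature] = FEATURES) -> dict:
    """All metrics in one dict, the shape a live dashboard would poll."""
    return {
        "signal_to_noise": signal_to_noise(reports),
        "high_critical_share": high_critical_share(reports),
        "repeat_submitter_rate": repeat_submitter_rate(reports),
        "sla_days": sla_days(reports),
        "time_to_first_finding": time_to_first_finding(reports, features),
        "effort_per_feature": effort_per_feature(reports),
    }
```

Note that effort per feature deliberately counts invalid submissions while time-to-first-finding counts only valid ones: the first measures how much attention a feature drew, the second how quickly that attention produced a real bug.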

What’s Next?

As monday.com deepens its AI platform strategy, Amit points out that HackerOne has become even more critical, not less. monday.com is using skilled researchers to learn what prompt injection and jailbreaking look like in practice, at the hands of people who have already figured out how to do it.

"The best way to learn about new AI vulnerabilities is to give HackerOne researchers the opportunity to break us and to teach us." — Amit Levy, Head of AppSec at monday.com