How monday.com built one of tech's most efficient private bug bounty programs
By embedding HackerOne into its SDLC and automating remediation end-to-end, monday.com's small security team punches far above its weight.
Complex product. Small team. Constantly shifting attack surface.
monday.com is deeply configurable, a platform where even power users don't know every corner. For security researchers operating in pure black-box mode, it's genuinely hard to explore. For a small security team, covering it continuously was harder.
- Closed-source code makes black-box research especially challenging
- Point-in-time pentests couldn't keep pace with rapid feature shipping
- Pivot to AI platform introduced entirely new vulnerability classes
- Business logic flaws and chained attacks require adversarial, sustained testing
A private program built for depth, not volume.
monday.com's HackerOne program predates its IPO, most of its security tooling, and much of its current scale. That longevity reflects a deliberate philosophy: curate a focused group of skilled researchers who develop genuine fluency with the platform, rather than opening to volume and noise.
Amit Levy came to monday.com already thinking like an attacker. He spent years earlier in his career on the offensive side. That background shapes how he runs the program: not as a compliance checkbox, but as the sharpest adversarial lens available to a small team.
Over time, the team built an end-to-end remediation pipeline that makes the program scalable for a lean team. monday.com built a direct webhook integration between HackerOne and its own platform, so every validated report flows automatically into the R&D workflow without a manual handoff.
- HackerOne triage handles first-pass validation and researcher comms
- Hai handles second-pass validation
- Internal agent runs root cause analysis and code-level identification
- Automated PR creation with suggested fix and developer SLA notification
- Security team role becomes review and approval, not manual processing
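The first hop of that pipeline, the webhook handoff from HackerOne into the internal workflow, is the part a defender most wants to get right: the receiver must authenticate the sender, ignore events that have not yet passed validation, and tolerate redelivery without opening duplicate work. The sketch below is an added example written for this page, not monday.com's integration or HackerOne's documented webhook contract; the signature header name, the event payload shape, the shared secret and the SLA table are all constructed assumptions.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Hypothetical shared secret configured on both the webhook sender and this receiver.
WEBHOOK_SECRET = b"constructed-example-secret"

# Constructed SLA table in business days; not monday.com's real policy.
SLA_DAYS_BY_SEVERITY = {"critical": 3, "high": 7, "medium": 30, "low": 90}

# Only reports that have cleared triage (first-pass validation) create R&D work.
ACCEPTED_STATES = {"triaged"}

# Hypothetical header name carrying the HMAC-SHA256 of the raw request body.
SIGNATURE_HEADER = "X-Webhook-Signature"


def sign(body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """HMAC-SHA256 over the exact bytes received, hex encoded."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, provided: str, secret: bytes = WEBHOOK_SECRET) -> bool:
    # Constant-time comparison so a forged signature cannot be guessed byte by byte.
    return hmac.compare_digest(sign(body, secret), provided)


def build_remediation_task(event: dict) -> Optional[dict]:
    """Map a validated report event to a work item; None means 'no work for this event'."""
    if event.get("type") != "report_state_changed":
        return None
    report = event.get("report", {})
    if report.get("state") not in ACCEPTED_STATES:
        return None
    severity = (report.get("severity") or "medium").lower()
    if severity not in SLA_DAYS_BY_SEVERITY:
        severity = "medium"  # unknown rating: neither drop nor over-escalate
    return {
        "idempotency_key": f"h1-{report['id']}",  # lets the R&D side ignore redelivery
        "title": f"[H1-{report['id']}] {report.get('title', 'Untitled report')}",
        "severity": severity,
        "sla_days": SLA_DAYS_BY_SEVERITY[severity],
        "weakness": report.get("weakness"),
    }


class WebhookReceiver:
    """Minimal in-memory receiver: verify, parse, filter, de-duplicate, enqueue."""

    def __init__(self) -> None:
        self.seen = set()
        self.queue = []

    def handle(self, body: bytes, headers: dict) -> Tuple[int, str]:
        sig = headers.get(SIGNATURE_HEADER)
        if not sig or not verify_signature(body, sig):
            return 401, "bad signature"  # reject before touching the payload
        try:
            event = json.loads(body)
        except json.JSONDecodeError:
            return 400, "malformed json"
        task = build_remediation_task(event)
        if task is None:
            return 200, "ignored"
        if task["idempotency_key"] in self.seen:
            return 200, "duplicate"  # redelivered event, no second ticket
        self.seen.add(task["idempotency_key"])
        self.queue.append(task)
        return 202, "queued"


# Constructed sample event; field names are assumptions, not a real HackerOne payload.
SAMPLE_EVENT = {
    "type": "report_state_changed",
    "report": {"id": 123456, "title": "Example finding", "state": "triaged",
               "severity": "high", "weakness": "Improper Access Control"},
}


def make_signed_request(event: dict, secret: bytes = WEBHOOK_SECRET) -> Tuple[bytes, dict]:
    """Produce what a legitimate sender would transmit for the given event."""
    body = json.dumps(event, sort_keys=True).encode()
    return body, {SIGNATURE_HEADER: sign(body, secret)}


def demo() -> list:
    """Run the receiver through delivery, redelivery, tampering and a not-yet-validated report."""
    receiver = WebhookReceiver()
    body, headers = make_signed_request(SAMPLE_EVENT)
    results = [receiver.handle(body, headers), receiver.handle(body, headers)]
    results.append(receiver.handle(body + b" ", headers))  # body altered after signing
    unvalidated = {"type": "report_state_changed",
                   "report": {"id": 123457, "title": "New report", "state": "new"}}
    results.append(receiver.handle(*make_signed_request(unvalidated)))
    return results


if __name__ == "__main__":
    for status, reason in demo():
        print(status, reason)
```

The receiver deliberately does nothing clever with the report contents; the root cause analysis and PR creation steps live downstream. What it guarantees is that only authenticated, validated events reach that automation, and that the same report never produces two tickets when the sender retries.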
The key capabilities and products used:
- H1 Bounty: private bug bounty program since 2018
- H1 Challenge: targeted feature-launch campaigns
- Hai: used for report validation and automation workflows
- H1 Triage: HackerOne's managed triage team handles first-pass validation
AI became the teammate who remembers every report
To scale validation without compromising expertise, Shopify built AI agents trained on the company’s unique tone, history, and scoring precedents. These agents perform the first pass on every report, extracting core issues and giving analysts an immediate understanding of Shopify-specific context.
HackerOne Hai strengthens this foundation with coordinated Agentic AI that turns complex findings into clear, actionable guidance. It adapts to program policies, surfaces similar reports, reinforces consistent scoring, and strengthens communication with the security researcher community. And because Hai operates without bias, it gives Shopify the objectivity to stay true to the definitions of their scoring.
In tandem, they create for Shopify’s team what functions as a teammate who remembers every report. Jill describes, “It’s amazing to see what it does for the confidence of an individual in the role as well as historical precedent… It decreases remediation and that kind of back and forth.”
AWS as the secure AI foundation
Shopify's solution operates within AWS as part of its broader secure-by-design infrastructure. Amazon Bedrock enables Shopify and HackerOne to run AI systems without using prompts or customer data for training. This gives Shopify’s security team confidence that AI can be safely embedded into sensitive workflows while maintaining strict data boundaries.
Throughout the transformation, human judgment remained the source of truth. AI simply amplified it. The gains achieved with Hai demonstrate how thoughtfully integrated AI can unlock meaningful scale for the business and for the team. But Shopify didn't stop at using AI to improve security processes; they also partnered with HackerOne through a Live Hacking Event to rigorously test their own AI-powered products, including Sidekick, the commerce assistant that helps merchants grow their business.
Together, Hai and the AI-focused Live Hacking Event helped Shopify set a new standard with a dual approach: treating AI as a tool for security and as an asset to be secured. This shapes Shopify’s broader strategy of pairing innovation with accountability and ensuring that every AI advancement is backed by real-world, community-driven security insight.
For security teams looking to adopt AI in security operations, Jill Moné-Corallo shares:
Start with what you’re comfortable with, especially the areas that are your weaknesses. Taking some of the grueling tasks off your plate builds trust in the system, and from there the world is your oyster.