Lessons from Running a Product Security-Focused Bug Bounty Program

Aditya Saligrama, Joey Holtzman

BSidesSF 2025 — Here Be Dragons · Day 2 · Main

Stanford's Applied Cyber group runs a product security clinic that has engaged with dozens of student startups over the past year and a half — and found critical vulnerabilities in essentially every single one. Misconfigured Firebase and Supabase deployments, broken authorization logic, exposed AWS API keys, and exploitable admin panels appear consistently across fintech, edtech, biotech, and B2B AI companies alike. Aditya Saligrama and Joey Holtzman detail the engagement model, the war stories, and what other university programs and early-stage security practitioners can take from it.

AI review

Stanford students running a genuine product security clinic and finding critical bugs in every single engagement — the war stories are entertaining and the SSRF infinite redirect loop via TinyURL self-referential construction is genuinely clever. The talk is more 'look what we found' than 'here is a framework that changes how you think about early-stage startup security,' but the data is real and the student-clinic model deserves more attention in the community.
