How a 19-Year-Old Built India's Bug Bounty Revolution

Introduction

At just 19, Kathan Desai dropped out of college to build what is now India's largest bug bounty and vulnerability management platform — BugBase. His story embodies youthful conviction, technical brilliance, and an audacious belief that Indian ethical hackers could lead the world in cybersecurity.

In this episode of the Cyber Unbound Podcast, Kathan reveals how he started BugBase from his dorm room during COVID, how his platform is reshaping India's cybersecurity testing landscape, and how AI-powered VAPT (Vulnerability Assessment and Penetration Testing) is the next frontier for enterprises.

"We wanted to solve a problem we ourselves faced as bug bounty hunters — there was no platform in India where researchers could responsibly report vulnerabilities." — Kathan Desai

The beginning: when four friends turned a lockdown idea into a startup

The story of BugBase began in April 2021, at the height of the pandemic. Kathan and his high-school friend Dua were passionate hackers, spending late nights experimenting with vulnerabilities and competing in CTFs. During lockdown, they built a Discord server, roped in two more co-founders — Aditya (CTO) and Sitaraman (CIO) — and started prototyping what would later become BugBase.

What began as a simple vulnerability submission form quickly evolved into a full-fledged SaaS platform where companies could run structured bug bounty programs and manage security reports in real time.

BugBase Founding Team

Dropping out to build a product the world needed

Kathan and his team launched their MVP within two months, receiving demo requests from companies worldwide. The response validated their hypothesis — organizations were ready for a homegrown platform that simplified responsible vulnerability disclosure.

That traction led to one of the hardest decisions of their lives — dropping out of college to build full time.

"It wasn't about taking a reckless risk. It was about betting on a problem we truly understood," Kathan explained.

"Building any business is hard — not just cybersecurity. But the only way to learn is to build."

Understanding India's cybersecurity opportunity

Kathan believes India's cybersecurity market is not immature — just evolving differently. He points out that India has some of the world's most skilled ethical hackers, with 25–30% of global bug bounty reports originating from Indian researchers. Yet, until recently, there was no domestic platform giving them structured opportunities.

He explains that as India's tech ecosystem grows, so will its security budgets, compliance requirements (like the DPDP Act), and demand for continuous testing.

"India has the talent. What it lacked was infrastructure to channel that talent effectively — that's what we're building at BugBase."

Bridging the gap between VAPT and bug bounty

One of the biggest misconceptions Kathan faces is the confusion between VAPT and bug bounty programs. He clarifies that while VAPT (Vulnerability Assessment and Penetration Testing) is a one-time engagement, bug bounties are continuous, 24/7 efforts that allow companies to find zero-day vulnerabilities faster.

"If you aren't ready to engage continuously with researchers, don't start a bug bounty program yet. Do your VAPT first, fix your defenses, and then scale to continuous testing."

That pragmatic approach has helped BugBase onboard clients ranging from banks and fintechs to SaaS startups that see bug bounties as proactive security, not just a checkbox.

Getting the first 10 customers — cold outreach and persistence

Kathan's first customers didn't come through investors or PR — they came from cold messages on LinkedIn. As a 19-year-old founder, he sent over 50 messages to CISOs and security heads, eventually closing his first client who had just faced a critical security incident.

"Our first deal came from a reactive situation — a client needed help fast. That gave us confidence and credibility."

Since then, BugBase has grown through a mix of CISO networking events, cold outreach, and strong SEO — with the platform now appearing in top search results for "bug bounty platform in India."

BugBase Team at GISEC

BugBase for startups: democratizing security

BugBase's Startup Program allows early-stage companies to host free Vulnerability Disclosure Programs (VDPs). This enables startups to accept vulnerabilities responsibly without expensive enterprise contracts.

These programs help smaller teams establish a security maturity baseline and even achieve ISO 29147 compliance, making it easier to scale securely or work with global clients.

"Even if you're a small startup, having a VDP says a lot about your security culture. It shows maturity."

Building for ethical hackers — not just enterprises

Kathan's philosophy is clear: a bug bounty platform is only as strong as its community. BugBase's thriving researcher base is a testament to India's security talent, and the platform ensures fair payouts, transparent triage, and regular recognition.

He shares that major clients like Groww have launched bug bounty campaigns with payouts as high as $4,500 per vulnerability, proving that Indian companies are beginning to value security on a global scale.

Introducing AI Pentest Copilot — BugBase's next big leap

Beyond bug bounties, BugBase is now disrupting the VAPT space through AI Pentest Copilot, an agentic AI system that autonomously performs red teaming, phishing, and contextual analysis.

"We call it agentic AI for offensive security," Kathan explained. "The AI gathers contextual data — company structure, tech stack, and employee behavior — and simulates attacks continuously, 24/7."

This innovation marks BugBase's shift from being a platform for vulnerabilities to becoming an intelligent partner for proactive security.

Why competition fuels innovation

Kathan welcomes competition in AI-driven VAPT, saying it grows the overall market. He emphasizes that BugBase's strength lies in its deep understanding of Indian enterprise challenges, local compliance laws, and the ability to provide in-country data residency — something international platforms can't match.

"If competitors exist, it means the market is growing. Swiggy needed Zomato. BugBase needs challengers too — it keeps us sharp."

Talent, certifications, and hiring through Cyber Unbound

Kathan doesn't believe certifications like OSCP or CPTS define talent. While they can sharpen skills, he emphasizes hands-on experience and real-world problem-solving over credentials.

"Certifications should enhance your skill, not replace it. We look for hackers who can think creatively and prove themselves through work."

He praises Cyber Unbound's vetting process, highlighting how it helps fast-growing startups like BugBase find vetted, ready-to-interview engineers instantly.

"For us, Cyber Unbound is a blessing. When we need people fast, we know the candidates are already vetted by skills, not just paper degrees."

Final thoughts

At just 22, Kathan Desai represents a new wave of cybersecurity founders from India — practical, bold, and visionary. BugBase is not just helping companies secure their systems; it's redefining how talent, AI, and entrepreneurship intersect in cybersecurity.

As he puts it best:

"Startups will fail. Products will evolve. But if you keep learning, building, and staying curious — you'll always land ahead."

Guest — Mr. Kathan Desai, Founder at BugBase

Watch the full podcast today at Cyber Unbound Channel
