Polygon Labs' bug bounty program has seen a nearly 10x spike in submissions since August. Valid reports more than doubled. Most were on code that had been sitting untouched for three to five years. AI doesn't anchor to new releases the way human researchers do. It starts from scratch every time.

We spoke with Mudit Gupta, CTO of Polygon Labs, about how that shift is forcing structural changes to how serious protocols handle security.

Polygon runs two dedicated security teams. SecOps owns the attack surface most Web3 teams never build for: cloud infrastructure, employee devices, domain security, phishing simulation. Mudit's position is that most Web3 incidents originate here, not in the contracts. AppSec is embedded at the architecture stage, not brought in post-build. The difference is accountability: they own security outcomes across the full product lifecycle, not just the audit report.

"If there is one person who takes care of security very seriously, they can uplift the whole team," Mudit told us. That's how they scale a security mindset without a mandate.

On ZK, Mudit is direct. There are more bugs in ZK infrastructure than in smart contracts. The only reason it hasn't been exploited at scale is that the number of people capable of doing it is countable on two hands. "I sometimes lose sleep over it," he told us.

Listen to the full episode for the complete two-team structure and why Mudit believes ZK is the most underestimated attack surface in Web3 right now. Watch the full interview here: https://youtu.be/J2jKNvOrfbk