Bug bounty & responsible disclosure

What we pay

Severity is set by us after triage using real-world impact, not the scanner label. Every valid reporter earns leaderboard points and a Hall of Fame spot. Solve more, climb the board. Rewards are discretionary and based on quality, impact, and clarity of the report.

Report a vulnerability

In scope

• www.vcboom.com and the authenticated app (/app/*)
• The VC Boom API (/api/*) that powers scoring, matching, and outreach
• Authentication, authorization, and payment flows
• Anything that exposes another user's data or our investor dataset at scale

Out of scope

• Missing security headers with no demonstrated impact (we already harden these)
• Automated scanner output with no working proof of concept
• Denial of service, volumetric, or brute-force attacks
• Social engineering, phishing, or physical attacks
• Issues in third-party services we use (Clerk, Stripe, Resend, Vercel, Supabase). Report those to them
• Self-XSS, clickjacking on pages with no sensitive action, or theoretical issues with no real-world impact

Rules & safe harbor

• Only test against your own account and data. Never access, modify, or exfiltrate another person's data.
• No denial of service, automated high-volume scanning, or anything that degrades the service for real users.
• Report promptly and keep the issue confidential until we have shipped a fix.
• One issue per report. First valid reporter of a unique issue gets the reward; duplicates are credited but not paid twice.
• Acting in good faith and within these rules, we will not pursue or support legal action against you (safe harbor).

Hall of Fame

Be the first. Researchers who report a valid issue are credited here by their chosen handle, ranked by points.