Crowd for Angels Bug Bounty Program

At Crowd for Angels, we are committed to providing a secure crowdfunding platform. Therefore from time to time we improve our services and carry out security updates to our platform to ensure your details are safe.

We are interested in receiving any information about vulnerabilities or bugs. In return, you may be awarded a cash payment.

Attack types and issues have been separated into reward groups as follows. Issues that are not (yet) assigned to a reward group will be assessed by us and rewarded accordingly.

  • Non-persistent XSS
  • Mixed content
  • Tab-nabbing
  • Provisioning errors
  • Information leaks (excluding user data)
  • Low severity issues
  • Persistent XSS
  • CSRF on sensitive forms
  • Customer data disclosure
  • Authentication bypass
  • SQL Injection
  • Arbitrary code execution
  • Remote file inclusion
  • Privilege escalation
  • Access to user accounts

Program rules

Only the first person to report a vulnerability will be awarded. Reports have to follow our disclosure guidelines.

  • Full details have to be shared about the problems found.
  • Disruption of services, compromising/sharing of any user data or breaking the law is strictly forbidden.
  • Attacks that can result in harm to the reliability of our service are forbidden. Attacks that can result in data integrity issues are also forbidden. (D)DoS, spam attacks et cetera are forbidden.
  • Don't use automated tools to search for vulnerabilities. Your Crowd for Angels account can get suspended as a result.
  • Attacks involving social engineering, phishing, et cetera of Crowd for Angels employees and users are strictly forbidden.
  • Do not perform any attacks that are in violation of the law.
  • A report shall have detailed steps to reproduce the issue, including links you visited, screenshots or screencasts where needed.
  • A report shall include versions of software and all factors that played a role in the attack (browser, OS, et cetera).
  • Finders shall adhere to the rules.
  • Finders shall respect privacy and make effort not to access user data.
  • Don't publish issues or bugs without our consent. Wait at least 10 business days before publishing details about the report.
  • Don't do harm to our service or our users.
  • If we find the above rules are not adhered to, your report will not be eligible for a bounty.

  • Our security team will address your reports and questions as quickly as possible.
  • We will not take any legal action if you abide by our rules.
  • Timely pay-out of your bounty to an address of your choice.

  • Issues that pertain to anything forbidden in the program rules.
  • Reports generated by automated tools.
  • Software issues that are made public.
  • Reports that do not include testing or context specific to Crowd for Angels.
  • Issues that require you to already have access to a victim's account, physical device and/or registered email account.
  • Denial of Service attacks.
  • Brute Force attacks.
  • Spam techniques (DKIM / SPF et cetera).
  • Social Engineering issues.
  • Content injection/spoofing.
  • Path disclosure.
  • Version information disclosure.
  • Issues that we are already aware of.
  • Disclosure of trivial, non-sensitive public information.
  • Vulnerabilities in our official plugins that are specific to the shopping cart system, rather than our plugin.
  • Issues regarding spoofed e-mails.
  • HTTP Security Headers related issues without a proof of concept leveraging the issue.
  • Issues regarding SSL/TLS cipher suites without a proof of concept leveraging the issue.
  • Issues that can't be reproduced in the latest major browser versions (Edge, Firefox, Chrome, Safari).
  • Issues leveraging the presence of browser extensions.

To contact our security department simply e-mail security [at] or call 0207 437 2413

We reserve the right to adjust the program rules and conditions at any time without prior notification, and to deny bounties at our discretion.

Risk Warning

Investing in small public listed or private companies involves risks, including illiquidity, lack of dividends, loss of investment and dilution, and it should be done only as part of a diversified portfolio. Investing in debt pitches through Crowd for Angels (UK) Limited involves lending to companies and therefore your capital is at risk and interest payments are not guaranteed if the borrower defaults. Crowd for Angels is targeted exclusively at investors who are sufficiently sophisticated to understand these risks and make their own Investment Decisions. You will only be able to invest via Crowd for Angels once you are authorised. Please click here to read the full Risk Warning.

This page has been approved as a Financial Promotion by Crowd for Angels (UK) Limited (Company number: 03064807) , which is authorised and regulated by the Financial Conduct Authority (Reference number: 176508). Investments can only be made on the basis of information provided in the Pitches by the Investee Companies concerned. Crowd for Angels takes no responsibility for this Information or for any recommendations or opinions made by the Investee Companies.

Pitches may contain forward looking statements and financial forecasts or projections. Forecasts are not a reliable indicator of future performance. Crowd For Angels makes no judgement or opinion of the likelihood of targets being achieved. Investments made in companies listed on the Crowd For Angels platform are not covered by the Financial Services Compensation Scheme (FSCS).

The availability of any tax relief, including EIS and SEIS, depends on the individual circumstances of each investor and of the company concerned, and may be subject to change in the future. If you are in any doubt about the availability of any tax reliefs, or the tax treatment of your investment, you should obtain independent tax advice before proceeding with your investment.