We use cookies
Our site relies on them (cookie policy)
Security

Security at FounderCatalyst

The security of our platform and the data our customers entrust to us is a top priority at FounderCatalyst. We welcome responsible disclosure from security researchers and the wider community.

Reporting a vulnerability

If you believe you've found a security vulnerability in FounderCatalyst, please email us at security@foundercatalyst.com.

To help us triage your report quickly, please include:

  • A clear description of the vulnerability and its potential impact
  • Step-by-step instructions to reproduce the issue
  • Any relevant URLs, screenshots, or proof-of-concept code
  • Your assessment of severity (see below)

We aim to acknowledge reports within 5 business days and will keep you updated as we investigate and remediate.

Scope

In scope

  • The FounderCatalyst web site (www.foundercatalyst.com)
  • The FounderCatalyst infrastructure the web site runs on

Out of scope

  • Denial-of-service (DoS/DDoS) attacks
  • Social engineering or phishing of FounderCatalyst staff or customers
  • Physical security attacks
  • Third-party services, applications, or websites that integrate with FounderCatalyst
  • Rate limiting or brute-force enumeration unless it leads to a demonstrable security impact
  • Automated scanning output without a demonstrated vulnerability
  • Reports of missing security headers without a demonstrated exploit
  • Software version disclosure without a demonstrated vulnerability

Severity and rewards

We offer monetary rewards for valid, unique vulnerability reports at our discretion. FounderCatalyst is a small, independently funded company, so our bounty amounts reflect that reality — but we genuinely value the time researchers invest in helping us improve.

Severity
Examples
Reward
Critical
Remote code execution, authentication bypass, access to other customers' data, SQL injection leading to data exposure
Up to £1,000
High
Privilege escalation, stored XSS with significant impact, IDOR exposing sensitive records
Up to £1,000
Medium
Reflected XSS, CSRF on sensitive actions, information disclosure of internal system details
Up to £250
Low
Minor information leakage, non-sensitive CSRF, open redirect without chaining
Up to £50

Final severity classification is determined by FounderCatalyst, taking into account the nature of the vulnerability, the data and systems at risk, and the overall impact to our users.

Rewards are paid per unique vulnerability. Duplicate reports will be credited to the first reporter. We may choose to award above or below the listed amounts at our discretion based on the quality of the report and the impact of the finding.

Safe harbour

FounderCatalyst will not pursue civil or criminal legal action against security researchers who:

  • Act in good faith and in accordance with this policy
  • Avoid accessing, modifying, or deleting data belonging to other users — if you accidentally access another user's data, stop immediately and report what you found
  • Do not publicly disclose the vulnerability before we have had a reasonable opportunity to investigate and remediate (we ask for a minimum of 90 days from the date of your report)
  • Do not degrade the availability or performance of our services
  • Do not exploit a vulnerability beyond what is necessary to demonstrate it exists
  • Comply with all applicable laws

We consider security research conducted in line with this policy to be authorised activity. We will not report good-faith researchers to law enforcement.

If at any point you are uncertain whether your actions are consistent with this policy, please reach out to us at security@foundercatalyst.com before proceeding.

Contact

Email: security@foundercatalyst.com

If you need to send sensitive details, please contact us via email and we can supply a number to contact us via WhatsApp or Signal.

This policy was last updated on April 2026.

Partnered with people that push you further

Angel Groups logo Ascension logo Angel Investors Bristol logo Colorintech logo Crowdcube logo Digital Catapult logo Female Founders Rise logo Fuel Ventures logo Jumpstart logo Republic Europe logo SETsquared Partnership logo SFC Capital logo Swoop Funding logo SyndicateRoom logo