FounderCatalyst Verified
Earn the badge that tells investors you're ready. Pitch deck and financial model reviewed by a serial angel.
Free stuff
Templates, guides and calculators for founders running their own round — no signup required.
Security at FounderCatalyst
The security of our platform and the data our customers entrust to us is a top priority at FounderCatalyst. We welcome responsible disclosure from security researchers and the wider community.
Reporting a vulnerability
If you believe you've found a security vulnerability in FounderCatalyst, please email us at security@foundercatalyst.com.
To help us triage your report quickly, please include:
- A clear description of the vulnerability and its potential impact
- Step-by-step instructions to reproduce the issue
- Any relevant URLs, screenshots, or proof-of-concept code
- Your assessment of severity (see below)
We aim to acknowledge reports within 5 business days and will keep you updated as we investigate and remediate.
Scope
In scope
- The FounderCatalyst web site (www.foundercatalyst.com)
- The FounderCatalyst infrastructure the web site runs on
Out of scope
- Denial-of-service (DoS/DDoS) attacks
- Social engineering or phishing of FounderCatalyst staff or customers
- Physical security attacks
- Third-party services, applications, or websites that integrate with FounderCatalyst
- Rate limiting or brute-force enumeration unless it leads to a demonstrable security impact
- Automated scanning output without a demonstrated vulnerability
- Reports of missing security headers without a demonstrated exploit
- Software version disclosure without a demonstrated vulnerability
Severity and rewards
We offer monetary rewards for valid, unique vulnerability reports at our discretion. FounderCatalyst is a small, independently funded company, so our bounty amounts reflect that reality — but we genuinely value the time researchers invest in helping us improve.
Final severity classification is determined by FounderCatalyst, taking into account the nature of the vulnerability, the data and systems at risk, and the overall impact to our users.
Rewards are paid per unique vulnerability. Duplicate reports will be credited to the first reporter. We may choose to award above or below the listed amounts at our discretion based on the quality of the report and the impact of the finding.
Safe harbour
FounderCatalyst will not pursue civil or criminal legal action against security researchers who:
- Act in good faith and in accordance with this policy
- Avoid accessing, modifying, or deleting data belonging to other users — if you accidentally access another user's data, stop immediately and report what you found
- Do not publicly disclose the vulnerability before we have had a reasonable opportunity to investigate and remediate (we ask for a minimum of 90 days from the date of your report)
- Do not degrade the availability or performance of our services
- Do not exploit a vulnerability beyond what is necessary to demonstrate it exists
- Comply with all applicable laws
We consider security research conducted in line with this policy to be authorised activity. We will not report good-faith researchers to law enforcement.
If at any point you are uncertain whether your actions are consistent with this policy, please reach out to us at security@foundercatalyst.com before proceeding.
Contact
Email: security@foundercatalyst.com
If you need to send sensitive details, please contact us via email and we can supply a number to contact us via WhatsApp or Signal.
This policy was last updated on April 2026.













