Founderpath Bug Bounty Program

At Founderpath, security is core to our mission of helping SaaS founders grow without dilution. We take the protection of our platform and customer data seriously, and we welcome the security community's help in keeping it safe.

Our Commitment

  • We value security researchers and will work with you in good faith.
  • We will not pursue legal action if you follow the rules of this program.
  • We will investigate, respond to, and fix qualifying vulnerabilities promptly.
  • We will publicly acknowledge contributions (with permission).

Scope

The following are in scope:

  • Founderpath.com and all subdomains
  • The Founderpath web application and APIs

Out of Scope

  • Denial-of-service (DoS) or brute-force attacks
  • Social engineering against Founderpath employees or customers
  • Third-party services or platforms not operated by Founderpath

Rewards

We offer bounties based on severity, following industry-standard CVSS scoring:

  • Critical (RCE, auth bypass, sensitive data exposure): up to $2,000
  • High (privilege escalation, major business logic flaws): up to $1,000
  • Medium (information disclosure, limited impact flaws): up to $500
  • Low (best practices, non-exploitable issues): recognition only

Final reward decisions are at Founderpath's discretion, based on impact and quality of the report.

Responsible Disclosure Rules

To qualify for a bounty, you must:

  1. Report the issue to security@founderpath.com with clear steps to reproduce.
  2. Avoid accessing, modifying, or destroying data during testing.
  3. Give Founderpath a reasonable time to fix the issue before public disclosure.
  4. Act in good faith to protect user data and system integrity.

How to Report

Send reports to: security@founderpath.com

Include:

  • A detailed description of the vulnerability
  • Steps to reproduce (preferably with screenshots, proof-of-concept, or video)
  • Potential impact assessment

© 2025 Founderpath, Inc. All Rights Reserved.
