Bugs
AngryPages accepts responsible vulnerability reports from authorized security researchers and testing partners. Please focus on vulnerabilities in our first-party applications and platform behavior, including architecture, business logic, runtime behavior, and server-side rendering/execution.

What We Want Most (Priority Scope)

  • Exploitable secure-coding failures in first-party code paths.
  • Token theft or unauthorized transaction scenarios, including wallet logic abuse, payment/token flow bypasses, and unauthorized credit/debit actions.
  • Credential compromise issues, including authentication or session weaknesses, account takeover paths, and exposure of secrets or sensitive credentials.
  • Privilege escalation or authorization bypasses that expose privileged functions, data, or administrative materials.
  • Runtime or server-side execution weaknesses caused by custom application logic.

Out of Scope (Not Accepted)

  • Issues limited to third-party software, libraries, or dependencies, by themselves.
  • Weaknesses in infrastructure components or common tools we use (for example, NGINX, Apache, or similar software) unless there is a clear exploit chain through our custom platform logic.
  • Dependency CVEs without demonstrated exploitability in AngryPages first-party code paths.
  • Generic hardening findings, version disclosures, or best-practice notices without real, reproducible security impact.
  • Rate-limiting issues without material impact, self-XSS without a credible impact scenario, and destructive denial-of-service or load testing.
  • Operational hardening or reliability changes, by themselves, unless they are tied to a reproducible security vulnerability.

Authorization and Testing Model

  • White-box testing credentials or access keys may be provided to pre-approved security testing parties.
  • Black-box testing is discouraged and is allowed only where the researcher or organization has been expressly authorized in writing under our bug bounty program terms.
  • If you are not authorized, do not scan, probe, or test AngryPages systems.

Strict Safety Rules

  • Use test accounts and synthetic data wherever possible.
  • Do not access, exfiltrate, download, alter, or retain real user data beyond the minimum necessary to demonstrate the issue.
  • Do not attempt to intercept, decrypt, or extract the contents of end-to-end encrypted communications.
  • No social engineering, phishing, physical intrusion, persistence, backdoors, malware, or service disruption.
  • Stop testing immediately and report the issue if you encounter sensitive data or any risk of service instability.

What a Strong Report Looks Like

  • Clear, reproducible steps, including the exact target path or endpoint, required preconditions, and affected permissions or roles.
  • A concise impact statement in business terms, such as token theft, credential compromise, privilege escalation, or unauthorized transactions.
  • A minimal proof of concept that stays within authorized boundaries.
  • Supporting evidence such as requests/responses, logs, screenshots, or code references, redacted as needed.
  • Suggested remediation tied to secure coding or design controls, where possible.

Response and Reward Guidance

  • We aim to acknowledge receipt of reports within 72 hours.
  • Indicative reward ranges (USD):
      • Critical: $2,000 to $5,000
      • High: $800 to $1,500
      • Medium: $250 to $600
      • Low: $100 to $200
  • Final reward decisions depend on exploitability, impact, report quality, reproducibility, duplicate status, and adherence to program rules.