Bugs | AngryPages

Responsible Disclosure

AngryPages accepts reports from authorized security researchers and testing partners focused on first-party application and platform security.

Focus on real exploitable impact in our custom app: architecture, business logic, runtime behavior, authorization, token/payment flows, and server-side rendering or execution.

Priority Scope

High-value reports include auth/session weaknesses, token theft, unauthorized transactions, credential exposure, privilege escalation, and server-side execution paths.

Show the exact target path, affected role/permission, exploit chain, reproducible steps, and business impact. Token theft and account takeover are higher priority than generic hardening notes.

Out Of Scope

Third-party-only issues, generic CVEs, version banners, self-XSS without impact, weak rate limits, and destructive DoS/load testing are usually out of scope.

Infrastructure findings only matter when you demonstrate exploitability through AngryPages first-party logic. Do not disrupt service to prove a point.

Authorization Model

White-box credentials or access keys may be provided to pre-approved testers. Black-box testing requires express written authorization.

If you are not authorized, do not scan, probe, fuzz, exploit, scrape, or test AngryPages systems. Ask for authorization before touching live targets.

Strict Safety Rules

Use test accounts and synthetic data. Do not access, exfiltrate, alter, retain, or expose real user data beyond the minimum proof needed.

No social engineering, phishing, physical intrusion, persistence, malware, backdoors, service disruption, or attempts to decrypt private communications.

Strong Reports

Send clear reproduction steps, preconditions, affected permissions, impact statement, minimal proof of concept, evidence, and suggested remediation.

Evidence can include redacted requests/responses, logs, screenshots, or code references. Keep proof minimal and stay inside authorized boundaries.

Response & Rewards

We aim to acknowledge reports within 72 hours. Reward decisions depend on exploitability, impact, report quality, duplicates, and rule compliance.

Indicative rewards: Critical $2,000-$5,000, High $800-$1,500, Medium $250-$600, Low $100-$200. Final decisions stay case-specific.

Submit Securely

Use Contact and say you are submitting an authorized security report. Include program identity and safe evidence.

If you accidentally reach sensitive data, stop immediately, report the issue, and include only the minimum redacted evidence needed for us to verify and fix it.