Secure transport and browser protections
Public routes are served over HTTPS and ship with HSTS, clickjacking protection, MIME-sniffing protection, a restrictive referrer policy, a permissions policy, and a content security policy.
Security
Security controls, data handling, and responsible disclosure.
The protections currently built into the public site, application flow, and admin workflow. How we secure transport, protect sensitive identifiers, control document access, and handle good-faith vulnerability reports.
Updated 2026-04-23
Security controls in production
Application session controls
Draft applications are protected by high-entropy session tokens. Resume links rotate the token when they are used, and write actions like autosave, upload, and submit require the current token.
Sensitive identifier encryption
Social Security and EIN values are encrypted with AES-256-GCM before storage. Exact-match lookups use a keyed hash so the application does not need plaintext values for routine matching.
Restricted admin access and audit logging
Admin routes require authenticated staff accounts with role checks. Sensitive identifier reads in the admin flow generate audit entries, and production reads fail closed if audit logging cannot be written.
Document access by signed links
Document uploads use short-lived signed upload links. Stored files are not published at stable public URLs, and admin downloads are issued through expiring signed links.
Abuse controls on sensitive routes
Application creation, autosave, document, two-factor, and submit routes are rate limited to reduce abuse and credential-stuffing style traffic.
Data handling commitments
These statements reflect the way the application and admin tooling are wired today.
We do not sell applicant personal information.
Resume and write actions in the application flow are tied to the current session token, not just the application ID.
Draft responses return masked versions of sensitive fields until access is explicitly authorized in the admin workflow.
Uploaded documents are sent over TLS and accessed through expiring signed links instead of public file paths.
If we confirm a security incident affecting personal information, we notify affected parties as required by applicable law.
Disclosure program scope
Before testing, please review what is and is not in scope. The rules below apply to every researcher equally.
In scope
- icg-funding.com and all subdomains we operate
- The public marketing site, applicant portal, and API endpoints we host
- Authentication, session handling, and access-control logic
- Handling of sensitive identifiers and uploaded application documents
Out of scope
- Systems, infrastructure, or software we do not own or directly control
- Denial-of-service, volumetric, or resource-exhaustion attacks
- Social engineering, phishing, or physical attacks against ICG staff or offices
- Findings that require a rooted, jailbroken, or otherwise compromised end-user device
- Reports based solely on outdated software versions without a working proof of concept
- Best-practice observations without a reproducible security impact
Safe harbor
Good-faith research conducted under this policy is authorized. We will not pursue or support legal action against researchers who follow the rules below, and we will work with you if a third party raises a concern about your activity.
Give us a reasonable time to investigate and remediate before any public disclosure.
Only interact with accounts, data, and systems you own or have explicit permission to test.
Do not access, modify, or exfiltrate data belonging to other applicants or staff.
Do not degrade our service for other users. Stop testing and report immediately if you encounter personal data.
Do not use automated scanners that generate excessive traffic against production.
Responsible disclosure
If you believe you found a vulnerability that affects ICG Funding or applicant data, email security@icg-funding.com. Include the affected URL or endpoint, a proof of concept, and enough detail for us to reproduce the issue safely.
We acknowledge valid reports within two business days. If your testing follows this policy, we do not pursue good-faith security research. Do not access, modify, or exfiltrate data that does not belong to you.
Include in your report
- The affected URL, page, or endpoint
- Clear reproduction steps or a proof of concept
- What access you were able to obtain and what the real-world impact is
- Your IP address, account, or timestamps if they help us correlate logs
A machine-readable policy is available at /.well-known/security.txt.
Security contact
security@icg-funding.comValid reports are acknowledged within two business days.
Privacy questions
privacy@icg-funding.comAcknowledgments
We publicly thank researchers who have responsibly disclosed valid vulnerabilities, with their permission. ICG Funding does not currently operate a paid bug bounty.
No reports have been acknowledged yet.
Your business isn’t waiting. Neither should your capital.
Financing up to $1.5M with no hard credit pulls within 24 hours.
Average time to first offer: 3 hours