We have a Web Application build with AngularJS and Laravel, running on Apache+MySQL Debian server.
I'll give you the web address of a test installation and you should try a way to enter the web interface, or try to get any information that should stay provate.
In case you can't enter the application anche you can say it is secure, I should get the list of attempts you made.
After that I'll five you an unprivileged user account to that application and starting from that you should try to get more rights or collect informations that should not be visible to the user.
You SHOULD NOT try to force the SSH access to the machine, as the production machine will be under firewall. Just WEB will be accessible.
In case you'll find anything important concerning secutiry of our application, you'll get a 50€ extra bonus. Of course you should give us useful info to fix the security issue.