There used to be an unwritten rule in spreadsheets not to publick e-mail address of the participants. But now this information appears very often and spammers are actively using it.
Those ICO/IEO projects always claim that they would make sure the emails of their participants is kept private, but down the road now, we're too aware that plenty of them don't, they either use it to send scam attempt emails or they sell it to those who would, do we even talk of what they do with the KYC documents submitted to them.
If majority of them are scam, which they are, then why wouldn't they sell the emails or send such messages, it's another way of trying to scam people other than through their shit bounty projects. I have totally lost faith in ICO bounties.