Bug Bounty Program
We at Spielworks are committed to providing our customers with a safe and secure platform. As part of our ongoing efforts to maintain the highest level of security, we are launching a bug bounty program to encourage and reward responsible disclosure of any security vulnerabilities.
Eligibility
The bug bounty program is open to anyone who finds a security vulnerability in our platform. However, employees, contractors, and partners of Spielworks are not eligible to participate in the program.
Scope
The bug bounty program covers any security vulnerability that could impact the confidentiality, integrity, or availability of our platform. This includes but is not limited to:
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- SQL injection
- Remote code execution
- Authentication and authorization issues
- Privilege escalation
- Server-side request forgery (SSRF)
- Information disclosure
- Denial of service (DoS)
- Brute force attacks
- Social engineering attacks
- Any other vulnerability that could compromise the security of our platform
Limitations
- Only the first person to report a unique vulnerability will be eligible for a bounty
- The bug bounty program is not a license to perform destructive testing, and any activities that could harm the availability or integrity of our platform are strictly prohibited. Testing or other actions which cause any noticeable service disruption with user, financial and/or reputation impact for Spielworks will disqualify the participant from being considered for any bounty whatsoever and may result in legal action
- Any vulnerabilities found as part of automated scanning or testing tools are not eligible for the program
- Any vulnerabilities found in third-party applications, libraries, or frameworks used by our platform are not eligible for the program
- Any vulnerabilities found in services or systems that are not owned or operated by Spielworks are not eligible for the program
- Any attempts to access or modify data other than your own are strictly prohibited and may result in legal action
Responsible Disclosure
We take the security of our platform very seriously and ask that all participants in our bug bounty program comply with responsible disclosure practices. This means that vulnerabilities should be reported to us promptly, and all testing should be performed in a manner that minimizes the risk of unintended consequences. Found vulnerabilities should never be made public until and unless they are confirmed to be resolved by the Spielworks team.
Submitting a Bug Report
If you have found a security vulnerability in our platform, please follow these steps to submit a bug report:
- Send an email to security@spielworks.com with the subject line "Bug Bounty Report."
- Provide a detailed description of the vulnerability, including the steps to reproduce it.
- Include any supporting materials such as screenshots, code snippets, or logs.
- If possible, provide a proof of concept (PoC) that demonstrates the vulnerability.
- Indicate the severity of the vulnerability according to the following guidelines:
  * Critical: vulnerabilities that could lead to the compromise of user data, system resources, or customer information, or any vulnerability that could result in a complete system compromise and/or prolonged downtime.
  * High: vulnerabilities that could lead to the disclosure of sensitive information, unauthorized access to user accounts, short-term systems downtime or other serious impacts.
  * Medium: vulnerabilities that could lead to the compromise of less sensitive information, such as email addresses or usernames, or other moderate impacts.
  * Low: vulnerabilities that have minimal impact on the security or availability of the platform.
Payouts
We offer the following payout tiers based on the severity of the vulnerability. Payouts are done in $WOMBAT tokens on the chain of choice, using the current exchange rate on the day of the payout (https://www.coingecko.com/en/coins/wombat).
- Critical: up to $1,000
- High: up to $500
- Medium: up to $300
- Low: up to $100
Please note that the final payout amount will be at our discretion, based on the severity and impact of the vulnerability. We reserve the right to modify or terminate this bug bounty program at any time.
Thank you for helping us maintain the security of our platform!