Bug Bounty
Our Bug Bounty Program rewards security researchers for identifying vulnerabilities in our systems. By using the CVSS framework, we classify vulnerabilities based on their severity and offer tiered rewards accordingly.
We use the CVSS scoring system to determine the severity of reported vulnerabilities. The reward tiers align with the CVSS score ranges as follows:
Critical (9.0–10.0): Severe vulnerabilities with high impact and ease of exploitation
High (7.0–8.9): Vulnerabilities with significant impact but more challenging exploitation
Medium (4.0–6.9): Moderate impact vulnerabilities with limited exploitation potential
Low (0.1–3.9): Low-risk vulnerabilities with minimal impact or likelihood of exploitation
Informational (0.0): Issues that do not pose a security risk but provide useful feedback
If your actions result in an outage or other real-world impact, you will forfeit all rewards.
Out-of-Scope Vulnerabilities
We aim to focus on impactful vulnerabilities and exclude low-value, low-risk issues that do not affect game security or user experience. Out-of-scope vulnerabilities include:
Low-Impact Findings
SPF, DMARC, or other email misconfigurations.
Common scanner findings without real-world impact (e.g., banner disclosures, outdated libraries without PoC exploitation).
Security headers (e.g., lack of X-Frame-Options).
Game Mechanics
Bugs that affect gameplay but do not result in security, financial, or integrity risks.
Other Exclusions
Social engineering attacks (e.g., phishing or pretexting).
Denial of Service (DoS) attacks or rate-limiting issues.
Vulnerabilities dependent on physical access.
Theoretical vulnerabilities without a demonstrable exploit.
Reporting Guidelines
We encourage detailed and well-documented submissions for efficient processing. Reports must include:
Description: A detailed explanation of the vulnerability and its impact
CVSS Metrics: Provide a calculated CVSS score (we will verify)
Proof-of-Concept (PoC): Include reproduction steps or a working exploit
Important: Avoid testing in a way that could disrupt active games or cause outages. Reports causing outages with real-world impact will result in forfeiture of rewards.
Submit findings to security@playa3ull.games
All other forms of submission will not be accepted
Reward Structure
We strive to balance meaningful rewards for researchers with cost-effectiveness. Rewards are allocated as follows:
Severity | CVSS Range | Reward |
---|---|---|
Critical | 9.0–10.0 | Up to $5,000 |
High | 7.0–8.9 | Up to $1,000 |
Medium | 4.0–6.9 | Up to $500 |
Low 1 | 4.0-5.4 | $250 |
Low 2 | 2.5-3.9 | $100 |
Low 3 | 0.1-2.4 | $50 |
Informational | 0.1 |
Reward Notes:
Final rewards are determined based on CVSS score, impact, and exploitability.
Critical vulnerabilities may receive additional rewards based on business impact.
Terms
Rewards are discretionary and subject to compliance and legal review.
Only the first validated report for a vulnerability is eligible for a reward.
If your actions cause an outage or service disruption, you will forfeit your reward.
Vulnerability reports must not include attempts to exploit users or assets.
You must act in good faith and in a professional manner, and allow the team to process the request.
No Blackmail or Negotiation: Attempting to blackmail, extort, or negotiate rewards outside the bounds of this policy will result in immediate disqualification from the program, potential legal action, and reporting to relevant authorities. Submissions are reviewed and rewarded solely at our discretion, based on the criteria outlined in this policy.
By participating, you agree to these terms.