03 Aug 2023
DestinyX Bug Bounty Policy

Introduction
At DestinyX, the safety and security of our users' online gaming experience are paramount. We are committed to maintaining a robust and impenetrable platform to protect our users' sensitive information and ensure the integrity of our services. 

As part of our proactive approach to security, we have established a comprehensive Bug Bounty Program. This program aims to harness the expertise of skilled security researchers, hackers, and ethical hackers to identify and report potential vulnerabilities in our website and mobile applications. By encouraging responsible disclosure, we can swiftly address any security weaknesses and safeguard our platform from malicious actors.
Scope
Our Bug Bounty Program encompasses the entire DestinyX online gaming platform. We invite participants to scrutinise the platform for any potential security vulnerabilities, with a focus on but not limited to the following areas:

- Cross-Site Scripting (XSS): Identifying potential injection of malicious scripts into web pages viewed by users.
- Cross-Site Request Forgery (CSRF): Detecting unauthorized actions initiated by an authenticated user who is unknowingly triggered by a malicious request.
- Server-Side Request Forgery (SSRF): Uncovering potential exploitation of the server to access internal resources.
- SQL Injection (SQLi): Identifying the manipulation of SQL queries that may lead to unauthorized access to the database.
- Remote Code Execution (RCE): Discovering possible ways to execute arbitrary code on the server.
- Authentication Bypass: Identifying weaknesses that may allow unauthorized access to user accounts or administrative privileges.
- Privilege Escalation: Uncovering potential methods to gain elevated privileges within the platform.
- Information Disclosure: Detecting leaks of sensitive information that could compromise user privacy.
- Logic Flaws: Identifying logical errors that may lead to unintended behavior and security risks.
- Denial of Service (DoS): Detecting vulnerabilities that may disrupt the availability and performance of our platform.

Program Policies

DestinyX will not initiate legal action for security research conducted in accordance with this document, including accidental violations made in good faith. We consider activities conducted consistent with this policy to constitute “authorized” conduct under applicable laws.
If legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. 
DestinyX cannot and does not authorize security research in the name of other entities. However, DestinyX reserves the right to forward details of any issues discovered in relation to a third party without further discussion with the researcher. We will do our best to coordinate and communicate with researchers throughout this process. 
Please obtain permission from our Security team before engaging in conduct that may be inconsistent with or unaddressed by this policy. Your request should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.

Researcher Requirements
Complying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”. Responsible Disclosure includes:

- Providing DestinyX with a reasonable amount of time to fix a vulnerability before sharing details of the vulnerability with any other party.
- Making a good faith effort to preserve the confidentiality and integrity of any DestinyX customer data.
- Not defrauding DestinyX customers or DestinyX itself while participating in the Bug Bounty Program.
- Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from DestinyX.
- Reporting vulnerabilities with no conditions, demands, or ransom threats.
- Submitting to DestinyX any and all data or information obtained from any actions associated with the vulnerabilities, and destroying it at least one day after receipt of the reward.
- Not saving, copying, storing, transferring, or otherwise retaining any personal information inadvertently obtained.
- Not modifying, destroying, interrupting, or accessing data that does not belong to you, and not degrading our services.

Exclusions
While we encourage thorough testing, the following activities are strictly prohibited and not within the scope of our Bug Bounty Program:
- Social Engineering and Phishing: Any attempt to manipulate or deceive our employees, users, or systems.
- Physical Attacks: Actions targeting our data centers, offices, or personnel are strictly prohibited.
- Automated Scanning and DoS Attacks: Engaging in automated scanning or launching denial-of-service attacks against our platform is not allowed.
- Unauthorized Access to User Data: Researchers must not attempt to access, modify, or delete user data without explicit permission.
- Harming Platform or Users: Activities that may cause harm to our platform or users are strictly forbidden.

Rewards
To acknowledge and incentivize responsible reporting, we offer monetary compensation to researchers based on the severity and potential impact of the reported vulnerability. The reward levels are categorized as follows:

- Critical Vulnerabilities: Up to $1,500
- High Severity Vulnerabilities: Up to $1,000
- Medium Severity Vulnerabilities: Up to $500
- Low Severity Vulnerabilities: Up to $100

The payouts listed above are minimum bounties per category. Bonuses in excess of the category minimum can be awarded based on the severity of the vulnerability or the creativity of the exploitation. Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports, as determined at our sole discretion.
Previous bounty amounts are not considered precedents for future bounty amounts. Software is constantly changing, and therefore the exact same vulnerability can have drastically different security impacts at different points in the development timeline.
Bounty reward arrangements under this program, including but not limited to the bounty amount, form of payment, and timing, are at Finblox’s sole discretion and will be made on a case-by-case basis.
Participants in the Bug Bounty Program are responsible for any tax liability associated with bounty award payments. Finblox makes no representation regarding the tax consequences of said payments under any circumstances in this program.

Submission Guidelines
We encourage security researchers to adhere to the following guidelines when submitting vulnerability reports:
- Submission via Email: Vulnerability reports must be submitted via email to [email address].
- Comprehensive Description: Provide a clear and concise description of the vulnerability, including step-by-step instructions to reproduce it.
- Platform Component Details: Include information about the affected platform component (e.g., website or mobile app).
- Contact Information: Provide your contact details for communication and reward issuance purposes.
- Responsible Disclosure: Researchers must not disclose or exploit the vulnerability to any third parties or publicly disclose it until we have had a reasonable time to respond and address the issue.

Responsibilities
We are dedicated to our platform's security and users' safety. As part of the Bug Bounty Program, our responsibilities include:

- Prompt Acknowledgment: We will promptly acknowledge receipt of the vulnerability report.
- Thorough Investigation: Our security team will conduct a comprehensive investigation to validate the reported vulnerability.
- Transparency: We will inform researchers about their reports' status and any necessary remediation steps.
- Timely Reward: Researchers who responsibly disclose valid security vulnerabilities will be promptly rewarded.

Legal Safe Harbor
Our Bug Bounty Program operates under a legal safe harbor policy, meaning that we will not initiate any legal action against security researchers who identify potential vulnerabilities in good faith, provided they adhere to the guidelines outlined in this policy.

Conclusion
For any inquiries or vulnerability reports, please contact [email protected]. We welcome your partnership in our pursuit of an impenetrable and enjoyable gaming experience for all.