SECURITY Reporting Guidelines

This document provides guidelines for reporting security vulnerabilities to Theorycraft Games. It is intended to offer helpful structure for submissions but does not constitute a legal agreement, promise of action, or guarantee of response.

1. Security at Theorycraft Games

Theorycraft Games is dedicated to ensuring a secure and enjoyable experience for our players. We recognize the importance of community reports and appreciate the contributions of ethical researchers towards maintaining the integrity of our games and platforms.

2. Bug Bounty Program

While we don't have a formal bug bounty program, we sincerely appreciate all reports. Rewards may be offered at our sole discretion for vulnerabilities classified as high or critical severity. Please remember that these rewards are discretionary, not guaranteed, and subject to budgetary considerations!

3. Key Considerations

The following considerations should be taken into account when reporting vulnerabilities:

  • Disruption: Do not disrupt gameplay or services

  • Access: Do not access or modify sensitive player data

  • Legitimacy: Use legitimate methods only; no DDoS attacks, brute force attempts, or other malicious activities

  • Timing: Please allow a reasonable timeframe for acknowledgment and resolution

4. What to Include in Your Report

The following should be included in reports:

  • Reporter Information: Your name, location, and contact details

  • Affected System/Platform: Specify the game, system, or platform affected

  • Vulnerability Description: Detailed explanation of the issue and its potential impact on gameplay or player data

  • Steps to Reproduce: Provide a clear, step-by-step guide or proof-of-concept

  • Suggested Remediation: If known, suggest steps to fix the vulnerability

To ensure clarity and thoroughness, we respectfully request that reports include adequate information. Additional context and insights are especially helpful for reports that include output from automated tools. Incomplete or partial submissions may not meet our review criteria.

5. Exclusions

Some items are not eligible for payouts, including:

  • Already Known Vulnerabilities: Previously reported or known vulnerabilities

  • Automated Scans: Output from automated scans or tools without manual verification or context

  • Third Party: Third-party libraries or software not directly managed by Theorycraft (unless critical to game security)

6. Third-Party Bugs

We may forward reports of third-party vulnerabilities to the respective vendors, as resolution may require that the vendors be informed of the technical details.

7. Report Submission and Response Targets

Reporting generally follows this outline:

  1. Submission: Reports may be submitted to [email protected]

  2. Acknowledgment: We aim to acknowledge reports within 3 business days

  3. Initial Triage: An initial assessment within 10 business days

  4. Resolution: High and critical issues will be prioritized for prompt resolution

8. Confidentiality

Reporters are requested to keep vulnerabilities confidential until a resolution is reached or sufficient time has passed for mitigation without causing harm. We want to protect our players!

THANK YOU!

We sincerely thank all researchers for their efforts in enhancing our system’s security!

Security Contact: [email protected]