At Spil Games we take user safety seriously. We work continually to promote a safe gaming experience for our players. We recognize the important role played our lively group of independent safety testers, who voluntarily help keep Spil Games and our users secure. To show our appreciation for their efforts, we've adopted a Responsible Disclosure Policy. It encourages legitimate reports of security vulnerabilities, and in some cases involves a reward.
If you believe you've found a security vulnerability, we'd like to work with you to investigate it as quickly as possible. To make sure that we fully understand the scope of the problem, please include as much information in your report as possible, and describe how we can reproduce it ourselves.
Please do not make your research or findings public or share them with third parties before we've rolled out the fix. Publicly disclosing a vulnerability can put the entire community at risk, so we urge you to keep this private until a fix is rolled out from our side.
If you give us a reasonable amount of time (90 days) to respond to your report before making any information public and make an effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research, we will not file any lawsuits against you or ask law enforcement to investigate you, unless we have reason to believe that you're not acting in good faith.
GUIDELINES FOR RESPONSIBLE DISCLOSURE
If you believe that you've found a security vulnerability in a Spil Games operated user-facing website, please send an email to firstname.lastname@example.org with a thorough explanation of the vulnerability (for a list of domains please scroll down).
Please remember to include full details of the security issue, including proof-of-concept URL, the details of the system where the tests were conducted, and detailed reproduction steps.
Please also include the security issue category:
Broken authentication (including OAuth bugs)
Circumvention of platform/privacy permission models
Cross-site scripting (XSS)
Cross-site request forgery (CSRF)
Injection (XML, SQL)
Remote code execution
When we receive your report, we'll send you a confirmation within ten (10) business days.
Please allow a reasonable time for us to investigate your findings.
To show our appreciation for our community of security testers, we offer a bounty for reporting certain qualifying security vulnerabilities.
A vulnerability must exist on one of the websites mentioned above.
To qualify for a bounty, you must:
- Adhere to our responsible-disclosure terms and conditions
- Give us a reasonable amount of time to respond to your report before making any information public, and avoid privacy violations, destruction of data, and interruption or degradation of our service during your research
- Be the first person to thoroughly report the vulnerability responsibly, including steps to reproduce it
- Report a vulnerability that could compromise the integrity or privacy of large amounts of Spil Games' user data
- Act in good faith
Our IT security team will assess each vulnerability to determine if it qualifies.
The following security vulnerabilities are NOT eligible for a bounty, and we do NOT recommend testing for these:
- Security vulnerabilities in third-party applications
- Security vulnerabilities in third-party websites that integrate with Spil Games websites
- Denial of service vulnerabilities
- Spam or social engineering techniques
- Brute force username enumeration and password cracking
- Flaws specific to old, out-of-date browsers and plugins
- Lack of secure or HttPOnly flag on non-sensitive cookies
- Logout cross-site request forgery
- Session expiry
A typical bounty is a €100 PayPal voucher.
We may increase the reward for certain specific reports, but the final amount is determined at Spil Games' discretion.
We award 1 bounty per qualifying security vulnerability.
After your submission, we should respond within ten (10) business days. We will keep you informed of the progress while resolving the issue. We will handle your report with strict confidentiality and not pass on your personal details to third parties without your permission.
If participating users/individuals do not adhere to the above mentioned policies, we reserve the right to take appropriate legal measures and/or get law enforcement involved.
This program is not open to minors, individuals on sanctions lists, or individuals in countries on sanctions lists. You are responsible for any tax implications or additional restrictions depending on your country and local law. Nothing contained in this policy should be construed as creating or implying a joint venture, partnership, agency, or employment relationship between you and Spil Games. We reserve the right to amend the terms and/or cancel this program at any time. If you continue to participate, you accept such amended policy terms. The decision to pay a bounty/reward is entirely at our discretion. You must not violate any law. You also must not disrupt any service or compromise anyone’s data.
The Spil Games Responsible Disclosure Policy is governed by Dutch law.