Welcome to Scopely's Bug Bounty Program! This program encourages and rewards contributions by security researchers who help make Scopely's mobile games and communities more secure. To recognise your efforts and the important role you play, we offer bounties for reporting valid security vulnerabilities to us.
In-scope games:

- Scrabble® GO - Classic Word Game
- YAHTZEE® With Buddies Dice Game
- Dice With Buddies™ - The Fun Social Dice Game
- Looney Tunes™ World of Mayhem
- MARVEL Strike Force: Squad RPG
- Kingdom Maker (NEW!!)
Some of our games share a common framework. If the same issue appears in several games, please create only one report, as it is considered a single issue in the framework.
Do be aware that the quality of your report is critical to your submission. To ensure your report is triaged and awarded as quickly as possible, please ensure reports are detailed and clear. Please include:

- Your game user ID
- Reproducible steps: include detailed steps and any links you clicked on, pages you visited, URLs, user IDs, etc. If this contains more than a few steps, please create a video so we can attempt to perform the same steps.
- Impact
- Use cases: define the real-world scenarios where an attacker would be able to exploit this vulnerability
- Fix suggestions where possible
To promote the discovery and reporting of vulnerabilities and increase user safety, we ask:

- If you are researching security issues, especially those which may compromise the privacy of others, please use test accounts in order to respect our users' privacy.
- Act in good faith not to degrade the performance of our services (including denial of service).
We are grateful to everyone who submits valid reports to help us improve the security of Scopely games; however, only those that meet the following eligibility requirements may receive a monetary reward:

- You must be the first reporter of the vulnerability
- The vulnerability must be associated with an in-scope game or service
- The report must adhere to the Reporting Checklist above
- Follow HackerOne's Disclosure Guidelines
Each bug is awarded a bounty based on its severity and creativity. Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
We categorize security bugs in our service into impact categories:
| Vulnerability | Bounty Reward |
| ------------ | ----------------|
| Impacts the global game economy | $3000+ |
| Impacts global tournaments or leaderboards | $1500+ |
| Impacts individual's economy | $1500+ |
| Impacts the group, club, or faction | $1200+ |
| Impacts player privacy| $900+|
| Impacts player vs. player | $900+ |
| Impacts individual | $450+ |
| Impacts the security of the game service | $300+ |
| Impacts the security of additional services | $180+ |
Scopely will determine whether a reward should be granted and the amount of the reward - in particular we may choose to pay higher rewards for unusually clever or severe vulnerabilities or lower rewards for vulnerabilities that require significant or unusual user interaction.
Any vulnerability that affects the economy of a game or gives a player an unfair advantage over other players (cheating) is likely to qualify for the program. Vulnerabilities affecting the security of the company resources other than the live games service may qualify under the additional services category.
> Impacts the global game economy
> - Obtaining an In-App Purchase-backed item or currency illegally / outside of the intended design (usually an unlimited amount)
> - Modifying another user's data (currencies, inventories, progress, etc)
> - Giving or crediting illegal currencies to another user
> Impacts tournaments or leaderboards
> - Unfairly affecting leaderboard position (Please do not place #1 - #10 if an issue is identified).
> - Unfairly affecting tournaments and outcomes
> Impacts individual's economy
> - Obtaining currencies for your user illegally (usually a limited amount)
> Impacts the group, club, or faction
> - Unfairly affecting the success of a group, club, or faction
> Impacts player privacy
> - Obtaining personally identifiable information of one or more players outside of the intended design of the game.
> Impacts player vs. player
> - Game rigging / forcing a win
> Impacts individual
> - Obtaining personal game items illegally / outside of the intended design (experience, health, points, rank, rewards, other inventory systems)
> - Unfairly affecting the game progression system in a way that violates the designed progression track (achievements, badges, character stats, leveling up, move upgrades, etc)
> - Unfairly affecting time-based drops, rewards, or benefits
> Impacts the security of the game service
> - Any security bug that can materially impact the availability and integrity of our live games service (see exclusions)
> Impacts the security of additional services
> - Any security bug that can materially impact the availability, integrity and confidentiality of additional company services such as development resources, people management or data analytics (see exclusions)
If upon review of a report we do not find the vulnerability to be of high enough impact or probability, we may choose not to fix it. Reports deemed No-Fix by the team will not be eligible for a bounty and will be closed.
If upon review of a report the team decides to postpone a fix by adding the issue to their backlog, we may pay the bounty and close the issue in HackerOne so that it does not get stuck in Open/Triage for long periods of time. Duplicate reports will be linked to the closed HackerOne issue previously reported. Once the backlog issue is fixed, we will follow up on the closed report notifying of the resolution.
Exclusions (not eligible for a bounty):

- "Scanner output" or scanner-generated reports
- "Advisory", "Informational" or "Best Practices" based reports
- Server misconfigurations without a proof of concept of how they can lead to a real vulnerability
- Vulnerabilities in 3rd-party software such as frameworks, plugins or libraries (WordPress, Jira, Discourse, Okta, Unity, ...)
- HTTP header hardening and recommendations (Clickjacking, X-Frame-Options, CORS, ...)
- Subdomain takeovers will be marked as informative, as they are already being tracked internally with tools that prevent this from happening and clear out dangling DNS entries
- Any type of Denial of Service (DoS) attack
- Social engineering of Scopely staff or contractors
- Any physical attempts against Scopely property
- Rate limiting testing or brute force attacks against any asset
- Reports on other Scopely-owned assets that are not explicitly marked in scope in the list below (such as games, websites, domains, applications or endpoints) are currently ineligible for monetary rewards. As they come into scope, they will be added to the in-scope section below.
In scope:

| Scope Type | Scope Name |
| --- | --- |
| android_application | com.pieyel.scrabble |
| android_application | com.withbuddies.dice.free |
| android_application | com.scopely.yux |
| android_application | com.aqupepgames.projectpepe |
| android_application | com.foxnextgames.m3 |
| android_application | com.gww.km |
| ios_application | com.pieyel.scrabble |
| ios_application | com.withbuddies.dice.free |
| ios_application | com.scopely.yux |
| ios_application | com.aqupepgames.projectpepe |
| ios_application | com.foxnextgames.m3 |
| ios_application | com.gww.km |
| web_application | *.scopely.io |
| web_application | *.scopely.com |
| web_application | *.withbuddies.com |

Out of scope:

| Scope Type | Scope Name |
| --- | --- |
| web_application | confluence.scopely.io |
| web_application | jira.scopely.io |
| web_application | scopely.okta.com |
| web_application | bamboo.scopely.io |
This program was crawled on 2021-03-29 and is sorted as bounty.
FireBounty © 2015-2024