Security
Private first, public later. If you have found something that weakens the confidentiality, integrity, or availability of our properties, help us fix it before the details spread or someone else exploits it.
Threat model
What we want in scope
Triage lanes
In scope vs. noise
In scope
- Confirmed issues on domains and apps we operate.
- Partner integrations when the vulnerable component is ours to patch.
- Reasonable PoCs that avoid harming users or degrading live traffic.
Typically out of scope
- Scanner dumps without a working exploit chain.
- Missing security headers (CSP, HSTS, X-Frame-Options and the like) with no demonstrated attack that the header would have prevented.
- Self-XSS or issues needing improbable social engineering.
- Third-party SaaS bugs — report to that vendor directly.
Protocol
How to report
Until a dedicated security mailbox and PGP key are published, route through the general contact form with a subject line that engineering can filter (for example, one beginning with "SECURITY:"). Bear in mind that the form is not an encrypted channel; keep credentials, live tokens, and user data out of it. Include the items below. Dense, structured reports get faster replies.
Asset & impact
Which hostname, binary, API route, or integration is affected, and the minimum an attacker gains (for example, reading another user's data, bypassing authentication, or executing code).
Reproduction
Ordered steps, safe PoC attachments, and a SHA-256 hash of each attachment so both sides can confirm they are looking at the same files.
Severity read
Your CVSS-style rating (a vector string is more useful than a bare score) and the blast radius. We may disagree, but it calibrates triage.
Bounty context
State if you are operating under a published program so finance knows how to route rewards.
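The hash manifest asked for under Reproduction, as an added example that is not part of this page or the program's own tooling: the reporter lists each attachment with its size and SHA-256, and triage checks what actually arrived against that list. The sample attachment bytes are constructed for illustration; the function names are this example's own.

```python
import hashlib
from typing import Dict, List, Tuple

# A manifest row is (filename, size in bytes, sha256 hex digest).
ManifestRow = Tuple[str, int, str]


def hash_attachment(data: bytes) -> str:
    """SHA-256 hex digest of one attachment's raw bytes."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(attachments: Dict[str, bytes]) -> List[ManifestRow]:
    """Reporter side: one row per attachment, sorted by name so the list is stable."""
    return [
        (name, len(data), hash_attachment(data))
        for name, data in sorted(attachments.items())
    ]


def format_manifest(rows: List[ManifestRow]) -> str:
    """Render rows in the familiar 'digest  size  name' layout for the report body."""
    return "\n".join(f"{sha}  {size:>8}  {name}" for name, size, sha in rows)


def verify_manifest(rows: List[ManifestRow], received: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Triage side: compare received files against the manifest in the report.

    Returns names grouped as ok / mismatch (hash differs) / missing (listed but
    not received) / unexpected (received but not listed).
    """
    expected = {name: sha for name, _, sha in rows}
    result: Dict[str, List[str]] = {"ok": [], "mismatch": [], "missing": [], "unexpected": []}
    for name, sha in expected.items():
        if name not in received:
            result["missing"].append(name)
        elif hash_attachment(received[name]) == sha:
            result["ok"].append(name)
        else:
            result["mismatch"].append(name)
    result["unexpected"] = sorted(set(received) - set(expected))
    return result


# Constructed sample attachments for the example; not real PoC files.
SAMPLE_ATTACHMENTS = {"poc.txt": b"abc", "notes.md": b""}

if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_ATTACHMENTS)
    print(format_manifest(manifest))
    # Simulate a tampered and an unlisted file arriving at triage.
    print(verify_manifest(manifest, {"poc.txt": b"abd", "extra.bin": b"x"}))
```

Paste the formatted manifest into the report itself rather than into a separate attachment, so the hashes travel with the text that describes the files.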
Safe harbor (draft). When you act in good faith (no privacy violations, no data destruction, no phishing of our staff or players, no physical intrusion, and no testing beyond what is needed to demonstrate the issue), we will not pursue legal action for research conducted under these terms. Counsel should finalize this paragraph before you rely on it legally.
Recognition
With your permission, we may credit researchers in release notes or a hall of fame page. Tell us if you prefer anonymity — we honor either path.
Add PGP keys, SLAs for first response, and explicit scope URLs (domains, apps, binaries) when your public attack surface is frozen.