Bug Bounty Program

GGPoker Bug Bounty Program

The primary purpose of the GGPoker Bug Bounty Program (“Program”) is to bolster the security and to ensure the integrity of our services by providing a platform for cybersecurity experts to submit potential concerns. These concerns will then be addressed in order to enhance the robustness of our services. 

GGPoker greatly appreciates the collaboration with security researchers from around the world, as it helps us ensure the safety of our valued customers. We recognize the important role that security researchers play in identifying vulnerabilities that may have been missed during the software development process. Through Coordinated Vulnerability Disclosure (“CVD”), these vulnerabilities can be shared and addressed in a timely manner.

For more information about CVD, review the information available at the following links:

If you have discovered a vulnerability in GGPoker’s services, we kindly ask that you contact us. If your vulnerability report affects services covered by one of the reward programs listed below, you may be eligible for a reward as described in the program description. 

The Program is open for submissions at all times. Eligibility for the rewards component of this Program requires participants to agree to the terms and conditions provided herein; by submitting an entry to the GGPoker Bug Bounty Program, you accept those terms and conditions.

The GGPoker Bug Bounty Program is subject to the legal terms and conditions and bounty safe harbor policy described here

SUBMISSION SCOPE OF THE REPORTS

The tables below list the GGPoker service domains and clients that are in scope. They are subject to change.

WEB

*.ggpoker.com
*.ggpoker.co.uk
*.ggpoker.nl
*.ggpoker.de
*.ggpoker.ca
*.ggpoker.be
*.ggpoker.eu
*.pokercraft.com

PC CLIENT

Windows: ClubGG, GGPoker
MAC: ClubGG, GGPoker

MOBILE CLIENT

Windows: ClubGG, GGPoker
MAC: ClubGG, GGPoker

BOUNTY SCOPE

Rewards are reserved for vulnerabilities that have the potential to negatively impact the confidentiality and/or integrity of our services as a result of design and/or implementation issues, for example:

  • Stored Cross-Site Scripting (Stored XSS)
  • XML External Entity Attacks (XXE)
  • Cross-Site Request Forgery (CSRF)
  • Server-Side Request Forgery (SSRF)
  • Insecure Direct Object References (IDOR)
  • Buffer Overflow (BOF)
  • SQL Injection
  • Directory Traversal Issues
  • Authentication Bypass
  • Remote Access Control
  • File upload and execution to/on servers
  • Privilege Escalation and Bypass
  • Exposure of Sensitive Information
  • Unauthorized Access to Sensitive Resources

OUT OF BOUNTY SCOPE

Examples of vulnerabilities and situations that are not eligible for rewards are:

  • Vulnerabilities that cannot be reproduced at the time of reporting or are already known to the company
  • Vulnerabilities in third-party platforms not developed by GGPoker
  • Acquisition of any data that exceeds the minimum required to demonstrate the existence of a vulnerability
  • If the same vulnerability is found through multiple attack vectors, only one will be considered
  • Vulnerabilities that require physical access to another person's device
  • Vulnerabilities presented without a proof of concept
  • Vulnerabilities with minimal potential harm or low impact
  • Vulnerabilities occurring on rooted or jailbroken devices
  • Vulnerabilities involving sensitive personal information
  • Vulnerabilities on browsers or platforms with expired support
  • Mobile deep link vulnerabilities
  • Violations of password, session cookie, or authentication token security policies
  • Reflected XSS, Self XSS
  • URL redirection
  • Posting, commenting, or messaging in bulk (bot, macro)
  • SSL/TLS cipher suite or protocol version related vulnerabilities
  • SPF, DMARC, DKIM policies, and email spoofing on mail servers
  • DLL hijacking or DLL injection possibilities
  • Server or client denial-of-service attacks (DoS)
  • Exposure of version information, error messages, or simple status information
  • Bugs that require excessive user interaction or assumptions
  • Direct access to static resources such as images or videos through URL input
  • Leakage of internal IPs or domains
  • Reports not submitted using the provided template
  • Previously disclosed vulnerabilities
  • Missing HTTP security headers
  • Other non-security-related bugs

BOUNTY AMOUNT

Bounty amounts are denominated in USD and will be transferred to the participants’ personal accounts. The bounty amount is determined by taking into account multiple factors, including but not limited to the report form and the criteria outlined below.

The following factors determine your reward tier and rewards:

  1. Assets Importance level:

The importance of the asset or service on which the reported vulnerability/vulnerabilities may have an effect. The primary assessment is the impact of compromising the confidentiality, integrity, and availability of the service.

High: A vulnerability that may have a critical impact on company assets or services if exploited.
Medium: A vulnerability that may have a major impact on company assets or services if exploited.
Low: A vulnerability that may have a minor impact on company assets or services if exploited.

  2. Risk/Threat level:

The severity of the impact to service coverage, quality, and continuity that could result from the vulnerability.

High: A server-side vulnerability or automatable attack that may cause a prolonged impact on critical services, or that makes possible the mass theft of private/sensitive information of other users (account/private information or any other information inaccessible by normal means). Examples: Stored XSS, SQL Injection, RCE.

Medium: A vulnerability that may cause a short-lived effect on a limited number of services, or that can be exploited for theft from a specific or limited number of individuals.

Low: A low service impact with minimal effect on service continuity/integrity, or guessing/randomized attacks that inherently depend on probability for exploitation of the vulnerability.

  3. Technical Complexity level:

We rate by technical complexity, i.e. the conditions and prerequisites for exploiting the vulnerability. The easier the vulnerability is to exploit, the higher the score.

  • User interaction: whether a user interaction is a prerequisite to reproduce the issue (e.g. a user must click an attacker’s link or must install a program in their environment for the vulnerability to be exploited); and
  • Complexity: the presence of a specific circumstance that is required to exploit the vulnerability (e.g. sharing the same local network as the attacker, or prior access to sensitive information).

High: No user interaction is required to exploit the vulnerability, and it can be reproduced independent of any particular circumstance; or a method such as automation can be used to bypass a circumstance requirement even if one exists.

Medium: No user interaction is required, but there is a small dependency on circumstance (e.g. the attacker must share a local network, or requires prior access to sensitive information).

Low: A user interaction is required to exploit the vulnerability, or there is a large dependency on circumstance in order to exploit it.

  4. Quality of Report:

The more detailed the step-by-step description of how to reproduce the vulnerability, including exploit or proof-of-concept code snippets, the more points will be awarded.

High: Thorough analysis of the issue, a feasible remediation plan, and the presence of PoC and exploit code.
Medium: A High level on any one of the three assessment criteria.
Low: All criteria are present in the report, but critical information on how to reproduce the issue is missing or the PoC is non-functional; or not all of the criteria are present and only the potential for an exploit is suggested.

Considerations:

  • The four criteria above are considered when deciding the reward rating.
  • Of the four main criteria, the ones that affect the rating tier are the following:
    • Assets importance level;
    • Risk/Threat level; and
    • Technical Complexity level.

It should be noted that these criteria are not weighted and their order does not signify priority.

  • The Quality of Report does not affect the reward rating tier; however, it may influence the reward amount allocated within the range specified for each tier.

Rating: Amount (USD)
Critical: 20K ~ 50K
High (5): 11K ~ 15K
Medium High (4): 5.1K ~ 10K
Medium (3): 3.1K ~ 5K
Medium Low (2): 1.1K ~ 3K
Low (1): 100 ~ 1K

GGPoker Bounty Terms and Conditions

PROGRAM OVERVIEW

The Program allows Participants to submit vulnerabilities and exploits to GGPoker’s products and services to GGPoker for a reward in an amount determined by GGPoker. GGPoker’s decisions regarding bounties are final and binding. GGPoker may change or cancel this Program at any time and for any reason in its sole discretion.

CHANGES TO THESE TERMS AND CONDITIONS

GGPoker may change these Terms and Conditions at any time. Participation in the Program after changes become effective means that you agree to the new terms. If you do not agree to the new terms, you should not participate in the Program. If you wish to withdraw from the Program and not be eligible for Bounties, please contact [email protected].

PROGRAM ELIGIBILITY

  • You must be at least 19 years of age and have the legal capacity to enter into and be bound by the Bug Bounty Program’s terms and conditions in your individual capacity. GGPoker reserves the right to verify the age of any Participant and may disqualify any Participant found not to be in compliance;
  • Whether you are an individual researcher participating in an individual capacity or work for an organization that allows participation, you are responsible for reviewing your employer’s rules for participation in the Program;
  • Participants must use English for communication throughout their participation; and
  • Communication should occur via email.

You ARE NOT eligible to participate in the Program if you meet any of the following criteria:

  • You are under the age of 19;
  • You are a public servant/gov employee;
  • Your employer or organization does not permit your participation in this type of program;
  • You are a current employee of GGPoker, an associated employee, or an immediate family member (parent, brother, sister, spouse, child);
  • Within the five years prior to providing us your Submission (as defined below) you were an employee of GGPoker;
  • You currently (or within the six months prior to providing us your Submission) perform(ed) services for GGPoker or a GGPoker subsidiary in an external staff capacity that requires access to the GGPoker Network, such as an agency temporary worker, vendor employee, business guest, or contractor; or
  • You are a national of, or reside in, a country on a UN sanctions list.

SUBMISSION PROCESS & COORDINATED VULNERABILITY DISCLOSURE

If you believe you have identified a vulnerability that meets the requirements set forth in the Program, you may submit it to GGPoker as detailed below.

Each vulnerability you submit to GGPoker is considered a submission (“Submission”). Submissions should be sent to [email protected]. The first email should state the name of the bounty program to which you are submitting, the details of the vulnerability, and the specific product version used to validate your research. Include as much information as possible:

  • Type of issue (cross-site scripting, SQL injection, buffer overflow, etc.)
  • Provide any necessary configuration to reproduce the issue
  • Step-by-step instructions to reproduce the issue
  • Proof of concept or exploit code
  • The impact of the issue, including how an attacker could exploit it

You must follow the CVD when reporting all vulnerabilities to GGPoker. Submissions that do not follow CVD may not be eligible for bounties, and failure to follow CVD may result in disqualification from future program participation.

Well-written reports and working exploits have the potential for higher bounties. Submissions that do not meet the minimum criteria outlined above will be considered incomplete and will not be eligible for a bounty.

GGPoker is not responsible for Submissions that are not received for any reason. If you do not receive a confirmation email after submitting, please contact [email protected] to confirm that your Submission has been received.

There are no restrictions on the number of qualified Submissions you can provide and subsequently receive payment for.

If you submit a vulnerability for a product or service that is not covered by the Program at the time of submission, you will not be eligible for a bounty if that product or service is later added to the Program.

SUBMISSION LICENSE

Upon submission of the vulnerability to GGPoker via email, the Participant transfers copyright in the Submission to GGPoker, which is free to exercise and dispose of such rights:

  • Participants cannot claim or enforce any copyright in the Submission against anyone designated by GGPoker;
  • You understand and acknowledge that GGPoker may have developed or commissioned material similar or identical to your Submission, and you waive any claims that may arise from any similarity to your Submission;
  • You understand that you are not guaranteed any compensation or credit for the use of your Submission

The Program Participant must submit their own work and not use copyrighted or collaborative content from others. The Program Participant represents and warrants that they have the legal right to provide the Submission to GGPoker.

CONFIDENTIALITY OF SUBMISSIONS/ RESTRICTIONS ON DISCLOSURE

GGPoker considers customer protection a top priority and strives to secure each vulnerability report immediately. Participants are expected to provide sufficient time and information to respond to security vulnerabilities.

The Bug Bounty Program operates on a principle of confidentiality. Participants must refrain from disclosing, sharing, or leaking any information about vulnerabilities or information obtained through the Program to third parties. Failure to comply may result in disqualification and potential legal consequences.

Participants are prohibited from disclosing any security vulnerabilities they discover, even after receiving the bounty, without approval from GGPoker.

Participants should strive to prevent privacy violations, data corruption, or service degradation during the security vulnerability analysis process.

The list of prohibitions is below:

  • External disclosing of findings without GGPoker consent;
  • Automated scanning or random guessing attacks;
  • Unauthorized access to others’ data, including viewing, disclosing, deleting, or modifying;
  • Using discovered vulnerabilities to view, disclose, delete, or modify corporate assets;
  • Exploiting discovered vulnerabilities;
  • Conducting attacks that violate the spirit of the Bug Bounty Program or any other applicable law;
  • Submitting false or unfounded accusations, slandering, or defaming;
  • Transferring or providing the right to receive rewards to third parties or offering it as collateral;
  • Infringing any third-party intellectual property; and
  • Any other activities that go against the purpose and intent of the Bug Bounty Program.

Failure to adhere to the above may lead to legal consequences under the applicable legislation including but not limited to the: Computer Fraud and Abuse Act (CFAA), Digital Millennium Copyright Act (DMCA), or the copyright laws of the Participant’s respective country.

Should a Participant be found to have violated any of the foregoing, you will be required to return any bounties paid for that vulnerability and may be disqualified from future participation in the Program.

SUBMISSION REVIEW PROCESS

After your Submission is sent to GGPoker, a GGPoker engineer will review your Submission and determine if it is eligible. The review time for your Submission will depend on the complexity and completeness of your Submission and the number of Submissions received.

GGPoker reserves the sole right to determine which Submissions are eligible for any bounty payment. If multiple reports are received for the same issue from different Participants, the bounty will be paid to the first eligible submitter. If a duplicate report provides new information not previously known to GGPoker, a differential payment may be made to the Participant submitting the duplicate report.

If you submit a vulnerability without a working exploit, you may be eligible for a partial bounty. However, if you submit a working exploit within 30 days from your Submission, you may be eligible for an additional bounty.

BOUNTY PAYMENTS

GGPoker’s decisions regarding bounties are final and binding.

If your Submission is eligible for a bounty under the terms of the applicable product program, we will notify you of the bounty amount and provide you with the necessary documentation to process payment. If you do not wish to receive a bounty, you may waive payment.

In case of any dispute regarding the identity of an Eligible Participant, we will consider the authorized account holder of the email address used to enter the Program as the Eligible Participant.

Before receiving a Bounty, a successful Participant will be subject to identity validation and confirmation screening (in the sole discretion of GGPoker). Such validation must be completed within 30 days of notification. If you do not complete and return the required forms as instructed within the timeframe specified in the notification message, the bounty payment may not be made. We cannot process your payment until you have fully completed and returned any requested documents.

If your Submission is eligible for a bounty, please note:

  • Reward amounts are denominated in USD and will be transferred to the Participant’s personal bank account;
  • Requests for third-party payments or gift cards are not considered;
  • While some rewards may be in the form of GGPoker goods or merchandise, the contents may vary depending on the time of payment;
  • If a Participant is unable or refuses to accept the bounty, we reserve the right to revoke the bounty; and
  • If you accept an award, you are solely responsible for all applicable taxes associated with accepting the payment(s).

GGPoker is committed to honoring the hard work and dedication of its Participants and will not renege on any bounty offered.

PUBLIC RECOGNITION

GGPoker may publicly recognize Participants who have been awarded a Bounty. Participants may also be recognized by inclusion in web properties or other printed materials unless they have expressly requested that their identifying information not be disclosed.

PRIVACY

Please review the GGPoker Privacy Policy Disclosure for information regarding the collection and use of your information in connection with the Program:

GGPoker Bounty Legal Safe Harbor

Summary

GGPoker wants Participants to disclose responsibly through the Bug Bounty Program, and we don’t want researchers to fear legal consequences for their good faith attempts to comply with the Bug Bounty Policy. We cannot bind third parties, so don’t assume that these protections extend to them. If you are unsure, please contact us before taking any specific action that you believe may be outside the scope of the policy.

Because both identifying and non-identifying information can put researchers at risk, we limit the information we share with third parties. We may provide non-identifying substantive information about a reporter to an affected third party, but only after notifying the reporter and obtaining a promise that the third party will not take legal action against the reporter. We will only share identifying information (such as name, email address, phone number, etc.) with third parties if you give us written permission.

If a security investigation that is part of the Bug Bounty Program violates certain restrictions in the Site Policy, a limited waiver is granted under the terms of the safe harbor.

Safe Harbor Terms

To encourage research and responsible disclosure of security vulnerabilities, GGPoker will not take civil or criminal action or send notices to law enforcement for accidental or good faith violations of the GGPoker Bug Bounty Terms and Conditions (“this Policy”). GGPoker considers security research and vulnerability disclosure activities conducted pursuant to this Policy to be “authorized” under applicable computer fraud legislation, applicable copyright legislation and applicable computer usage legislation, including but not limited to the Computer Fraud and Abuse Act, the DMCA, and the Criminal Code, R.S.C., 1985, c. C-46 (Canada). GGPoker hereby waives any potential claims we may have against Participants who bypass technical measures we have used to protect the applications in the scope of the Program.

If a Participant’s security research involves the networks, systems, information, applications, products, or services of a third party other than GGPoker, please understand that we cannot bind that third party, and that third party may pursue legal action or law enforcement notification. We cannot and do not authorize security research in the name of another entity, and we cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your conduct.

Participants must comply with all applicable laws and refrain from interfering with or damaging data beyond the scope of our bug bounty program.

Please contact us before engaging in any conduct that is inconsistent with this Policy or not covered by this Policy. We reserve the sole right to determine whether your conduct violates this Policy.

Notwithstanding the foregoing, in the event that legal action is commenced by a third party, including law enforcement or a regulator, because of your participation in the Program, and you have complied with this Policy, we will take steps to make such compliance known; however, despite any objection on our part, we may be compelled to assist in such legal action.