Bigosaur Vulnerability Disclosure Policy
We take the security of our systems seriously, and we value
the security community. The disclosure of security vulnerabilities
helps us ensure the security and privacy of our users.
Guidelines
We require that all researchers:
- Make every effort to avoid privacy violations, degradation
of user experience, disruption to production systems, and
destruction of data during security testing.
- Perform research only within the scope set out below.
- Use the communication channel identified at the end of
this page to report vulnerability information to us.
- Keep information about any vulnerabilities you’ve discovered
confidential until we’ve had 90 days to resolve the issue.
- Not ask for payment. We are a small company, and might
reward someone if an issue with significant impact is
found, but we do not promise any monetary reward. We only
promise to add your name to the Hall of Fame page if the
issue is confirmed as valid.
If you follow these guidelines when reporting an issue to us,
we commit to:
- Not pursue or support any legal action related to your research.
- Acknowledge your report within 72 hours. Please note that we
are a very small team, and in rare situations we may
lose Internet access for a prolonged period.
- Work with you to understand and resolve the issue quickly.
- Recognize your contribution on our Security Researcher
Hall of Fame, if you are the first to report the issue
and we make a code or configuration change based on the issue.
Scope
Servers running our online games:
- lora.bigosaur.com
- meksiko.bigosaur.com
- euchre.bigosaur.com
Out of scope
Any services hosted by third-party providers. For example, we might use a CDN
to host images or a shared web hosting company to host some informational content.
The scope only covers our dedicated game servers, which contain sensitive user data.
In the interest of the safety of our users, staff, the Internet
at large and you as a security researcher, the following test
types are excluded from scope:
- Findings from physical testing such as office access (e.g.
open doors, tailgating)
- Findings derived primarily from social engineering (e.g. phishing, vishing)
- Findings from applications or systems not listed in the ‘Scope’ section
- UI and UX bugs and spelling mistakes
- Reports that only claim that some software is not updated
to the latest vendor release version. A vulnerability in a given
version might not apply to the way we use that software, and the
operating system version we use may already ship a backported fix.
You have to demonstrate an actual, reproducible
security vulnerability, not just a version match flagged by a scanning tool.
- Network level Denial of Service (DoS/DDoS) vulnerabilities
If you are unsure whether something is out of scope, feel free to contact us
via the e-mail address listed on this page.
Information we don't want to receive
Unless specifically instructed, please do not share any of the following:
- Personally identifiable information (PII)
- Data related to any payment methods (e.g. credit card information)
How to report a security vulnerability?
If you believe you’ve found a security vulnerability in one of
our products or platforms, please send it to us by
emailing security@bigosaur.com. Please include the following
details in your report:
- Description of the location and potential impact of the vulnerability
- A detailed description of the steps required to reproduce
the vulnerability (POC scripts, screenshots, and
screen captures are all helpful to us)
- Your name/handle and a link for recognition in our Hall of Fame
If you’d like to encrypt the information, please use our PGP key.
This page was last updated on 2021-09-29.