Security is the utmost highest priority at Enjin. Despite the heavy attention to detail, we understand that bugs are present within all pieces of technology - that includes our own. It's for that reason why we love to work with talented security researchers, around the world, to assist us in identifying and securing our systems and applications.

If you suspect that you've identified a security bug within any of our services, that are listed as "In Scope," then we will gladly work with you in order to ensure a rapid resolution of that issue and (for both your time and ethical disclosure) we will compensate you for your discovery.

Scope

Please refer to the "Scopes" section (below) for information about what assets we consider as being "In Scope." Vulnerabilities reported against any other assets are considered Out of Scope, and therefore will not be eligible for any bounty.

Note that the /cdn-cgi/* path is controlled by our Content Delivery Network, Cloudflare. Therefore, any submissions pertaining to this path will be marked as Out of Scope and therefore Not Applicable.

Responsible Disclosure

We respect the work that the security research community provides and we ask that you act in good faith when working with us. For that reason, we ask that you abide by the following whilst participating within our program:

• Limit testing to accounts you own and do not impact other users. If you encounter any user data, including but not limited to usernames, emails, or passwords, please report it to us immediately and stop testing right away.
• When testing, you should only do the minimum required to validate a vulnerability. In cases where it may impact our systems or users, please get in-touch with [email protected] first to confirm whether you have permission to proceed. No matter what the case is, never damage or leave any system in a more vulnerable state than when you discovered it.
• Do not follow "the rabbit hole" by continuing to dig deeper (look more thoroughly) into our system. Should you gain access to any of our systems, you should immediately stop and responsibly disclose the vulnerability.

Response Targets

Enjin has set forth the following response targets upon receiving a report:

• First response within 72 business hours;
• Triage within 7 business days;
• Have a resolution in place within 30 business days; and
• Payout within 14 business days after a resolution has been confirmed.

Whilst these are our baseline response targets, we will do our best to always exceed these targets.

However, in very limited circumstances, we may fail to meet one (or more) of these targets. In the event we fail to meet one of our targets, please be patient with us, as it will almost certainly come down to the complexity of the issue at hand. If no formal resolution has been made within 180 days and with no feedback from the Enjin security team in relation to why that's the case, and as a last resort, then the contents of the report may be publicly disclosed by the finder.

Eligibility

You will qualify for a reward if you are the first person to disclose an issue that is not yet known to us and one that affects an asset that's listed as both in-scope and eligible for bounties. You will qualify for a reward if you adhere to the following:

• You must report a vulnerability within 24 hours of its discovery.
• You must not disclose any details about the vulnerability anywhere else, this includes our support channels.
• You must provide clear steps in order to reproduce the reported vulnerability.
• You must not perform any automated tests / scans against our network.
• You must not perform any attacks that will result in high volumes of traffic (such as Denial of Service attacks.)
• You must avoid any tests that may cause service degradation / interruption.
• You must stop any tests in the event degradation / interruption is identified as a potential result of your tests.
• You must not access; download; leak; manipulate; or destroy any user data.
• You must not save any copies of data acquired through a vulnerability.
• You must only test with accounts that you have created and actively own.
• You must use your [username]@wearehackerone.com email address when testing authenticated routes.
• You must set the header X-H1-Username: [username] when performing tests outside of the browser (eg. via Postman / cURL / etc.)
• Your vulnerability must not fall within our list of Prohibition or Exclusions (as detailed further, below.)

Rewards

If you meet the eligibility criteria, listed above, and have responsibly disclosed a valid vulnerability then you will qualify for a reward.

Monetary Compensation

Enjin rewards researchers that submit eligible reports for qualifying vulnerabilities. In those cases, our minimum reward is US$60 and our maximum reward is US$1,500. The amount rewarded will vary depending on the severity of the vulnerability reported. Payments will be made directly via HackerOne's payout system.

Swag

Swag may be awarded, as a discretionary bonus, for a valid report against an in scope asset. Swag is limited to no more than one per researcher. We will not honour (nor respond to) repeated requests to be awarded swag, this is exclusively awarded at the discretion of the Enjin security team.

Prohibition

The actions of performing any of the following are strictly prohibited:

• Denial of Service (DoS) attacks (including distributed attacks);
• Physical attacks against any of our offices, employees, contractors or data centers;
• Automated tools / scripts / scans that will generate a large volume of traffic;
• Compromising the account of Enjin's users, employees or contractors;
• Contacting our support team (all areas operated by support are strictly off-limits);
• Social engineering our employees or contractors; and
• Downloading / saving copies of our source code, confidential files or database contents.

Exclusions

In addition to the above, the following vulnerabilities will not be considered for bounty and may be closed as Not Applicable:

• Missing security headers (eg. CSP / HSTS / X-Frame-Options / X-Content-Type-Options);
• Missing security DNS records (eg. SPF / DKIM / DMARC / DS);
• Missing cookie flags (eg. HttpOnly / SameSite / Secure);
• Stale DNS records (those pointing to inactive records);
• Software version disclosure (for any application in our stack);
• Cross-domain leakage;
• Information leakage (ie. data cached within searches engines / web archives);
• Information disclosure;
• Outdated TLS versions (eg. supporting TLSv1.0 / TLSv1.1);
• Session timeouts;
• Session hijacking (cookie reuse);
• Click-jacking;
• Tabnabbing;
• Self-XSS and non-impactful XSS;
• Account enumeration;
• Security best practices;
• Email verification (confirming / changing / bypassing / etc.);
• Insufficient session expiration;
• Unlikely user interaction;
• Missing rate limiting;
• Cross-Site Request Forgery (CSRF); and
• WebView and/or WebKit issues.

Consequences of Complying with This Policy

We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the assets in scope.

If legal action is initiated by a third party against you in connection with your participation in our program, and you have complied with Enjin's bug bounty policy, Enjin will take steps to make it known that your actions were conducted in compliance with this policy.

Please contact [email protected] before engaging in conduct that may be inconsistent with or unaddressed by this policy.

Legal Terms

By participating in this program, you are agreeing to be bound by everything outlined within this policy and the following additional legal terms:

• You must be at least 13 years old in order to participate in our bug bounty program.
• Payments are made via HackerOne, and you are solely responsible for paying any taxes associated with those rewards.

We reserve the right to alter the terms of this program, or terminate this program entirely, at any time.

Thank You

Finally, we'd like to take this time to thank you for your interest in performing security research against one (or more) assets within our ecosystem. It's researchers, like yourself, that help us to build applications that bring the best possible security to our customers. Therefore, from all of us at Enjin, we'd just like to say: thank you.

Questions?

Should you have any questions, please contact [email protected] for clarification.