Playtika is a leading mobile gaming company with over 34 million monthly active users across a portfolio of game titles.
Playtika Ltd. and all of its affiliate companies (together, “Playtika”) look forward to working in collaboration with the security community to find security vulnerabilities in order to keep our businesses and customers safe.
With that in mind, we invite you to participate in Playtika’s bug bounty program (the “Program”), to assist us in detecting and monitoring security vulnerabilities, and submit to us reports regarding any vulnerabilities that you find (each, a “Report”), according to the terms of this Bug Bounty Program Policy (the “Policy”).
IF YOU DO NOT AGREE TO THIS POLICY OR ANY TERMS AND CONDITIONS REFERRED TO HEREIN, PLEASE DO NOT SEND US ANY REPORTS OR OTHERWISE PARTICIPATE IN THIS PROGRAM.
Specialized testing accounts
To facilitate your participation, we offer the option to set up specialized testing accounts in our games. These accounts grant you access to high-level features, additional testing coins, and other resources to aid in your research. If you are interested in obtaining such an account, please contact us at [email protected] with your account ID and its corresponding login email. Please note that only HackerOne email addresses (i.e., [email protected]) are accepted.
Response Targets
Playtika will use its best efforts to meet the following response targets for Reports sent by security researchers participating in our Program:
| Type of Response | SLA in business days |
|---|---|
| Time to first response (from report submit) | 2 business days |
| Time to triage (from report submit) | 2 business days |
| Time to bounty (from triage) | 10 business days |
| Time to resolution | depends on severity and complexity |
We will try to keep you informed about our progress throughout the process.
Program Rules
These requirements apply to security researchers participating in our Program:
- When performing scans on our infrastructure, add the following header to all requests: "X-Bug-Bounty: True"
- Please provide detailed Reports with reproducible steps. If we determine that your Report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Do not use any testing tools or scanners that automatically generate significant volumes of traffic.
- Submit one vulnerability per Report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only award the first Report that was received (provided that it can be fully reproduced), regardless of the first Report’s source (an existing internal Report or a Report via our program).
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Any physical attempts against Playtika's property or data centers are prohibited.
- Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. All of your testing accounts must be registered to the @wearehackerone.com domain (when not using social login).
- Follow the Disclosure Policy below.
What we are interested in
- Vulnerabilities that lead to compromise of a player’s data (PII) including device ids (Android device id or Apple UDID).
- Vulnerabilities that impact another player’s experience, e.g., denial-of-service that prevents another player from playing.
- Vulnerabilities that significantly affect other players or allow cheating in a substantial manner (i.e., actions that greatly disrupt the fairness or balance of the game), such as business logic flaws or other forms of significant cheating.
- Vulnerabilities that have a considerable impact on the game economy.
A few words about cheating vulnerabilities in games
Cheating-related vulnerabilities are not the main focus of our bug bounty program, but we are still interested in reports of this type. However, please note that such reports are rarely eligible for a high or critical severity reward. The severity of cheating findings is assessed internally using the following criteria:
- Ease of Exploitation & Abuse
  - Higher severity: Cheat is very easy to perform and share (e.g., simple requests or basic client changes).
  - Lower severity: Exploit is complex, requiring advanced skills or setup (such as device rooting or reverse engineering).
- Impact on Fair Play
  - Higher severity: Cheat gives a clear, repeatable advantage in competitive modes (e.g., PvP, leaderboards).
  - Lower severity: Cheat has only minor or cosmetic effects, or impacts non-competitive modes.
- Number of Affected Players
  - Higher severity: Exploit affects many users or the overall game economy.
  - Lower severity: Only the attacker or a very limited group is impacted.
- Detection & Monitoring
  - Higher severity: Cheat is hard to detect or block automatically.
  - Lower severity: Strong monitoring means the cheat is quickly identified and contained (auto-bans, rollbacks).
- Scalability & Automation
  - Higher severity: Cheat can be automated, farmed, or scaled with bots and resold easily.
  - Lower severity: Exploit is only practical manually and cannot be easily automated.
- Recoverability
  - Higher severity: Effects are long-lasting or difficult to reverse (e.g., permanent leaderboard changes).
  - Lower severity: Impacts are short-lived or easily rolled back.
POC For Machine Permissions
When demonstrating machine permissions (file read, file write or command execution) obtained through a vulnerable process, please use the following commands for each primitive, so that the evidence is harmless and easy to verify:
- Read (root): cat /proc/1/maps
- Read: cat /proc/self/maps
- Write (root): touch /root/<your H1 username>
- Write: touch /tmp/<your H1 username>
- Execute: id, hostname
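The following POSIX shell script is an added example, not part of Playtika's policy, that runs the primitives listed above and reports which ones succeeded, so the evidence pasted into a Report matches the expected commands exactly and nothing beyond the policy's marker files is written. The H1_USER variable is an assumed placeholder for your HackerOne handle. Reading /proc/1/maps and writing under /root are normally denied to an unprivileged process; a "denied" result for those two lines, alongside "ok" for the others, is what distinguishes an unprivileged foothold from root.

```shell
#!/bin/sh
# Added example: run the bug-bounty PoC primitives and summarise the outcome.
# H1_USER is an assumed placeholder; set it to your HackerOne username.
H1_USER="${H1_USER:-your-h1-username}"

# run_primitive NAME CMD [ARGS...]
# Runs one primitive with output discarded and prints "NAME:ok" when the
# command exits 0, or "NAME:denied" otherwise. Nothing is executed beyond
# the command passed in, so the script stays within the policy's PoC list.
run_primitive() {
  name="$1"
  shift
  if "$@" >/dev/null 2>&1; then
    echo "$name:ok"
  else
    echo "$name:denied"
  fi
}

# poc_all runs every primitive from the policy in order. The root-only
# primitives (read_root, write_root) are expected to report "denied"
# unless the vulnerable process actually runs as root.
poc_all() {
  run_primitive read_root  cat /proc/1/maps
  run_primitive read       cat /proc/self/maps
  run_primitive write_root touch "/root/$H1_USER"
  run_primitive write      touch "/tmp/$H1_USER"
  run_primitive execute    id
  run_primitive execute    hostname
}

# Invoke as "sh poc.sh run" to execute all primitives; sourcing the file
# without the argument only defines the functions.
case "${1:-}" in
  run) poc_all ;;
esac
```

Paste the script's output together with the raw `id` and `hostname` output into the Report; the marker files under /tmp (and /root, if that succeeded) are the artefacts Playtika's team will look for when reproducing.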
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope of our Program and should not be included in your Report/review:
- Vulnerabilities in 3rd party products and services themselves, as opposed to insecure configuration of those products/services.
- Brute force attacks to obtain sensitive data and rate-limit issues without a demonstrated attack vector
- User enumeration (without PII exposure)
- Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring MITM or physical access to a user's device
- Previously known vulnerable libraries without a working Proof of Concept
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration, and HSTS
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Rate limiting or bruteforce issues on non-authentication endpoints
- Missing best practices in Content Security Policy
- Missing HttpOnly or Secure flags on cookies
- Insecure storage of data in the mobile applications
- Mobile application crash via tampered deep-links
- Lack of mobile best practices, e.g., SSL pinning, obfuscation, root protection, etc., without a working Proof of Concept demonstrating an exploit
- Lack of other security-related headers and best practices (X-XSS-Protection, X-Content-Type-Options, etc.) without a working Proof of Concept demonstrating an exploit
- Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)
- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
- Software version disclosure / Banner identification issues / Internal hostnames disclosure / Descriptive error messages or headers (e.g. stack traces, application or server errors).
- Configuration files with no sensitive information (e.g., a configuration file containing only public app keys, routing information, etc.)
- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.
- Any issue exploited in the mobile app because of an operating system vulnerability
- Tabnabbing
- Mail flooding / any issues related to mail service / support/service tickets
- Header injections without a demonstrable impact
- Open redirect - unless an additional security impact can be demonstrated
- HTML Injections in automated emails
- Issues that require unlikely user interaction
- Any vulnerability that has no practical security impact or is based on unlikely or theoretical attack vectors (e.g. self-XSS)
Out of Scope Assets
The following assets are considered out of the scope of our Program and should not be included in your Report/review:
- *.slotobucks.slotomania.com
Legal
Program Eligibility and Compliance
You must be 18 or older to be eligible for an award.
This Program is not open to individuals who reside in Lebanon, Cuba, Iran, North Korea or Syria, or in the Crimea, Donetsk, Luhansk, Kherson and Zaporizhzhia regions of Ukraine.
Playtika current or former employees, contractors, consultants and their families are not eligible for rewards.
You must agree and adhere to the Policy and legal terms and conditions as stated in this Policy.
Do not violate any laws or regulations, breach any agreements or compromise any data that is not yours, in connection with reviewing, discovering or reporting vulnerabilities.
Third-Party Claims
Any activities conducted in a manner consistent with this Policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this Program in compliance with this Policy and with all applicable laws and regulations, we will take steps to make it known that your actions were conducted in compliance with this Policy.
Disclosure Policy
- You must submit your Report as soon as you discover a potential vulnerability. By submitting the vulnerability, you confirm that you have not disclosed the vulnerability and agree not to disclose it, or your submission, to anyone other than Playtika security team following the process set forth in the Program. Disclosing the vulnerability without Playtika's prior written consent would violate the Program and Policy. It is understood and agreed that monetary damages would not be a sufficient remedy for any breach of this paragraph by you, and that Playtika is entitled to seek any remedy, including injunctive relief, in addition to all other legal or equitable remedies available to Playtika.
- Any information you receive or collect about us, our affiliates or any of our users, employees or agents in connection with the Program (“Confidential Information”) must be kept confidential and only used in connection with the program. You may not use, disclose or distribute any such Confidential Information, including without limitation any information regarding your Report, without Playtika’s prior written consent. You must get such written consent by submitting a disclosure request to Playtika through the HackerOne platform.
- Do not store, share, compromise, or destroy Playtika or customer data. If you encounter personal data, you must immediately cease your activity, purge related data from your system, and immediately contact Playtika. This action safeguards both the potentially vulnerable data and yourself.
- Follow HackerOne's disclosure guidelines
No Warranties
PLAYTIKA AND ITS AFFILIATES DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, AND MAKE NO GUARANTEES OR CONDITIONS WITH RESPECT TO THE PROGRAM. YOU UNDERSTAND THAT YOUR PARTICIPATION IN THE PROGRAM IS SOLELY AT YOUR OWN RISK. TO THE EXTENT PERMITTED UNDER APPLICABLE LAW, WE EXCLUDE ANY IMPLIED WARRANTIES IN CONNECTION WITH THE PROGRAM.
Limited Liability
IN NO EVENT SHALL PLAYTIKA, ITS DIRECTORS, OFFICERS, AFFILIATES OR AGENTS BE LIABLE FOR ANY COSTS OR DAMAGES WHATSOEVER, INCLUDING BUT NOT LIMITED TO DIRECT, CONSEQUENTIAL, INDIRECT, SPECIAL OR PUNITIVE COSTS OR DAMAGES, ARISING OUT OF OR RELATING TO THE PROGRAM OR THE ARRANGEMENTS CONTEMPLATED HEREIN.
Changes to Program Terms
The Program, this Policy and any other terms and conditions applicable thereto constitute the entire agreement and understanding of the parties with respect to the items listed herein, and such Program, Policy and terms may be modified, suspended, cancelled or terminated by Playtika at its sole discretion at any time, without notice. As such, Playtika may amend this Policy or any other terms or policies applicable to the Program at any time by posting a revised version on our Program page. By continuing to participate in the Program after Playtika posts any such changes, you accept this Policy, as modified.
If any term of the Program is found to be illegal or unenforceable, then the parties shall be relieved of their responsibilities arising under such term, but only to the extent that such term is illegal or unenforceable.
Report License
By submitting a Report in the Program, you agree to all Program Terms and Conditions, and you give us the right to use your Report for any purpose and you:
- Grant Playtika the following non-exclusive, irrevocable, perpetual, royalty free, worldwide, sublicensable license to the intellectual property in your Report: (i) to use, review, assess, test, and otherwise analyze your Report; (ii) to reproduce, modify, distribute, display and perform publicly, and commercialize and create derivative works of your Report and all its content, in whole or in part; and (iii) to feature your Report and all of its content in connection with the marketing, sale, or promotion of this Program or other programs (including internal and external sales meetings, conference presentations, tradeshows, and screenshots of the Report in press releases) in all media (now known or later developed);
- Agree to assist us in enforcing the rights granted above and sign any documentation that may be required for us or our designees to confirm the rights granted above;
- Understand and acknowledge that Playtika may have developed or commissioned materials similar or identical to your Report, and you waive any claims you may have resulting from any similarities to your Report;
- Understand that you are not guaranteed any payment or compensation for use of your Report; and
- Represent and warrant that your Report is your own work, that you haven't used information owned by another person or entity, and that you have the legal right to provide the Report to Playtika.
Submissions selected for rewards, and the individuals who submitted the vulnerabilities will receive recognition at the sole discretion of Playtika. Eligibility for rewards, including the determination of the recipients and reward amount is left up to the sole discretion of Playtika.
In addition to the terms above, you will be subject to, and you represent that you will comply with, all relevant terms and customer obligations in Playtika's Terms of Use.
Tax
You are responsible for paying any taxes associated with rewards you may receive in connection with the Program. HackerOne handles all bounty payments through the HackerOne platform. Please refer to HackerOne's relevant policies here.
Thank you for helping keep Playtika and our users safe!