Scopely Bug Bounty Program

Welcome to Scopely's Bug Bounty Program! This program encourages and rewards contributions by security researchers who help make Scopely's mobile games and communities more secure. To recognise your efforts and the important role you play, we offer bounties for reporting valid security vulnerabilities to us.

Program Rules

Reporting Checklist

Do be aware that the quality of your report is critical to your submission. To ensure your report is triaged and awarded as quickly as possible, please ensure reports are detailed and clear. Please include:

• The IP you are using for the testing
• Your game user ID
• All your traffic must contain the following header that will allow us to identify you: X-Security-Testing: @hackerone_handler.
• Reproducible steps: Include detailed steps and any links you clicked on, pages you visited, URLs, user IDs, etc. If this contains more than a few steps, please create a video so we can attempt to perform the same steps
• Impact
• Use cases: Define the real-world scenarios where an attacker would be able to exploit this vulnerability
• Fix suggestions where possible

Eligibility & Responsible Disclosure

To promote the discovery and reporting of vulnerabilities and increase user safety, we ask:

• If you are researching security issues, especially those which may compromise the privacy of others, please use test accounts in order to respect our user's’ privacy.
• Act in good faith not to degrade the performance of our services (including denial of service).

We are grateful to everyone who submits valid reports to help us improve the security of Scopely games, however only those that meet the following eligibility requirements may receive a monetary reward:

• You must be the first reporter of the vulnerability
• The vulnerability must be associated with an in-scope game or service
• The report must adhere to the Reporting Checklist above
• Follow HackerOne’s Disclosure Guidelines

#Our Games

|Game Tier 1 || |--- | --- | --- | --- | |{F2622775}| Monopoly GO|

|Game Tier 2 || |--- | --- | --- | --- | |{F2880698}|Star Trek Fleet Command| |{F1700748}| MARVEL Strike Force: Squad RPG |

|Game Tier 3 || |--- | --- | --- | --- | | {F578740} | Scrabble® GO-Classic Word Game | |{F526846} | YAHTZEE® With Buddies Dice Game | |{F526847} | Dice With Buddies™ - The Fun Social Dice Game | |{F3503721}| Grand Casino: Slots & Bingo | |{F3503722}| GSN Casino: Slot Machine Games | |{F3503709}| Tiki Solitaire TriPeaks | |{F3503723}| Bingo Bash: Live Bingo Games | |{F526865}| ** WWE Champions**|

|No reward || |--- | --- | --- | --- | |{F1590342}| Looney Tunes™ World of Mayhem | |{F2976747}| StumbleGuys| |{F526845}| ** Wheel of Fortune**

Some of our games share a common framework, please only create one report if the same issue appears in several games as this would be considered one issue in the framework.

Rewards

Each bug is awarded a bounty based on its severity and creativity. Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

We categorize security bugs in our service into impact categories:

Scopely will determine whether a reward should be granted and the amount of the reward - in particular we may choose to pay higher rewards for unusually clever or severe vulnerabilities or lower rewards for vulnerabilities that require significant or unusual user interaction.

Any vulnerability that affects the economy of a game or gives a player an unfair advantage over other players (cheating) is likely to qualify for the program. Vulnerabilities affecting the security of the company resources other than the live games service may qualify under the additional services category.

Impacts the global game economy

• Obtaining an In-App Purchase-backed item or currency illegally / outside of the intended design (usually an unlimited amount)
• Modifying another user's data (currencies, inventories, progress, etc)
• Giving or crediting illegal currencies to another user

Impacts tournaments or leaderboards

• Unfairly affecting leaderboard position (Please do not place #1 - #10 if an issue is identified).
• Unfairly affecting tournaments and outcomes

Impacts individual's economy

• Obtaining currencies for your user illegally (usually a limited amount)

Impacts the group, club, or faction

• Unfairly affecting the success of a group, club, or faction

Impacts player privacy

• Obtaining personally identifiable information of one or more players outside of the intended design of the game.

Impacts player vs. player

• Game rigging / forcing a win

Impacts individual

• Obtaining personal game items illegally / outside of the intended design (experience, health, points, rank, rewards, other inventory systems)
• Unfairly affecting the game progression system in a way that violates the designed progression track (achievements, badges, character stats, leveling up, move upgrades, etc)
• Unfairly affecting time-based drops, rewards, or benefits

Impacts the security of the game service

• Any security bug that can materially impact the availability and integrity of our live games service (see exclusions)

Impacts the security of additional services

• Any security bug that can materially impact the availability, integrity and confidentiality of additional company services such as development resources, people management or data analytics (see exclusions)

No-Fix & Backlog Handling Policy

• If upon review of a report we do not find the vulnerability high enough impact or probability, we may choose not to fix. Reports deemed No-Fix by the team will not be eligible for a bounty and will be closed.
• If upon review of a report the team decides to postpone a fix by adding the issue to their backlog, we may pay the bounty and close the issue in HackerOne so that it does not get stuck in Open/Triage for long periods of time. Duplicate reports will be linked to the closed HackerOne issue previously reported. Once the backlog issue is fixed, we will follow up on the closed report notifying of the resolution.

Out of scope

• "Scanner output" or scanner-generated reports
• "Advisory", "Informational" or based on "Best Practices" reports
• Server misconfigurations without a proof of concept of how they can lead to a real vulnerability
• Vulnerabilities in 3rd-party software such as frameworks, plugins or libraries (Wordpress, Jira, Discourse, Okta, Unity, ...)
• HTTP headers hardening and recommendations (Clickjacking, X-Frame-Options, CORS, ...)
• Subdomain takeovers will be marked as informative as they are already being tracked internally with tools to prevent this from happening and clearing out the dangling DNS entries
• Any type of Denial of service (DOS) attacks
• Social engineering of Scopely staff or contractors
• Any physical attempts against Scopely property
• Rate limiting testing or brute force attacks against any asset
• Reports on other Scopely-owned assets that are not explicitly marked in scope in the list below, such as games, websites, domains, applications or endpoints. Are currently ineligible for monetary rewards. As they come into scope, they will be added to the in scope section below.