BUG BOUNTY

Rules

Scope

The program covers technical vulnerabilities in web services and mobile/desktop apps listed on the Scope page. For non-security issues, contact MY.GAMES Support.

Duplicate Reports

We award bounties only for new, previously unknown vulnerabilities. A report is considered a duplicate if:

  • A prior report was submitted first
  • Multiple vectors for the same issue are submitted
  • The issue already exists in our internal tracker

0-day or 1-day vulnerabilities already known from public sources may also be marked as duplicates.

Eligibility

Participants must be 14 years or older. Those under 18 must have written parental consent. Employees of MY.GAMES, partners, or authors of the vulnerable code cannot participate.

Submission Process

After submitting a report, you will receive an automated confirmation email with a ticket number. If you do not receive it within one hour (check your spam folder), the report may not have been delivered. If there is no response within 3 business days, reply to the original confirmation email without changing the subject.

Testing Guidelines

  • Only use your own accounts
  • Never attempt to access other users’ accounts or data
  • Testing occurs in production — act responsibly

Responsible Disclosure

  • Do not share information about the vulnerability for 90 days after submission
  • Avoid posting proof-of-concept code publicly
  • Even after 90 days, do not disclose before a fix is deployed to most users
  • Premature disclosure may disqualify the report

Report Quality

Rewards may be reduced or denied if:

  • The report lacks reproduction steps or essential details
  • The researcher is unresponsive to follow-ups

Disqualification Criteria

We will reject reports if we detect:

  • Physical access to our facilities
  • Using compromised infrastructure for reporting
  • Social engineering attempts
  • Post-exploitation beyond what’s necessary to demonstrate the issue
  • Accessing third-party data or accounts

Service Availability and DoS Restrictions

  • Maintaining the availability of our services is critical. Do not attempt any testing that could degrade or disrupt functionality.
  • Denial-of-Service (DoS) and resource exhaustion attacks — including volumetric, protocol, or application-level attacks — are strictly prohibited.
  • If you identify behavior that could potentially lead to service degradation or outages, report your findings without executing them. Our team will safely verify them in a controlled environment.