GUIDELINES

You must pay attention to the following points when taking part in our Vulnerability Disclosure Program.

Legal representatives and current or former employees of the Gameforge AG company group and associated companies, their spouses and relatives, are excluded from bounties. Minors may only participate with the consent of their parents or legal guardians.

Please also note the following:

  • Whilst performing the security check, you have taken all necessary precautions not to interrupt or restrict the tested service’s availability.
  • You have not extracted or transmitted third-party data.
  • You have not informed third parties about the vulnerability.
  • See also: Rules for You

Report Bug

Please complete all fields in the following form. Only then will we be able to process your report quickly.

How do I best describe the vulnerability?
Please provide a detailed description of the vulnerability. Include details of how to exploit it (e.g. proof of concept), and the browser or settings required to reproduce it.


Join the great bug hunt!

We want to give players around the world the chance to report security vulnerabilities in our applications.

No technology is perfect, and Gameforge believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Interested? You can find all important details in the FAQ and rules.

Participate in the Vulnerability Disclosure Program

Requirements

You must adhere to the following when taking part in our Vulnerability Disclosure Program:

Legal representatives and current or former employees of the Gameforge group and associated companies, their spouses and relatives, are excluded from potential bounties.

Minors may only participate with the consent of their parents or legal guardians.

Rules for Gameforge

We’ll ensure that the bugs you report wind up in quarantine as quickly as possible!

  • We’ll deal with your report quickly.
  • We’ll keep you in the loop.
  • As long as you play by the following rules, you will not face legal action for using hacks.

Rules for You

Please abide by the following rules to ensure nobody is adversely affected and everything is legally above board:

  • You are not permitted to attack, exploit, alter or otherwise compromise the accounts of third parties (players, employees etc.). Where possible, you should only use your own accounts for the purpose of testing vulnerabilities.
  • DDoS, spam or other attacks on our infrastructure – including social engineering and phishing – are not permitted.
  • Potential vulnerabilities may not be exploited to your own personal advantage or the disadvantage of third parties.
  • Potential vulnerabilities should be communicated solely with Gameforge and may not be published or given to third parties before we have fixed them.
  • The use of scanner tools and automated tests is prohibited.
  • Social engineering (including phishing) of Gameforge staff or game teams is not allowed.
  • Only the websites listed below (those managed and developed by Gameforge) may be tested for vulnerabilities.

What can be reported?

Vulnerabilities that don’t need to be reported

To make sure we can concentrate on the most important vulnerabilities, we ask you not to report the following cases:

  • Vulnerabilities based on obsolete browsers or plug-ins
  • Vulnerabilities which require extremely unlikely user behaviour (e.g. manually copying and pasting, or deliberately deactivating security features)
  • Insecure cookie settings for cookies containing non-confidential data
  • Disclosure of information which presents no risks or is publicly accessible
  • Vulnerabilities which have already been reported and are known to us
  • Vulnerabilities in third-party software used by Gameforge
  • Vulnerabilities/bugs not listed as Gameforge applications in the bounties list

Where can I hunt for bugs?

We’ve provided you with a list of the most important applications, to ensure you don’t waste time on trivial searches.

Gameforge develops and hosts a number of different web applications and games, as well as offering games developed by third parties and making use of third-party applications.

Vulnerabilities in software which is not developed by us are excluded from the Vulnerability Disclosure Program. Nevertheless, we’re grateful for every bug report we receive and will gladly forward your reports to the respective developers in your name – if you so wish.

To avoid any misunderstandings, you can find a list of all domains which are part of the Vulnerability Disclosure Program in the FAQ.

Any more questions?

FAQ

This FAQ contains answers to the most commonly asked questions. If you have a question that is not answered here, you can contact us at any time at vdp@gameforge.com.

Which domains are part of the Vulnerability Disclosure Program?

You can go bug hunting on the following domains:

  • *.gameforge.com
  • *.gameforge.de
  • *.gfsrv.net
  • Our games

Have you found a bug in a Gameforge application somewhere beyond these domains? We’re grateful for every bug report we receive and will gladly forward your reports to the respective developers in your name – if you so wish.


Out-of-Scope Vulnerabilities

In addition to the topics covered by Vulnerabilities that don’t need to be reported above, the following vulnerabilities are also not in the scope of our Vulnerability Disclosure Program:

  • Attacks requiring physical access to a user's device
  • Self-XSS (we require evidence on how the XSS can be used to attack another Gameforge user)
  • Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages
  • Lack of CSRF tokens (unless there is evidence of actual, sensitive user action not protected by a token)
  • Login/Logout CSRF
  • Our policies on the presence, absence or content of SPF and DMARC records
  • Host header injections unless you can show how they can lead to stealing user data
  • Missing security headers which do not lead directly to a vulnerability
  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
  • Password, email and account policies, such as email address verification, reset link expiration or password complexity
  • Use of a known-vulnerable library (without evidence of exploitability)
  • Reports from automated tools or scans
  • Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)
  • Reports of DLL hijacking that do not demonstrate how it gains new privileges
  • Absence of rate limiting, unless related to authentication


What do I need to know?

You must adhere to the following when taking part in our Vulnerability Disclosure program:

Legal representatives and current or former employees of the Gameforge AG company group and associated companies, their spouses and relatives, are excluded from bounties. Minors may only participate with the consent of their parents or legal guardians.

  • You have given Gameforge sufficient time to react and fix the problem.
  • Whilst performing the security check, you have taken all necessary precautions not to interrupt or restrict the tested service’s availability.
  • You have not extracted or transmitted third-party data.
  • You have not informed third parties about the vulnerability.

See also: Rules for You


Report Bug

Found a bug?

Then report it to us and we’ll deal with the rest!