Bug Bounty Program
Our rewards are based on the severity per CVSS.
Our rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of Remake.gg OÜ.
* Please report vulnerabilities through our priority support.
Remake.gg is an online wagering platform for the most popular Esport titles. It is nearly entirely built on crypto and blockchain, enabling millions of gamers across the globe to have an easy and safe way to place bets against each other. Remake.gg does not offer titles that are categorized under "games of chance" and would require a gambling license under the gambling act.
- You are welcome to test our products with your own funds but please note that Remake.gg is not responsible for any losses.
- Our evaluation of all reported vulnerabilities is final.
Remake.gg will make a best effort to meet the following response targets for hackers participating in our program:
- Time to first response (from report submit) - 1 business days
- Time to triage (from report submit) - 3 business days
- Time to bounty (from triage) - 7 business days
- Time to resolution - depends on severity and complexity
We’ll try to keep you informed about our progress throughout the process. If crypto currency is not banned in your region, and you agree - we will pay the bounty with crypto currency to your wallet.
Do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from Remake.gg.
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Please do NOT use automatic scanners. We cannot accept any submissions found by using automatic scanners.
- Rate limit (maximum amount of requests per minute) used in automation: max 10 requests per minute.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to maximise impact.
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). Issues identified by our internal security testing prior to your report count as duplicates.
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Social engineering of any type (e.g. phishing, vishing, smishing) is strictly prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
- The scope approximately lists assets in scope for bounty testing including wildcards, except where otherwise excepted. We exercise sole and final discretion on which assets are in scope.
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:
- Open redirect at Remake.gg unless you devise a way to bypass the warning screen
- Support for HTTP methods such as POST or OPTIONS does not constitute a vulnerability by itself; please ONLY submit findings related to this if you identify specific vulnerabilities.
- Clickjacking on pages with no sensitive actions.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Rate limiting or brute-force issues on non-authentication endpoints
- Missing flags like HttpOnly or Secure on cookies
- Missing best practices in Content Security Policy or best practice security headers
- Presence of autocomplete attribute on web forms
- Tabnabbing or Reverse tabnabbing
- Blind SSRF without proven business impact (DNS pingback only is not sufficient)
- Open redirect - unless an additional security impact can be demonstrated
- Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Phishing websites and malware lookalike applications (please report to [email protected] without attachment)
- Physical security of our offices, employees, etc.
- Non-security-impacting UI/UX issues (i. e., client-side server checks)
Any activities conducted in a manner consistent with the law and our bounty policy will be considered authorised conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Remake.gg and our users safe!
© 2023 Copyright Remake.gg - Remake.gg is a registered trademark.
Remake.gg OÜ is registered under no. 16357307 in Estonia. Remake.gg is a competitive gaming platform for Counterstrike 2 and Dota 2. Remake.gg may not be available in countries that consider competitive gaming with winnings as gambling.
Made with in Estonia