Join the great bug hunt!

We want to give players and security researchers around the world the opportunity to report security vulnerabilities with real-world impact in our applications.

No technology is perfect. Gameforge believes that working with skilled security researchers across the globe is essential to identifying and mitigating meaningful security risks. If you believe you've found a security issue in one of our products or services, we encourage you to notify us.

Interested? You can find all important details in the Scope and Rules.

Participate in the Vulnerability Disclosure Program

Focus

We highly value well-documented reports that clearly demonstrate business, user, or security impact, ideally supported by a proof of concept (PoC).

Reports that focus solely on missing best practices, theoretical weaknesses, or hardening opportunities without a demonstrable impact are generally treated as informational.

Our Commitment
(Rules for Gameforge)

  • We will ensure that reported vulnerabilities are triaged and handled as quickly as possible.
  • We will review your report promptly and provide feedback where appropriate.
  • We will keep you informed about the status of your report.
  • As long as you follow the rules below, you will not face legal action for responsible testing and disclosure.

Your Responsibilities (Rules for You)

Please follow these rules to ensure responsible disclosure and to avoid negative impact on our players, employees, or infrastructure:

  • You must not attack, exploit, alter, or otherwise compromise the accounts of third parties (players, employees, etc.). Where possible, only use your own accounts for testing.
  • DDoS, spam, or other disruptive attacks on our infrastructure are strictly prohibited, including social engineering and phishing.
  • Vulnerabilities must not be exploited for personal gain or to the detriment of third parties.
  • Vulnerabilities must be reported exclusively to Gameforge directly or via Bugcrowd and must not be disclosed publicly or to third parties before we have fixed them.
  • The use of automated scanners or large-scale automated testing tools is not permitted.
  • Social engineering of Gameforge staff or game teams is not allowed.
  • Only the websites and services explicitly listed as part of the program may be tested.
What can be reported?

Vulnerabilities That Do Not Need to Be Reported

To help us focus on issues with actual security or business impact, please do not report the following:

  • Issues that only affect obsolete or unsupported browsers or plug-ins
  • Vulnerabilities that require extremely unlikely or unrealistic user behavior (e.g. manual copy & paste, deliberate deactivation of security features)
  • Insecure cookie settings for cookies that do not contain confidential or sensitive data
  • Disclosure of information that presents no meaningful risk or is already publicly accessible
  • Vulnerabilities in third-party software or services used by Gameforge
  • Vulnerabilities in applications or domains not listed as part of the Gameforge Vulnerability Disclosure Program
  • Missing security best practices, hardening suggestions, or configuration recommendations without a demonstrated exploit path or impact (these may be treated as informational)

Scope – Where Can I Hunt for Bugs?

Gameforge develops and operates a variety of web applications and games, and also publishes games developed by third parties while using third-party services.

Only vulnerabilities in software and services developed and managed by Gameforge are eligible for this program. Vulnerabilities in third-party software are excluded.

To avoid misunderstandings, please consult the Scope for the full and up-to-date list of domains and applications that are in scope for the Vulnerability Disclosure Program.

Any more questions?

Scope

Which domains are part of the Vulnerability Disclosure Program?

We use Bugcrowd for managing vulnerability reports, the scope is defined there in more detail. In a nutshell, you can go bug hunting on the following domains:

  • *.gameforge.com
  • *.gameforge.de
  • *.gfsrv.net
  • Our games
SHOW ALL

Out-of-Scope Vulnerabilities

In addition to the topics covered by "Vulnerabilities that don’t need to be reported" above, the following vulnerabilities are also not in the scope of our Vulnerability Disclosure Program:


  • Attacks requiring physical access to a user's device
  • Self-XSS (we require evidence on how the XSS can be used to attack another Gameforge user)
  • Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages
  • Lack of CSRF tokens (unless there is evidence of actual, sensitive user action not protected by a token)
  • Login/Logout CSRF
  • Our policies on presence/absence-content of SPF, DKIM, MTA-STS, and DMARC records
  • Host header injections unless you can show how they can lead to stealing user data
  • Absence of rate limiting, unless related to authentication
  • Missing security headers which do not lead directly to a vulnerability
  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
  • Password, email and account policies, such as email id verification, reset link expiration, password complexity
  • Use of a known-vulnerable library (without evidence of exploitability)
  • Reports from automated tools or scans
  • Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)
  • Any report about DLL hijacking without demonstrating how it gains new privileges is also out of scope
SHOW ALL

TL;DR – What We're Looking For

High priority: Vulnerabilities with clear security or business impact, ideally supported by a working proof of concept (PoC)
(e.g. account takeover, data exposure, privilege escalation, financial impact, bypass of security controls)


Lower priority / Informational:

  • Missing best practices or hardening recommendations
  • Theoretical issues without a realistic attack scenario
  • Configuration findings without demonstrable impact

Out of scope:

  • Issues in third-party software
  • Reports affecting only obsolete browsers or unrealistic user behavior
  • Automated scanner findings without manual validation
  • Publicly available or non-sensitive information disclosures

If you're unsure whether an issue is impactful, show us. A short PoC or attack scenario that demonstrates real-world impact significantly increases the likelihood of acceptance and reward.

SHOW ALL

What do I need to know?

You must adhere to the following when taking part in our Vulnerability Disclosure programme:

Legal representatives and current or former employees of the Gameforge AG company group and associated companies, their spouses and relatives, are excluded from participation. Minors may only participate with the consent of their parents or legal guardians.


  • Gameforge should have sufficient time to react and fix the problem.
  • Whilst performing the security check, you have taken all necessary precautions not to interrupt or restrict the tested service’s availability.
  • You have not extracted or transmitted third-party data.
  • You have not informed third parties about the vulnerability.

See also: Rules for You

SHOW ALL

Report Security Issues

Found a vulnerability? Report it to us and help make our services more secure!