SECURITY

Bug bounty

We pay up to 250 USDT for valid security reports. Find a real bug, get paid to your nominated bank account within 14 days of triage. Submit below, or email [email protected] if your finding is too sensitive for a web form.

Payout schedule

SEVERITY
BAND
EXAMPLES
critical
175 — 250+ USDT
Authentication bypass, balance manipulation, RCE on API/game-server, mass account takeover, ability to drain treasury.
high
75 — 175 USDT
Account takeover with user interaction, escalation of privilege, leaking another user’s balance or PII at scale, broken settle accounting.
medium
25 — 75 USDT
Stored XSS, CSRF on a money endpoint, broken rate limiting on auth, broken access control on non-financial admin endpoints.
low
12 — 25 USDT
Reflected XSS without exploitable impact, minor info disclosure, missing security header with no exploit path.

Bands are guidance, not contract. Exceptional findings (chained criticals, novel attack classes) can exceed 250 USDT at our discretion. Final award is set after triage.

In scope

  • rivalskills.com and all subdomains (api., ws.)
  • The 6 game engines (Maze, Candy, Blocks, Snake, Coins, Bubble) — fairness, settle accounting, provably-fair seeds
  • Auth flows: signup, login, 2FA, password reset, email change, session management
  • Money flows: crypto deposits, withdrawals, balance ledger
  • KYC document handling

Out of scope

  • DoS / volumetric attacks (rate limits exist; please do not test them at scale)
  • Social engineering of operators, KYC reviewers, or support
  • Physical attacks against any hosting infrastructure
  • Brute-force or credential stuffing without a novel bypass
  • Self-XSS, clickjacking on pages with no sensitive action
  • Missing CSP / security headers that have no demonstrable exploit
  • Findings on third-party services we depend on (Cryptomus, Xsolla, Fly, Cloudflare) — report to them

Ground rules

  1. Do not exfiltrate data. Demonstrate access with a single record (e.g. your own user id); don’t download other users’ balances or KYC documents.
  2. Do not test against live user funds. If a finding requires money to demonstrate, use your own deposits and we’ll credit them back.
  3. Submit before disclosure. We aim to triage within 72 hours and resolve within 30 days. Public disclosure before then voids the payout.
  4. One report per finding. Duplicates of an open report don’t pay; we credit the first reporter.
  5. Tax is your responsibility. Bounties are paid in USDT; declare them under your local tax law.

Submit a report

Rate-limited: 3 reports per hour per IP.
Sensitive finding? Contact us directly — PGP key available on request.