At PlayerAuctions, the security of our platform and the protection of our users' data is our top priority. With this in mind, we welcome the efforts of the global security research community to make this goal a reality. If you believe you’ve found a security vulnerability on our platform, feel free to report it to us.
This policy explains our reporting rules, what you can expect from us, and how we reward beneficial contributions.
Safe Harbor
We consider security research and vulnerability disclosure activities conducted under this policy to be authorized and in good faith. We will not take legal action against researchers for breaking into or attempting to break into our systems so long as they adhere to the rules outlined in this policy.
How to Report a Vulnerability
To ensure that your report is received and processed as soon as possible, please submit all your findings exclusively to our official security channel: infosec@playerauctions.com
To assist us in smoothly validating your report, please include the following details:
• Vulnerability Type: A clear description (e.g., Cross-Site Scripting, IDOR, SQLi).
• Affected URL/Endpoint: The precise location of the vulnerability.
• Detailed Steps to Reproduce: A clear, step-by-step guide.
• Proof of Concept (PoC): Screenshots, code snippets, or a video demonstrating the impact.
• Potential Impact: A brief explanation of what an attacker could achieve.
Program Rules & Scope
In-Scope Assets:
*.playerauctions.com
Out-of-Scope Assets:
• Any third-party services that PlayerAuctions uses (e.g., Zendesk, social media platforms).
• Our corporate blog, marketing sites, or any non-production environments.
• Any assets not otherwise listed as In-Scope.
Prohibited Actions:
• Denial of Service (DoS or DDoS) attacks.
• Spamming, social engineering, or phishing of our staff or users.
• Accessing, modifying, or exfiltrating any information other than your own.
Rewards and Vulnerability Rating
We are committed to rewarding the high-quality work of security researchers. Our rewards are based on the severity, business impact, and exploitation context of a vulnerability.
The final reward amount is determined by the PlayerAuctions Information Security team following a comprehensive assessment of the vulnerability's severity (CVSS), business impact, and exploitation context.
| Severity | Bounty Range (USD) |
| Critical | $500+ |
| High | $200 - $500 |
| Medium | $100 - $200 |
| Low | Up to $100 |
Out-of-Scope Vulnerabilities (Ineligible for Reward)
The following types of findings are generally not eligible for a bounty:
• Reports from automated scanners without a demonstrated, practical attack vector.
• Missing security headers (e.g., CSP, HSTS) or "best practice" configurations without proof of an exploitable vulnerability.
• Software version disclosure.
• SPF, DKIM, DMARC record issues.
• Self-XSS (requiring a user to paste code into their own browser).
• Login/logout CSRF.
• Rate limiting issues (unless they lead to a critical vulnerability).
• Clickjacking on pages with no sensitive actions.
• Configuration or architectural limitations of third-party SaaS services (e.g., Zendesk), including rate limiting issues or email triggering, that do not result in sensitive data exposure.
Our Process & What to Expect
1. Acknowledgement: We’ll do our best to acknowledge receipt of your report within two business days.
2. Triage & Validation: Our team will validate your findings. We’ll notify you if it’s a duplicate or qualifies for a reward.
3. Remediation: Our development team will work to fix the vulnerability according to our internal SLAs.
4. Reward: Once the vulnerability is fixed and validated, we’ll process the bounty payment.