NetherGames is committed to working with the security community to find vulnerabilities and issues in our systems to keep our customers and platforms safe.
We highly treasure our users' trust in us, so we hold ourselves to the highest security standards.

If you have discovered a security vulnerability that affects our systems, we offer a bug bounty program for security researchers, and we would love to work with you and rectify the issue as soon as possible. Issues and vulnerabilities can be reported via email to bounty@nethergames.org.

Scope

Website-related endpoints on any nethergames.org site (excluding forums)
API-related endpoints on apiv2.nethergames.org
Attack vectors, duplication glitches in MMO games, and security risks targeting the Minecraft: Bedrock servers.

Bounty

The minimum reward for verified, accepted, and patched vulnerabilities disclosed through the program is US$100. The reward is determined on a case-by-case basis and will depend on the severity of the vulnerability.
Please note that issues that do not impact security are not eligible for a bounty.

Rewards will be paid via international bank transfer or PayPal only. We do not support cryptocurrencies.

Submitting a report does not guarantee a bounty. Only reports that our development team can verify are eligible for a reward.

Eligibility

You are the first person to report the vulnerability
You adhere to the Disclosure Guidelines
You do not access data of other users and user accounts which you have a right to access
You provide a working proof of concept, which includes appropriate code samples
You provide appropriate instructions to reproduce the vulnerability
You do not disclose the vulnerability publicly prior to its resolution
You do not use automated scanning tools
The issue is not related to outdated dependencies
Origin IP exposure is NOT eligible for bug bounties; the exposure of those IPs is required for our Bedrock servers and is therefore unavoidable

Examples

Example report cases include:
Being able to access other users' accounts
Being able to access internal or staff-only systems
Being able to make malicious API calls that bypass authentication
XSS, SQL Injection, or other input-based exploits

Disclosure Guidelines

Reporters should:
Respect the rules. Operate within the rules set forth by NetherGames.
Respect privacy. Make an effort not to access or destroy another user's data.
Be patient. Make an effort to clarify and support their reports upon request.
Do no harm. Act for the common good by promptly reporting all found vulnerabilities. Never willfully exploit others without their permission.

