Security Bug Bounty
At NetherGames, we take privacy and security very seriously. As such, we encourage everyone to participate in our bug bounty program, which incentivizes researchers and hackers to responsibly find, disclose, and help us resolve security vulnerabilities. As with many bug bounties, NetherGames has a clear and straightforward set of rules that help protect both us and those looking to disclose. Thanks for participating, and happy bug hunting!
How we approach security issues
NetherGames will not take legal action against users for disclosing vulnerabilities as instructed here.
Vulnerability reports will always be responded to quickly—usually within 24 hours.
Based on each issue's validity, severity, and scope, we'll reward you with store credits (or cold, hard cash if you prefer).
Program rules
Only use and test on accounts you directly own. Testing should never affect other users.
Testing should be limited to sites, Minecraft servers, and other services that NetherGames directly operates. We will not accept reports for third-party services or providers integrating with NetherGames through our APIs.
Don't perform any actions that could harm the reliability or integrity of our services and data. Some examples of harmful activities not permitted under this bounty include brute forcing, denial of service (DoS), spamming, timing attacks, etc.
Don't use scanners or automated tools to find vulnerabilities.
Information about issues found should be publicly disclosed or shared once we've completed our investigation and resolution. After confirmation, you can document and publish any information about the problems you've found.
Out-of-scope vulnerabilities
When reporting vulnerabilities, please consider the attack scenario/exploitability and the security impact of the bug. We generally consider the following issues out of scope (not an exhaustive list):
Attacks requiring MITM or physical access to a user's device
Brute force attacks
Clickjacking
Content spoofing and text injection
CSRF vulnerabilities
Denial of Service attacks
Email SPF, DKIM, and DMARC records
Gift code enumeration
Missing HttpOnly/Secure cookie flags
Open CORS headers
Publicly accessible login panels
Publicly exposed game server IPs
Reports from scanners and automated tools
Reports on the subdomains forums.nethergames.org, status.nethergames.org, and support.nethergames.org
Self-exploitation (like token reuse and console scripting)
Social engineering or phishing attacks targeting users or staff
Found a security vulnerability?
Select the "Bug Bounty" option at https://ngmc.co/request and fill out the form.
Updated on: 23/01/2023