This repository was archived by the owner on Jul 2, 2023. It is now read-only.

Security: SubsurfaceStudios/CompensationAPI

SECURITY.md

Security Policy

Supported Versions

Please only report security vulnerabilities found in the most recent version of the API! Other than that, almost everything security- or authentication-related is fair game.

When testing anything with even a chance of being destructive, PLEASE clone or fork the repo and test it locally! If you need help with this, reach out to bubby932#2316 on Discord and I'll be more than happy to provide dummy or falsified data! If you do cause damage while destructively testing, you may be subject to punishment or account suspension, and you might not receive any bounty rewards.

Reporting a Vulnerability

When reporting a vulnerability, please directly contact a member of the Subsurface Studios API team, preferably Rose932#1454. Make sure to include the following, in as much detail as possible:

  • The main issue (e.g. "Player accounts can be accessed without a token or login.")
  • Some information on what you think causes the issue (e.g. "Player authentication can be bypassed by including this escape sequence at the beginning of a fake token")
  • Reproduction instructions (e.g. "Simply send an authenticated request to /api/accounts/private with the token Bearer 3947593687857847-32f")
  • How often / how reliably the issue occurs.

Optional information you can include (and you're encouraged to!):

  • Contact information where we can update you on the situation or request more information.
  • Your in-game username or UUID. This lets us give you the rewards / bounty associated with safely reporting a vulnerability.
  • Photos / Videos / Request Logs of how you discovered / tested the vulnerability.
  • Your Discord username with discriminator (username#1234) so we can give you bounty rewards.

Rewards for safely disclosing vulnerabilities:

  • The Bug Bounty shirt in-game, which is only available to those who report vulnerabilities; OR an item of your choice from the in-game item catalog (with exceptions); OR a tag of your choice in-game (this does not include any tag which grants in-game permissions such as Moderator, Staff, or Developer); OR a lump sum of in-game currency. We cannot currently provide real-life compensation for vulnerabilities.
  • The "Bug Bounty Recipient" tag in-game. (This may grant special permissions or access later.)
  • The "Bug Bounty Recipient" role on the Compensation VR Discord.