We are dedicated to our users ' privacy and security, as well as the environment we create for them. We believe it is paramount to achieve this goal to have a talented group of independent security researchers. We run this Report a Bug program to recognize prospective vulnerabilities by researchers. Please check the following guidelines for the laws of this report a bug.
While our expert team is making every effort to mitigate all the bugs in our systems, Mister Rummy is inviting independent security groups and players to study it across all platforms and helping us make it even safer for our players. If you find a bug, we appreciate your collaboration in researching it responsibly and reporting it to us so we can tackle it as quickly as possible.
We give reward and recognition for bugs / vulnerabilities linked to security.
Please report them to:firstname.lastname@example.org for any issues related to fraud.
Guidelines & Rules
Participating in MisterRummy Report-a-bug program requires you to follow our guidelines. Responsible investigation and reporting include, but not limited to the following:
- Do not infringe other users ' privacy, ruin information, interfere with our facilities, etc
- Do not hourly request updates.
- Only target your own accounts as any bugs / findings are investigated. Do not aim, try to access, or otherwise interfere with other users ' accounts.
- Do not target or try to use social engineering, spam, distributed service denial (DDOS) attacks, etc.
- You should not continue further if you discover a serious vulnerability that enables system access.
- It is the decision of MisterRummy to determine when and how to address and fix bugs.
- It is prohibited to disclose bugs to a party other than MisterRummy all bug reports shall remain at the reporter's discretion and at the discretion of MisterRummy.
- Threats of any kind disqualify you automatically from taking part in the programme.
- The report will be disqualified automatically if the vulnerability is exploited or misused for its own benefit or for other benefits.
- Communications with the MisterRummy Security Team regarding bug disclosure shall remain confidential. Researchers are required to destroy all artifacts created to document vulnerabilities (POC code, videos, screenshots) after the report of the bug is closed.
In particular, kindly explore and report bugs so as not to be disruptive or detrimental to us or our customers, making a sensible, good faith effort. Otherwise, rather than being useful, your actions could be viewed as an assault.
||Up to: 500
||Up to: 200
||Up to: 100
||Starting at: 20
Any vulnerabilities presented would be invalidated by following characteristics:
- attacks involving physical access to a user's computer,
- Results from automated instruments without manual confirmation.
- Bugs affecting third party websites that use social club data
- SSL/TLS configuration issues, such as: Perfect Forward Secrecy not supported, TLSv1.0 / 1.1
- Lack of HTTPOnly or secure flag on non-session cookies
- Autocomplete enabled
- Banner disclosures
- Session timeout
- Window.opener issues
- Nickname/gamertag enumeration
- Cross-Script Includes (Unless a particularly creative or damaging exploit can be found as a result)
- Text / content injection
- Email spoofing directly or as it ties to any of our contact forms
- Insecure crossdomain.xml policy on rockstargames.com
- Ability to add hyperlinks to player feed, friend requests, etc.
- Password re-use attacks, in general
- Generic error messages
- Control-character injection (unless you can do something impactful against users other than yourself)
- Attacks that only work against yourself (e.g. host header injection, self-XSS)
- Web security problems (e.g. cross-site scripting and SQL injection problems)
- Game exploits (e.g. insta-win bugs or third party game modifications)
- Other security concerns (e.g. infrastructure security problems, information disclosure issues, memory corruption)
- How could a malicious user potentially benefit from this issue?
- Server Side Request Forgery (SSRF)
- Privilege Escalations
- File inclusions (Local & Remote)
- Leakage of sensitive data
- Directory Traversal
- Administration portals without authentication mechanism
- Open redirects which allow stealing tokens/secrets