Responsible Disclosure and Bug Bounty

Get rewarded for helping Tebex make gaming more secure

Report bugs

Tebex invites the responsible disclosure of any vulnerabilities or bugs that risk making our customer experience less secure.

Receive rewards

For the first disclosure of each in-scope bug, we will reward the researcher in line with the VRT of the bug reported.

Safe harbor

Research done and disclosures made in good faith and in line with this policy will come under Safe Harbor provisions.

Tebex Bug Bounty and Responsible Disclosure Programme - Terms and Conditions

Introduction

Tebex believes that a healthy and trusting relationship with security researchers around the world is the best way to make customers more secure. We invite security researchers to help us in discovering vulnerabilities missed during the software development process, helping to protect millions of gamers, server owners and content creators globally.

If you are a security researcher who has found a vulnerability or security bug in a Tebex product, we want to hear from you. The first report of any vulnerability of an in-scope product as defined below may receive a bounty reward. Even if a vulnerability is out of scope, or has otherwise already been reported, we will publicly acknowledge your contributions when we fix the vulnerability.

Ground Rules

To encourage vulnerability research and to avoid any confusion between legitimate research and malicious attack, we ask that you attempt, in good faith, to:

  • Play by the rules. This includes following this policy and any other relevant agreements;
  • Report any vulnerability you’ve discovered promptly;
  • Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
  • Use only the Official Channels to discuss vulnerability information with us;
  • Handle the confidentiality of details of any discovered vulnerabilities according to our Disclosure Policy;
  • Perform testing only on in-scope systems, and respect systems and activities that are out-of-scope;
  • If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;
  • You should only interact with test accounts you own or with explicit permission from the account holder; and
  • Do not engage in extortion.

Scope

Our application is split into three sections: Tier 1 properties, Tier 2 properties and out-of-scope properties. Within all properties, only security vulnerabilities will be considered in scope, i.e. bugs that can be used to gain access to accounts or data, to perform denial-of-service attacks, or similar:

Tier 1: checkout.tebex.io

SaaS payment aggregation platform. Payments functionality:
- Data collection
- Payment method selection

NB: Payment detail collection is generally considered out of scope, as we rely on third parties to do this collection.

A valid basket must have been created via one of the example webstores below.

Tier 1: wallet.tebex.io

Balance holding platform for merchants selling via checkout.tebex.io.

Authentication via OAuth2, wallet management, payout method creation. In order to log in via OAuth2, a valid account on server.tebex.io must be used.

NB: The gathering of payout method details and identity verification is generally considered out of scope, as these are performed via a third party platform.

Tier 2: steambugs.tebex.io

SaaS eCommerce platform using Steam username verification.

Webstores do not directly handle payments; this is done via checkout.tebex.io. Player identification is performed via Steam, but this doesn't grant any additional access to purchase history, saved payments etc.

NB: A valid Steam account is required to identify as a player.

Tier 2: fivembugs.tebex.io

SaaS eCommerce platform using CFX.re username verification.

Webstores do not directly handle payments; this is done via checkout.tebex.io. Player identification is performed via CFX.re, but this doesn't grant any additional access to purchase history, saved payments etc.

NB: A valid CFX.re account is required to identify as a player.

Tier 2: plugin.tebex.io

API platform for fetching payment and command state based on purchases.

Documentation available at: https://docs.tebex.io/plugin/

NB: In order to authenticate against the plugin, a valid secret key, obtained from server.tebex.io, must be used.

Tier 2: server.tebex.io

Account/platform management for customers.

If your vulnerability requires a particular plan, please contact our support team for a limited-duration upgrade.

For the avoidance of doubt, all other domains or *.tebex.io subdomains are out of scope, with the following exceptions:

  • One of the in-scope domains above has a vulnerability caused directly by its interaction with another *.tebex.io subdomain (e.g. by user redirect during authentication or because of an API call made by an in-scope domain to an out-of-scope domain).
  • Where reproduction of a webstore vulnerability is only possible using a certain combination of settings, then a researcher can submit a vulnerability on a webstore associated with a pre-confirmed email address. In this instance, vulnerabilities that are caused by using a custom template that only impact that specific webstore (rather than, for example, making it possible to exfiltrate data belonging to another account) are still considered out of scope.

Bug Classifications

We use the Bugcrowd VRT to classify and rate all bugs: https://bugcrowd.com/vulnerability-rating-taxonomy, with the variances specified below. In all cases, our classification of a particular bug is considered final, but where possible and appropriate we will explain why our classification differs from the one proposed by a researcher.

VRT Variances

Due to the specific nature of our application, the following variances to the default VRT will apply:

  • For Broken Authentication and Session Management, a finding will only be deemed P1 if the bypass grants access to one of:
    • wallet.tebex.io
    • server.tebex.io
    • plugin.tebex.io (accessing API data belonging to an alternative user)
    • A Tebex-specific admin panel (please contact us for confirmation if you believe you have found an admin panel)
  • In other parts of the site (such as on webstore front-ends), we use third party authentications (Login with Steam, Login with Discord etc.) purely to identify a player, rather than granting any additional permissions on the basis of that authentication. In these situations, a Broken Authentication and Session Management finding will be deemed P3, unless it can be proven that such a login does grant access to one of the above.

Bug Bounty

Researchers can opt to receive their bounty in one of two ways:

  1. As cash
  2. As credit towards a paid plan on Tebex

The reward for each bounty will be in the following ranges:

Tier 1

VRT   Cash               Credit
P4    $50 - $75          $85 - $125
P3    $200 - $335        $300 - $500
P2    $500 - $665        $750 - $1,000
P1    $1,165 - $1,500    $1,750 - $2,250

Tier 2

VRT   Cash               Credit
P4    $40 - $55          $65 - $95
P3    $150 - $250        $225 - $375
P2    $375 - $500        $565 - $750
P1    $875 - $1,125      $1,315 - $1,700

Researcher Expectations

When working with us according to this policy, you can expect us to:

  • Work with you to understand and validate your report, including a timely initial response to the submission;
  • Work to remediate discovered vulnerabilities in a timely manner;
  • Recognize your contribution to improving our security if you are the first to report a unique vulnerability and your report triggers a code or configuration change; and
  • Pay out any offered bug bounty in a timely manner, either to PayPal or by wire transfer (NB: wire transfers are subject to a minimum reward payout of $250).

Safe Harbor

When you conduct vulnerability research according to this policy, we consider that research to be:

  • Authorized in view of any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Authorized in view of relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Acceptable Usage Policy that would interfere with conducting security research, and we waive those restrictions on a limited basis; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.

Tebex Bug Bounty and Responsible Disclosure Programme - Disclosure Form

The Tebex Bug Bounty Programme is currently closed for new submissions.
Existing submissions will be processed as soon as possible (within 10 working days).
Thank you for your interest, and we hope to re-open the bounty programme soon.