Tebex invites the responsible disclosure of any vulnerabilities or bugs that risk making our customer experience less secure.
For the first disclosure of each in-scope bug, we will reward the researcher in line with the VRT of the bug reported.
Research done and disclosures made in good faith and in line with this policy will come under Safe Harbor provisions.
Tebex believes that a healthy and trusting relationship with security researchers around the world is the best way to make customers more secure. We invite security researchers to help us in discovering vulnerabilities missed during the software development process, helping to protect millions of gamers, server owners and content creators globally.
If you are a security researcher who has found a vulnerability or security bug in a Tebex product, we want to hear from you. The first report of any vulnerability of an in-scope product as defined below may receive a bounty reward. Even if a vulnerability is out of scope, or has otherwise already been reported, we will publicly acknowledge your contributions when we fix the vulnerability.
To encourage vulnerability research and to avoid any confusion between legitimate research and malicious attack, we ask that you attempt, in good faith, to:
Our application is split into three sections: Tier 1 properties, Tier 2 properties and out-of-scope properties. Within all properties, only security vulnerabilities (bugs that can be used to gain access to accounts or data, to perform denial-of-service attacks, or similar) will be considered in-scope:
SaaS payment aggregation platform. Payments functionality:
NB: Payment detail collection is generally considered out of scope, as we rely on third parties to do this collection.
A valid basket must have been created via one of the example webstores below.
Balance holding platform for merchants selling via checkout.tebex.io
Authentication via OAuth2, wallet management, payout method creation - in order to login via OAuth2, a valid account on server.tebex.io must be used.
NB: The gathering of payout method details and identity verification is generally considered out of scope, as these are performed via a third party platform.
SaaS eCommerce platform using Steam username verification
Webstores do not directly handle payments - this is done via checkout.tebex.io. Player identification is performed via Steam, but this doesn't grant any additional access to purchase history, saved payments etc.
NB: A valid Steam account is required to identify as a player
SaaS eCommerce platform using CFX.re username verification
Webstores do not directly handle payments - this is done via checkout.tebex.io. Player identification is performed via CFX.re, but this doesn't grant any additional access to purchase history, saved payments etc.
NB: A valid CFX.re account is required to identify as a player
API platform for fetching payment and command state based on purchases
Documentation available at: https://docs.tebex.io/plugin/
NB: In order to authenticate against the plugin, a valid secret key, obtained from server.tebex.io must be used
Account/platform management for customers
If your vulnerability requires a particular plan, please contact our support team for a limited-duration upgrade.
For the avoidance of doubt, all other domains or *.tebex.io subdomains are out of scope, with the following exceptions:
We use the Bugcrowd VRT to classify and rate all bugs: https://bugcrowd.com/vulnerability-rating-taxonomy, with the variances specified below. In all cases, our classification of a particular bug is considered final, but we will, where possible, explain why our classification differs from the one proposed by a researcher.
Due to the specific nature of our application, the following variances to the default VRT will apply:
Broken Authentication and Session Management: these will only be deemed P1 if the bypass grants access to one of:
Broken Authentication and Session Management will otherwise be deemed P3, unless it can be proven that such a login does grant access to one of the above.
Researchers can opt to receive their bounty in 2 ways:
The reward for each bounty will be in the following ranges:
| P4 | $50 - $75       | $85 - $125      |
| P3 | $200 - $335     | $300 - $500     |
| P2 | $500 - $665     | $750 - $1,000   |
| P1 | $1,165 - $1,500 | $1,750 - $2,250 |

| P4 | $40 - $55       | $65 - $95       |
| P3 | $150 - $250     | $225 - $375     |
| P2 | $375 - $500     | $565 - $750     |
| P1 | $875 - $1,125   | $1,315 - $1,700 |
When working with us according to this policy, you can expect us to:
When conducting vulnerability research according to this policy, we consider that research to be:
You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.
The Tebex Bug Bounty Programme is currently closed for new submissions.
Existing submissions will be processed as soon as possible (within 10 working days).
Thank you for your interest, and we hope to re-open the bounty programme soon.