Security & Bug Bounty

How to report vulnerabilities in Searassic services in a safe, respectful and responsible way.

We care about the security and stability of Searassic – both for the project itself and for the players who will eventually join the world. If you have found a vulnerability in any of our services, we appreciate responsible disclosure and want to make it as easy as possible to report it.

This page describes our security reporting guidelines and our informal bug bounty program. Even though we are still in active development, we treat security reports seriously and aim to respond in a timely and respectful way.

Scope

In scope are vulnerabilities that impact the integrity, confidentiality or availability of Searassic-related services, for example:

  • our public websites and web applications (searassic.net and subdomains),
  • our backend APIs and services connected to the Minecraft infrastructure,
  • authentication, session management and account-related logic,
  • data handling and storage for player- or staff-related information.

Out of scope

The following are considered out of scope for our bug bounty program and should not be tested:

  • Denial-of-service attacks (DoS, DDoS) or stress testing of infrastructure,
  • social engineering against team members or partners,
  • physical security attacks,
  • spam, phishing or abuse of third-party platforms (Discord, etc.),
  • use of leaked or reused credentials from external breaches,
  • purely theoretical issues without realistic impact,
  • testing that causes data loss or impacts other users in a harmful way.

Responsible testing guidelines

If you test our systems, we kindly ask you to:

  • only test against services you are authorized to access,
  • avoid accessing, modifying or deleting data that does not belong to you,
  • avoid any action that could degrade the service for other users,
  • use test accounts whenever possible, instead of real player accounts,
  • keep details of the vulnerability private until it has been addressed.

As long as you act in good faith, stay within these boundaries and do not abuse or publicly exploit vulnerabilities, we will treat your report as a responsible disclosure.

How to report a vulnerability

To report a potential vulnerability, please send us an email with as much detail as you can reasonably provide:

  • a short summary of the issue and potential impact,
  • where you found it (URL, endpoint, component, environment),
  • clear steps to reproduce the vulnerability,
  • any proof-of-concept or screenshots that help us understand the issue,
  • your contact information so we can get back to you.

Please send your report to:
security@searassic.net

What you can expect from us

When you submit a security report, we aim to:

  • acknowledge your report within a reasonable timeframe,
  • review and verify the issue,
  • prioritize a fix based on severity and impact,
  • keep you updated on the general status (received, confirmed, fixed).

At this stage of the project, we cannot guarantee monetary rewards. However, we value serious research and may offer recognition such as:

  • thank-you credits on a future security acknowledgements page,
  • optional early access consideration where appropriate,
  • direct communication about fixes and related improvements.

Safe harbor

As long as you follow these guidelines, avoid exploiting issues beyond what is necessary to prove impact, and report vulnerabilities directly to us, we will treat your actions as good-faith security research.

We do not consider good-faith research that follows these rules to be an attack on our services. If you are unsure whether something is allowed, you can always ask us before you continue testing.