Security

Found a bug or vulnerability?

Disclosure

We'd be grateful if you disclose bugs you find to us in a coordinated manner at [email protected], and we encourage you to look for them. However, we do not have a paid bounty program running at the moment, so we cannot reward you for anything you find except with our eternal gratitude.

Hall of Fame

The Hall of Fame is where we acknowledge the researchers who've reached out and disclosed vulnerabilities on our site. If you want to see your name listed, reach out with any vulnerabilities you find, and we'll put your name up if it qualifies.

What does not qualify?

Note that not every missing security measure is a vulnerability. For example, static sites that don't set X-Frame-Options are probably not vulnerable to clickjacking, since there is no sensitive action that can be performed on the site. Please verify that your vulnerability actually enables an action an attacker shouldn't be able to perform, like making a data-modifying request on behalf of another user or gaining access to data they shouldn't have access to. Missing hardening measures that don't play a part in a larger vulnerability might get credited, but this depends on our evaluation of severity.

  • Reports that don't include steps to reproduce the bug, or only include the steps in video form.
  • Bugs that don't affect the latest version of modern browsers (Chrome, Firefox, Safari, Edge), or bugs related to browser extensions.
  • Bugs disclosing public or non-sensitive information on a user, like showing that an email is signed up or that an app uses our service.
  • Bugs that have already been reported by someone else, or that we are already aware of.
  • Bugs in services not hosted by us, unless caused by a misconfiguration on our side.
  • Behavior we've determined to be an acceptable risk, usually for improved usability.

While we encourage you to look for bugs, please adhere to the following rules to ensure the service experience is not disrupted for other users.

Rules

  • Do not attempt to gain access to someone else's account or data.
  • Do not perform attacks that might impact service availability, like DDoS or spam attacks.
  • Do not publicly disclose a bug before it has been fixed.
  • Don't use scanners or automated tools to find vulnerabilities. They're noisy and we'll probably ban your IP address.
  • Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
  • When in doubt, ask.

As long as you adhere to the rules, we promise a human will respond within 1-3 business days and keep you updated as we work to fix the bug you found. We will not take legal action against you as long as you play by the rules.

Scope

We appreciate reports on vulnerabilities in all services we host under *.megacool.co, mgcl.co, megacool.medal.tv or other domains, but the sites most likely to contain interesting bugs include:

  • dashboard.megacool.co: This is our main interface with our developers, with session management, input forms, etc.
  • mgcl.co: Our main link handling service. Links generated by our SDK mostly use this domain. There's no login here, but lots of ways to redirect users to apps or other websites.

The following domains are excluded:

  • status.megacool.co: Hosted by a third party, Uptimerobot. Reach out to them directly for any issues discovered.