Security Disclosure Policy
Coordinated-disclosure programme for security researchers. Scope, safe-harbour language, reporting channel, optional PGP, and recognition.
1. Summary
If you’ve found a security issue affecting our players, our funds, or our service, please tell us. This page is the formal commitment we make to good-faith researchers in return.
2. Scope
The following targets are in scope:
- theultimatepokergame.com and all subdomains, including the marketing site, the application (app.), and the API (api.).
- Mobile clients we publish under our own developer account.
- Public-facing portions of our infrastructure (mail server reputation, DNS configuration, TLS configuration).
The following are out of scope:
- Third-party services we use (Sumsub, NOWPayments, our email provider, our hosting provider). Report those to the vendor directly; we’ll happily forward.
- Findings derived from physical attacks, social engineering against our staff or our vendors’ staff, denial-of-service attacks, or volumetric / load testing.
- Self-XSS (where the only victim is the person triggering the payload).
- Missing security headers without a demonstrable impact path.
- Outdated software / library versions without a demonstrable vulnerability.
- Vulnerabilities in extensions you’ve installed in your own browser.
3. Safe harbour
We will not pursue civil or criminal action against a researcher who:
- Acts in good faith to identify or report a vulnerability.
- Does not access more data than necessary to demonstrate the issue.
- Does not modify or destroy data belonging to others, or downgrade availability for other players.
- Does not run automated scanners against our production environment without contacting us first.
- Reports the issue privately to the address below and gives us reasonable time to remediate before public disclosure.
- Does not test using a real player’s funds, accounts, or personally identifiable information other than their own.
- Complies with applicable law.
Where your testing inadvertently violates these conditions, contact us — we’d rather talk it through than escalate.
4. How to report
Email security-disclosure@theultimatepokergame.com with:
- A clear description of the issue.
- Steps to reproduce, including any payloads, URLs, and request/response examples.
- The impact in your own words: what could an attacker do?
- Any logs, screenshots, or video that help.
- A handle for credit, or “please do not credit me”.
A PGP key is available on request from the same address for sensitive reports.
5. What happens next
| Time | What we do |
|---|---|
| Within 2 business days | Acknowledge receipt. Triage opens. |
| Within 5 business days | Confirm severity, ask any clarifying questions. |
| Within 30 days | Remediation for high / critical issues. Plan and timeline for lower-severity issues. |
| Public disclosure | Coordinated with you. Default 90 days from acknowledgement, extendable by mutual agreement. |
6. Rewards
We do not currently run a paid bug-bounty programme. We offer:
- Public credit on this page (where you ask for it).
- A swag pack for noteworthy reports.
- Direct introductions to the engineering team for follow-up.
- Where a report has materially protected players from financial loss, a discretionary cash reward paid in USDT, USDC, or bank transfer.
This may change. We will not retroactively reduce a previously-agreed reward.
7. Hall of fame
Researchers who have helped harden the Service (with permission):
- No public reports yet. You could be the first.
8. Contact
security-disclosure@theultimatepokergame.com. For unrelated security questions about your own account, use support@theultimatepokergame.com instead.