Responsible Disclosure Policy for

We take the security of our systems seriously, and we value the security community. The responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our users.


We require that all researchers: If you follow these guidelines when reporting an issue to us, we commit to:


Materials hosted on these servers:

Out of scope

Any services hosted by 3rd party providers and services are excluded from scope. These services include, but are not limited to: In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from scope:

Intentional Vulnerabilities

The attack server contains several hacking games, which intentionally have vulnerabilities such as SQLi and XSS. The only vulnerabilities worth reporting on them would be a way to break or cheat on the games.

Things we do not want to receive

Personally identifiable information (PII)

How to report a security vulnerability?

If you believe you've found a security vulnerability please send it to us by emailing Please include the following details with your report: If you'd like to encrypt the information, please email to get a GPG key.


Based on this document:

Responsible Disclosure Policy (Example)

Posted 11-3-14 2:14 PM by Sam Bowne
Link to Hall of Fame added 1-17-15