# Security & Responsible Disclosure

Last updated: 2026-06-26  ·  Contact: [email protected]  ·  Test target: demo.comps.gg


Report something real and in scope and we'll fix it fast, credit you, and pay cash for the serious stuff. No legal games — see Safe harbour.

## What's actually worth your time

These are the crown jewels. A working PoC against any of them is high severity and paid as such. Aim here, not at missing headers.

## Rewards

Fixed bands, paid in cash. First valid report on an issue wins; dupes and known issues pay nothing. Final severity is ours to call, and we'll show our working.

| Severity | Looks like | Reward |
|---|---|---|
| P1 · critical | cash extraction, auth bypass, pre-pay outcome peeking, full account takeover | £500–£1,000 cash |
| P2 · high | underpaying at checkout, reading another user's private data, stored XSS in an authed area | £150–£300 cash |
| P3 · medium | lower-impact logic flaws, limited info disclosure, CSRF on a meaningful action | £50–£100 cash + credit on the wall |
| P4 · low/info | best-practice findings with no demonstrated impact | hall of fame |

## Scope
### In scope — test here
### Out of scope — don't

**Go easy on the demo**

The demo is a small, shared environment. Please don't brute-force, fuzz at volume, or run high-rate automated scans against it — you'll knock it over for everyone and trip its abuse protection, which just gets you blocked. Manual, targeted testing finds the good bugs anyway.

**White-label note**

Many sites run our software for different operators. Test only against demo.comps.gg. If you think a bug hits a live operator, report it — don't reproduce it against real competitions or real customers. Those sites aren't ours to authorise you against.

## How to report
  1. Email [email protected] with the subject "Security Disclosure" — one issue per report. URL/endpoint, repro steps, and what an attacker gains. A short screen recording or curl sequence beats prose.
  2. We acknowledge your report and give you a tracking reference. We aim to get back to you within a few business days.
  3. We triage and rate it as soon as we reasonably can.
  4. We fix, then pay the agreed reward and (with your OK) add you to the wall. Please hold disclosure until the fix ships.
## Safe harbour

Research in good faith and we've got your back.

If you make a sincere effort to follow this policy — in-scope targets only, don't pull more data than needed to prove the bug, don't degrade the service, don't disclose before we've fixed it — we will not pursue or support legal action against you, and we'll treat your work as authorised. If a third party comes after you over in-scope activity, we'll state on record that you acted within this policy. Unsure if something's allowed? Ask first: [email protected].

## security.txt

Lives on every site we run, so this policy is discoverable without sitting in anyone's nav. The file follows RFC 9116.

```
# https://comps.gg/.well-known/security.txt
Contact: mailto:[email protected]?subject=Security%20Disclosure:
Policy: https://comps.gg/security/
Acknowledgments: https://comps.gg/security/#hall-of-fame
Preferred-Languages: en
Canonical: https://comps.gg/.well-known/security.txt
```

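
As an added example (not comps.gg's own code), a small Python validator for a security.txt like the one above. It checks the RFC 9116 requirements publishers most often miss: Contact and Expires are both mandatory, Expires must be an RFC 3339 timestamp that has not passed, and web URIs in fields such as Policy, Canonical and Acknowledgments must use https. The constructed input is the file as shown above, which has no Expires line and is flagged for it; the WITH_EXPIRES variant appends a made-up date so the expiry check can be exercised.

```python
from datetime import datetime, timezone
# Constructed input: the comps.gg security.txt exactly as shown above.
AS_SHOWN = """# https://comps.gg/.well-known/security.txt
Contact: mailto:[email protected]?subject=Security%20Disclosure:
Policy: https://comps.gg/security/
Acknowledgments: https://comps.gg/security/#hall-of-fame
Preferred-Languages: en
Canonical: https://comps.gg/.well-known/security.txt
"""
# The same file with an assumed Expires line appended (the date is made up).
WITH_EXPIRES = AS_SHOWN + "Expires: 2027-01-01T00:00:00.000Z\n"
HTTPS_ONLY = {"policy", "canonical", "acknowledgments", "encryption", "hiring"}  # https-only per RFC 9116

def parse_rfc3339(value):
    # datetime.fromisoformat only accepts the "Z" suffix from Python 3.11 on
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse_security_txt(text):
    fields = []  # (name, value) pairs in file order; names are case-insensitive
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blank lines and comments
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not a 'Field: value' line: {raw!r}")
        fields.append((name.strip().lower(), value.strip()))
    return fields

def validate_security_txt(text, now=None):
    # Returns the RFC 9116 MUST-level problems found; [] means the file passes
    now = now or datetime.now(timezone.utc)  # pass an aware datetime to pin the check
    fields = parse_security_txt(text)
    names = [name for name, _ in fields]
    problems = []
    for required in ("contact", "expires"):
        if required not in names:
            problems.append(f"missing required field: {required.title()}")
    for name, value in fields:
        if name == "contact" and not value.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"Contact must be a mailto:, tel: or https: URI: {value}")
        elif name in HTTPS_ONLY and not value.startswith("https://"):
            problems.append(f"{name.title()} must use an https URI: {value}")
        elif name == "expires":
            try:
                if parse_rfc3339(value) <= now:
                    problems.append(f"file expired on {value}")
            except (ValueError, TypeError):  # unparseable, or no timezone offset
                problems.append(f"Expires is not an RFC 3339 timestamp: {value}")
    return problems
```

Run it against the copy served from /.well-known/security.txt on each operator site rather than the source template, since a stale or missing Expires on one host is the usual way a white-label deployment drifts.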
## Hall of fame

Researchers who've helped keep comps.gg safe.


Offered at our discretion. Rewards, scope and terms may change; this page governs.  ·  [email protected]