Security Vulnerability Disclosure

Responsible Security Research Program

PLLAY is committed to maintaining the security of our platform. We welcome responsible security research and provide a clear framework for reporting vulnerabilities.

Scope

Covered Systems

  • All PLLAY APIs and endpoints
  • Gaming platforms: BeatMatch, IQ, FameX
  • Developer tools and SDKs
  • Enterprise services and infrastructure
  • Payment processing systems
  • Corporate websites and domains

Out of Scope

  • Third-party integrations and services
  • Client-side implementations by partners
  • Social engineering attacks
  • Physical security testing
  • Denial of service attacks

Safe Harbor Provisions

Legal Protection Guarantee

PLLAY provides comprehensive legal protection for security researchers conducting good-faith testing within our defined parameters.

Protected Activities

  • Vulnerability research and testing
  • Proof-of-concept development
  • Responsible disclosure reporting
  • Security tool usage for testing

Legal Protections

  • Immunity from DMCA claims
  • Computer Fraud and Abuse Act protection
  • No legal action for good-faith research
  • Coordinated disclosure support

How to Report Vulnerabilities

Primary Contact

Send detailed vulnerability reports directly to our security team:

security@pllay.io

Required Information

Vulnerability Details

  • Vulnerability classification (OWASP Top 10, CWE)
  • Affected systems and components
  • Step-by-step reproduction instructions
  • Proof-of-concept or evidence
  • Potential impact assessment

Researcher Information

  • Full name and contact information
  • Security research credentials
  • Preferred method of communication
  • Recognition preferences
  • Disclosure timeline preferences

Encryption Support

For sensitive vulnerability reports, we support encrypted communications:

PGP Key ID: 4096R/ABCD1234

Response Timeline

1. Initial Acknowledgment

Within 48 hours: Confirmation of report receipt and initial triage

✓ Automated confirmation sent

2. Initial Assessment

Within 5 business days: Preliminary severity assessment and validation

⚡ Priority review for critical issues

3. Regular Updates

Every 7 days: Status updates throughout investigation and remediation

📊 Progress tracking dashboard access

4. Resolution & Recognition

Upon resolution: Final report, fix confirmation, and researcher recognition

🏆 Hall of Fame entry for verified discoveries

Recognition Program

No Monetary Bounty Program

PLLAY currently does not offer monetary rewards for vulnerability disclosures. We focus on public recognition and professional acknowledgment for security researchers.

Recognition Options

  • Security Researcher Hall of Fame
  • Public acknowledgment in security advisories
  • Professional references and recommendations
  • Invitation to security conferences and events

Hall of Fame Criteria

  • Verified security vulnerability
  • Responsible disclosure followed
  • Clear proof-of-concept provided
  • Researcher consent for recognition

Technical Guidelines

Preferred Report Formats

  • CVSS v3.1: Severity scoring preferred
  • OWASP Classification: Map to OWASP Top 10
  • CWE References: Include relevant CWE numbers
  • Step-by-Step PoC: Reproducible instructions
  • Impact Assessment: Business risk analysis

Communication Protocols

  • Primary: Email to security@pllay.io
  • Encryption: PGP supported for sensitive data
  • Language: English preferred, translations available
  • Updates: Weekly status reports provided
  • Coordination: Disclosure timeline negotiable

Public Disclosure Coordination

PLLAY is committed to coordinated disclosure. We work with researchers to establish mutually agreeable timelines for public disclosure, typically:

  • 90 days: Standard disclosure window
  • 30 days: Critical vulnerabilities
  • Custom: Negotiable timeline