LoliLand

Bug Bounty Program

Why This Program Exists

Welcome to the LoliLand bug bounty program! The security and privacy of our users are extremely important to us. In addition to our internal teams working to keep your data and our services secure, this program allows players and security researchers to help us identify and fix security issues faster by reporting vulnerabilities.

The goal of this program is simple: to help us detect and resolve vulnerabilities before they can be abused to harm users or services.

How to Contact Us

Before submitting a report, please read this page in full. It will help you understand the scope of the program, reporting requirements, and cases that are not eligible for rewards.

Send reports and program-related questions to security@loliland.ru. If the issue is confirmed and meets our reward criteria, we will review it and keep you informed about the progress.

Participation Rules

Basic Rules

  • All program-related messages (reports, questions, clarifications) MUST be sent to security@loliland.ru.
  • Information about a vulnerability must be disclosed only to LoliLand Studios and must not be publicly shared until we have had a reasonable amount of time to fix it.
  • Rewards for discovered bugs and vulnerabilities are available only to individuals aged 18 or older.

Safe Testing Rules

  • Perform testing only through your own personal accounts.
  • Do not access or use other users' accounts without the explicit consent of the account owner.
  • Avoid any actions that may violate data privacy or lead to data modification or destruction.
  • Do not cause service outages, degradation, or other actions that affect the availability of our services (including denial of service).

Duplicate Reports and Priority

If the same vulnerability is reported by multiple researchers, we apply the following rules:

  • A reward may only be paid for the first valid report of a vulnerability.
  • If multiple reports are received at the same time, priority is determined by the earliest timestamp.
  • Duplicate reports are still reviewed, but they are not eligible for a reward.
  • Reports that add meaningful context or impact details to a known issue may be partially considered at our discretion.
  • If your report is a duplicate of a previously submitted report, we will let you know.

What to Include in a Report

The more complete and precise your report is, the faster we can verify it, reproduce it, and send it for remediation.

Context and Description

  • Contact information — your name, email address, and preferred contact method.
  • Vulnerability classification and affected component — specify the vulnerability type (for example, XSS, SQL injection, RCE, authentication bypass, etc.) and where it appears (see the "What Is In Scope" section).
  • Technical description — describe the vulnerability in detail and, if possible, its root cause. Our audience is technical, so precision matters.
  • Vulnerability location — specify where the issue exists: URL/endpoint, file path, line of code, open port, API route, etc.

Verification and Impact Assessment

  • Reproduction steps — clear, numbered steps. This is a critical part of verification and remediation.
  • Proof of concept (PoC) — screenshots, video, or code demonstrating the issue.
  • Testing limits — do not perform destructive actions or access data beyond what is necessary to confirm the vulnerability.
  • Impact assessment — describe what an attacker could achieve by exploiting the issue.
  • Suggested remediation (optional) — if you have recommendations for fixing the issue, we are happy to review them.

If You Encounter Player Data

IMPORTANT: If you accidentally discover player data, do not view, modify, save, store, share, or otherwise access it in any way. Immediately delete any local copies and report the incident in your submission.

What Is Not Eligible for a Reward

Below are cases that are outside the scope of the program or are not considered valid grounds for a payout.

Explicitly Prohibited or Irrelevant Activities

  • DoS/DDoS attacks
  • Password brute force and credential stuffing
  • Spam attacks or attacks using social engineering techniques

Reports Without Confirmed Security Impact

  • Reports that do not represent any security risk
  • Account or email enumeration
  • SPF, DKIM, or DMARC email configuration issues
  • Issues related to rate limiting or throttling
  • Missing security headers without demonstrated security impact
  • Clickjacking on pages that do not contain sensitive actions
  • CSRF affecting logout or operations that do not change state
  • Vulnerabilities in third-party dependencies without a working proof of concept

Cases Outside the Program Scope

  • Self-exploitation (issues that can only be exploited by the affected user)
  • Game exploits or cheats that do not affect server security
  • Gameplay balance issues
  • Errors in user-generated content or modifications
  • Vulnerabilities requiring physical access to a device

What Is In Scope

  • LoliLand Game Client: PC game client
  • LoliLand Game Server: PC game server
  • LoliLand Launcher: Application for launching/updating the game client
  • Web: loliland.ru (main website)
  • Public APIs: Authentication, authorization, accounts, game services, store API, balance top-ups, etc.
  • Third-Party Service Integrations: OAuth, social sign-in (LoliLand-side issues only)

Vulnerability Severity Levels

The higher the severity level, the larger the reward we may offer.

  • Critical: For example, remote code execution on our servers, large-scale data leakage
  • High: For example, authenticated RCE, XSS on authentication pages
  • Medium: For example, limited IDOR, CSRF on non-critical actions
  • Low: Anything that does not pose a serious threat, minor issues

Legal Terms and Researcher Protection

When Research Is Considered Permitted

We consider research to be permitted under this policy if it:

  • is conducted lawfully and in good faith;
  • is intended to improve security rather than cause harm;
  • is performed in compliance with this program's rules.

What This Means on Our Side

For such activity, we:

  • will not initiate or support legal action, including civil lawsuits, and will not file complaints with law enforcement, if in our sole discretion the activity is a good-faith attempt to comply with this policy;
  • will not bring claims for bypassing technology use controls if such actions are performed within the scope of permitted research;
  • will waive, to a limited extent, restrictions in our Terms of Service and Acceptable Use Policy if they interfere with research conducted in accordance with this policy;
  • consider activity conducted in accordance with this policy to be "authorized" under the Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA), and similar international laws.

Important Notes

  • You are still expected to comply with all applicable laws.
  • If you are unsure whether your research method complies with this policy, contact security@loliland.ru first.
  • LoliLand Studios reserves the final decision on whether submitted information complies with this policy and whether the reported vulnerability is credible.

Rewards and Restrictions

  • You are responsible for any taxes associated with rewards.
  • We may change the terms of this program or terminate it at any time, but changes will not be applied retroactively to reports already submitted.
  • Reports from persons whom we are legally prohibited from paying are not eligible for rewards.
  • Employees of LoliLand Studios and their family members are not eligible for rewards.
©2020-2026. LOLILAND STUDIOS. ALL RIGHTS RESERVED. All trademarks referenced herein are the properties of their respective owners.
