Sencorp Games
Security Policy

Security & Responsible Disclosure

We value security researchers who help keep our games and services safe. Report vulnerabilities responsibly and we'll work with you to address them.

Last updated: Security Contact

Overview

How to Report

  • Email details & proof-of-concept
  • Include impact & reproduction steps
  • Share scope (site, app, version)

Safe Harbor

  • Act in good faith & respect privacy
  • No data exfiltration or service harm
  • We won't pursue legal action for compliant reports

Out of Scope

  • DoS/volumetric attacks
  • Social engineering
  • Third-party platforms beyond our control

1. Our Commitment

We care deeply about the security of our players and partners. If you discover a vulnerability in our websites, games, or infrastructure, please let us know so we can fix it quickly and protect our community.

2. Scope

This policy covers:

  • Official domains and subdomains owned by Sencorp Games
  • Published game clients and backend services we operate
  • Beta/staging environments explicitly provided by us for testing
  • Mobile applications distributed through official app stores

3. Out of Scope

The following are explicitly excluded from this policy:

  • Denial of Service (DoS), Distributed Denial of Service (DDoS), or volumetric attacks
  • Brute force, credential stuffing, or spam campaigns
  • Social engineering attacks against employees, contractors, or players
  • Physical attacks against Sencorp Games facilities or property
  • Vulnerabilities in third-party services, platforms, or infrastructure outside our direct control
  • Low-risk issues such as missing security headers without demonstrable security impact
  • Issues that require highly unlikely user interaction or physical access

4. How to Report

Send an email to sencorpgames@gmail.com with the following information:

  • Clear description of the vulnerability and its potential security impact
  • Steps to reproduce the issue, including proof-of-concept code, screenshots, or a short video
  • Affected asset (specific URL, app name, version number, and platform)
  • Your contact details for follow-up questions and acknowledgment
  • Any tools or techniques used in your research (optional but helpful)

Please use the subject line "Security Report" to ensure prompt review.

5. Responsible Disclosure Guidelines

Do:

  • Act in good faith and make every effort to avoid privacy violations, data destruction, or service disruption
  • Minimize impact during your research — use test accounts when possible
  • Keep all discovered vulnerabilities confidential until they are resolved
  • Stop testing immediately if you accidentally access personal, financial, or sensitive data
  • Provide reasonable time for us to remediate before any public disclosure
  • Contact us again if you don't receive acknowledgment within 72 hours

Don't:

  • Exfiltrate, alter, delete, or destroy any data you shouldn't have access to
  • Maintain persistent access to systems (e.g., backdoors, shells)
  • Exploit vulnerabilities beyond what is necessary to demonstrate the issue
  • Publicly disclose the vulnerability before we've had a chance to fix it
  • Demand payment, rewards, or bounties (unless we announce a separate bug bounty program)
  • Violate any applicable laws or regulations during your research

6. Safe Harbor

If you follow this policy and act in good faith, we will not initiate or support legal action against you for your security research. This safe harbor applies only to activities that:

  • Are conducted in accordance with this policy
  • Do not violate any applicable laws or regulations
  • Are motivated by a genuine desire to improve security

This safe harbor does not protect actions that are unlawful, malicious, or that go beyond the bounds of this policy.

7. Triage & Response Timelines

Once you submit a report, we aim to:

  • Acknowledge receipt within 72 hours (3 business days)
  • Provide initial triage and severity assessment within 5 business days
  • Keep you updated on progress at reasonable intervals
  • Prioritize remediation based on severity, exploitability, and potential impact

Critical vulnerabilities will be addressed as quickly as possible. Lower-severity issues may take longer to fix as we balance security with ongoing development priorities.

8. Credit & Acknowledgements

With your permission, we may publicly acknowledge your contribution after the vulnerability is fixed. This may include:

  • Listing your name or alias in our security acknowledgments
  • Mentioning your research in release notes (if appropriate)
  • Providing a reference for your professional portfolio (upon request)

Note: No monetary reward or bug bounty is guaranteed unless we explicitly announce a separate bug bounty program. Security acknowledgment is provided on a goodwill basis.

9. Coordinated Disclosure

We believe in coordinated vulnerability disclosure. We ask that you:

  • Give us a reasonable amount of time to fix the issue before any public disclosure
  • Work with us to determine an appropriate disclosure timeline
  • Avoid publishing exploit code or detailed technical writeups until after the fix is deployed

Typically, we aim to fix critical vulnerabilities within 30-90 days. We will communicate timelines and coordinate disclosure with you.

10. Changes to This Policy

We may update this policy as our products, infrastructure, and security practices evolve. The latest version will always be published on this page with an updated "Last updated" date.

11. Contact

For security reports and questions: sencorpgames@gmail.com

For general inquiries: Contact Page

Thank you to all security researchers who help keep Sencorp Games safe. Your contributions make our games better and our community more secure.