mcuserna.me Bug Bounty Program

We at mcuserna.me understand that every website has its flaws, and, following in the footsteps of other security-conscious websites and services, we offer a bug bounty program to protect the users of our website.

As our website has not (yet) grown to the point where we can offer cash rewards for bugs, we instead offer website emojis tied to the reporter's Minecraft account. The reward is the 🐛 emoji (or another bug emoji), and the gift reason shown with it is a short summary of your most recent report that was accepted for a reward.

mcuserna.me (hereafter referred to as MCUN) reserves the right to modify the terms and conditions (hereafter referred to as the Terms) of this bug bounty program at any time, and your participation in this program constitutes acceptance of the Terms. Please check this page regularly to see whether the Terms have been updated. We reserve the right to cancel this bug bounty program at any time.

Eligibility

In order to be eligible for this program and for a reward:

Bugs that are not security issues but cannot be worked around client-side may still be eligible for a reward depending on their impact. Please report these bugs anyway!

Rules

DO:

DO NOT:

Report Submissions

  1. Required Information
    1. Title - small summary of the issue
    2. Asset - affected domain
    3. Severity - CVSS score of the vulnerability (if this is not a security bug, write "Not a security issue")
    4. Weakness - the most appropriate vulnerability type as classified on the OWASP website (if this is not a security bug, write "Not a security issue")
    5. Description - explain the vulnerability/bug in more detail and include the steps needed to reproduce it
    6. Minecraft UUID - we will need this to assign a reward to your profile if your report is eligible for one
  2. Validation
    1. We will validate your report and ask for additional information if needed. We may close the report if it is a duplicate, a known non-issue, or spam.
    2. If we confirm that the vulnerability exists, we will update you and work on a fix internally. When the fix is rolled out, we will notify you so that you can verify the vulnerability no longer exists in any form.
  3. Rewards
    1. The most common reward is the 🐛 emoji tied to your Minecraft UUID. We can grant you a different bug emoji on request, but no other emojis will be granted. The reason shown is usually about your most recently reported vulnerability that was eligible for a reward; if that bug has not been disclosed yet, we use the generic "for finding and responsibly disclosing a bug on [asset]."
    2. If a vulnerability passes a certain CVSS score threshold (usually over 8) or has an extremely high impact (decided case by case), we will offer you the option to choose your own emoji and your own reason, provided neither is NSFW/18+ (e.g. no middle finger emoji, and the reason must not contain inappropriate language).
  4. Disclosure
    1. After the bug has been fixed and both parties confirm that no trace of it remains, you may request disclosure of the bug. This updates your emoji reason to a short description of what you reported (e.g. "for finding and responsibly disclosing an XSS bug on [asset].")
    2. We may redact sensitive information, include a summary written by the development team, or make adjustments to information about the report to ensure its clarity and accuracy if needed.

The more detailed the report, the faster the issue can be solved and the faster you get your reward!

Detailed reports should:

As part of a report, you should:

Reports can be closed as spam if they are incomprehensible, not written in English, contain abusive behavior or harassment, or show no effort to identify a security vulnerability.

Reports can be closed for other reasons if they:

Scope

In Scope:

Out of Scope:

Please note that while issues with these domains are out of scope, here are the contact methods for the top 3 out-of-scope domains:

If you must report an issue regarding the Mojang API itself, please report the issue by creating a private JIRA ticket in the WEB project.

Known Non-issues

Appropriate Proofs of Concept

How to Report

Please submit all reports to security @ mcuserna.me with the subject "Security Report: [Report Title Here]".

If you have any questions about this program or its rules, or need clarification on anything in this document, please do not hesitate to contact me at lucky @ mcuserna.me. Thank you, and stay safe,

The mcuserna.me Development Team

Hall of Fame

This Hall of Fame only lists users who have reported security issues with the website. A big thanks to all users listed here for helping keep the website and its users safe.