mcuserna.me Bug Bounty Program

We at mcuserna.me understand that every website has its flaws, and we are following in the footsteps of other security-conscious websites and services and offering a bug bounty program to protect users of our website.

As our website has not grown (yet) to the point where we can offer cash rewards for bugs, we will be offering website emojis tied to the reporter's Minecraft user instead. The 🐛 (or any other bug) emoji will be rewarded along with the reason for the gift being a small summary of your most recent report accepted for rewards.

Legal

mcuserna.me (hereby referred to as MCUN) reserves the right to modify the terms and conditions (hereby referred to as the Terms) of this bug bounty program at any point in time, and your participation in this program constitutes acceptance of the Terms. Please visit this page on a regular basis to check if we have updated the Terms recently. We reserve the right to cancel this bug bounty program at any time.

Eligibility

In order to be eligible for this program and for a reward:

• You must agree to the Terms of this program and the program rules.
• You must be the first user to submit a properly reproducible bug report for your bug in order for it to be considered.
• You must be able and available to supply additional information regarding the bug if our staff need more information to reproduce and triage the bug being reported.
• Reports out of the program scope or considered a known "Nonissue" by this document may be considered a form of vulnerability disclosure but may or may not be eligible for rewards. This depends on a case-by-case basis.

Reports that are not security issues but cannot be fixed clientside may be eligible for rewards depending on impact. Please report these bugs anyways!

Rules

DO:

• Read and follow the Terms.
• Perform testing on the website using only accounts that belong to you.
• Exercise extreme caution when testing to avoid negative impact to our users and our services.
• Stop testing if you believe you have caused or may cause damage to the website, infrastructure, or any part of the service. Report your initial findings and request the team's authorization to continue testing the service.

DO NOT:

• Do not bruteforce credentials or guess credentials in order to gain access to systems used by the service.
• Do not participate in denial of service or distributed denial of service attacks against our service or any services that we depend on.
• Do not upload shells or create backdoors of any kind.
• Do not engage in any form of social engineering involving mcuserna.me staff, nor the employees of any service we depend on.
• Do not engage or target any mcuserna.me staff member during testing.
• Do not attempt to extract, download, or otherwise exfiltrate data which you believe may contain any type of information, PII or not, other than your own. Please report initial findings and request the team's authorization to continue here.
• Do not publicly disclose any vulnerabilities that are not resolved and approved by disclosure by our team.
• Do not submit reports here as a means to engage us to purchase a product or service from you.

Report Submissions

1. Required Information
   1. Title - small summary of the issue
   2. Asset - affected domain
   3. Severity - CVSS score of the vulnerability (if this is not a security bug please write "Not a security issue")
   4. Weakness - select the most appropriate vulnerability type using the OWASP website (if this is not a security bug please write "Not a security issue")
   5. Description - explain the vulnerability/bug in more detail and add information about how to reproduce
   6. Minecraft UUID - we will need this to assign a reward to your profile if your report is eligible for one
2. Validation
   1. We will validate your report and ask for additional information if needed. We may close the report if it is a duplicate, a known nonissue, or spam.
   2. If we confirm that the vulnerability exists we will update you and work on a fix internally. When the fix is rolled out, we will alert you to make sure that the vulnerability does not exist in any form anymore.
3. Rewards
   1. The most common reward is the 🐛 emoji tied to your Minecraft UUID. We can optionally grant you a different bug emoji if you ask. However, no other emojis will be granted. Usually the reason given is regarding your most recently reported vulnerability that was eligible for a reward, however if the bug is not disclosed yet we will use the generic "for finding and responsibly disclosing a bug on [asset]."
   2. If a vulnerability passes a certain threshold (usually over 8) on the CVSS score or has an extremely high impact (decided on a case-by-case basis), we will offer you the option to choose your own emoji and own reason provided the reason and emoji are not NSFW/18+ (i.e. no middle finger emoji and the reason must not contain any inappropriate language).
4. Disclosure
   1. After the bug has been fixed and both parties confirm there is no trace of the bug left, you are able to request disclosure for the bug which will update your emoji reason to a small description of what bug you reported (i.e. "for finding and responsibly disclosing an XSS bug on [asset].")
   2. We may redact sensitive information, include a summary written by the development team, or make adjustments to information about the report to ensure its clarity and accuracy if needed.

The more detailed the report, the faster the issue can be solved and the faster you get your reward!

Detailed reports should:

• clearly describe the impact of the bug on MCUN and its users and how it could be exploited
• use the CVSS v3 calculator to score the report
• include a proof of concept in the form of a screenshot or video (video hosted on Streamable.com preferred)
• include the environment in which you found this bug (browsers, app version devices, tools, configuration, any accounts used during testing)
• include detailed and easy to follow reproduction steps
• include recommendations to solve the issue

As part of a report, you should:

• be responsive to requests for additional information
• participate in validation and testing efforts once the MCUN team has advised that the issue has been resolved
• always be polite and respectful to MCUN team members.

Reports can be closed for spam if they are incomprehensible, not written in English, contain abusive behavior or harassment, or have no effort to identify a security vulnerability.

Reports can be closed for other reasons if they:

• violate program rules
• are submitted for assets that do not belong to MCUN
• identify known nonissues
• describe issues that are not exploitable (this depends on a case by case basis)
• require social engineering or depend on other unlikely interactions

Scope

In Scope:

• mcuserna.me
• api.gapple.pw
• api.mcuserna.me

Out of Scope:

• api.ashcon.app
• crafatar.com
• crafthead.net
• Any other domain that mcuserna.me connects to when looking up a user profile

Please note that while issues with these domains are out of scope, here is a list of contact methods for the top 3 out of scope domains:

• api.ashcon.app - ashcon @ partovi.net
• crafatar.com - https://github.com/crafatar/crafatar/issues
• crafthead.net - andrew @ steinborn.me

If you must report an issue regarding the Mojang API itself, please report the issue by creating a private JIRA ticket in the WEB project.

Known Nonissues

• Reports regarding insecure SSL/TLS configuration
• OPTIONS/TRACE HTTP method enabled
• Disclosure of known public files and/or directories
• Presence of autocomplete functionality in form fields
• Cookies that lack HTTP Only or Secure settings
• Clickjacking and issues only exploitable through clickjacking
• Attacks requiring physical access to a user's device or MITM attacks
• Attacks dependent on social engineering a user or MCUN staff member
• Lack of policy files (i.e. robots.txt) or misconfiguration in a policy file
• Configuration of/missing security headers
• Mixed content issues
• Self-XSS and issues that are only exploitable through Self-XSS

Appropriate Proof of Concepts

• SQLi - The sleep command is enough unless our team asks for another command to be ran. Do not attempt to read, modify, or alter data that does not belong to you. Do not perform ANY additional actions.
• RCE - The whoami command is enough unless our team asks for another command to be ran. Do not attempt to read, modify, or alter data that does not belong to you. Do not perform ANY additional actions.
• Subdomain Takeover - A sample HTML page with your Minecraft UUID in a <h1> tag is enough. We would appreciate if you placed the HTML page inside of a random subdirectory (ideally name generated through a random UUIDv4 generator). Ensure to include this URL inside of your report. Reports for this vulnerability where you cannot demonstrate to us your ownership of the domain are not eligible for rewards.
• XSS - A simple alert(document.cookie) should be evaluated. If document.cookie is blank, document.domain should be evaluated instead.

How to Report

Please submit all reports to security @ mcuserna.me with the subject "Security Report: [Report Title Here]".

If you have any questions about this program, its rules, or need clarification on anything listed in this document, please do not hesitate to contact me at lucky @ mcuserna.me. Thank you, and stay safe,

The mcuserna.me Development Team

Hall of Fame

This Hall of Fame only lists users who have reported security issues with the website. A big thanks to all users listed here for helping keep the website and its users safe.

• 53c5908bdb86493d96511abf941d7a17 - found and responsibly disclosed a Reflected XSS bug on 7th September 2021.
• 02e1d6772d0f4121b01533c3e143686f - found and responsibly disclosed a Stored XSS bug on 14th September 2022.
• 02e1d6772d0f4121b01533c3e143686f - found and responsibly disclosed a critical Stored HTML attribute injection bug on 23rd September 2022.