Bounty Program

Written by Yulya Sha

Last published at: May 19th, 2026

At Aghanim, we take the security of our products and users seriously. We welcome responsible disclosure of vulnerabilities and appreciate the efforts of security researchers who help us improve.

 

Eligibility

To participate in this program and be eligible for rewards, you must:

  • Be at least 18 years old, or the age of majority in your jurisdiction (whichever is higher)
  • Comply with all applicable laws in your jurisdiction
  • Provide accurate identity and tax information (e.g. W-9 for US residents, W-8BEN for non-US individuals) before any payout is issued

Aghanim may decline to issue a reward to anyone whose participation is prohibited by law.

 

Scope

Hosts:

  • aghanim.com
  • api.aghanim.com
  • dashboard.aghanim.com
  • dashboard-api.aghanim.com
  • events.aghanim.com
  • events-web.aghanim.com
  • hub-api.aghanim.com
  • hub-api-global.aghanim.com
  • my.aghanim.com
  • my-api.aghanim.com
  • pay.aghanim.com
  • pay-api.aghanim.com
  • s2s-api.aghanim.com
  • sdk-api.aghanim.com
  • upload.aghanim.com
  • *.aghanim.app

SDKs:

  • Aghanim Android SDK
  • Aghanim Unity SDK

 

Out of Scope

Attack types we do not accept:

  • Denial of Service (DoS/DDoS), traffic floods, resource exhaustion
  • Social engineering of Aghanim staff, customers, or partners (e.g. phishing, impersonation, vishing)
  • Physical attacks against offices, data centers, or hardware
  • Brute-force or credential-stuffing attacks against authentication endpoints
  • Email or SMS flooding, including abuse of password-reset or verification flows
  • Aggressive automated scanning that degrades service performance


Findings we do not consider security issues on their own:

  • Missing security headers (CSP, HSTS, X-Frame-Options, etc.) without a demonstrated exploit
  • Missing rate limits on non-authentication endpoints without demonstrated harm
  • DNS records (SPF, DKIM, DMARC) or SSL/TLS configuration issues without material impact
  • Disclosure of public information, software versions, banners, or stack traces without leveraged impact
  • Disclosure of public, publishable, or client-side keys for third-party providers (e.g. payment processors, analytics SDKs) that are designed to be safe to embed in untrusted clients
  • Clickjacking on pages without sensitive state-changing actions
  • CSRF on logout, login, or other non-sensitive actions
  • Self-XSS (requires victim to paste payload into their own browser)
  • Open redirects on non-sensitive paths
  • Account or email enumeration without further material impact
  • Tabnabbing on pages without authenticated state
  • Reports based solely on automated-scanner output, without a working proof of concept
  • Reports presenting purely theoretical impact without a realistic exploitation scenario (e.g. speculative race conditions, hypothetical exploit chains, or reports lacking a reproducible proof of concept)

Out-of-scope assets and environments:

  • Third-party services, libraries, or integrations not owned by Aghanim (e.g. payment providers, analytics SDKs, OAuth providers)
  • Vulnerabilities that depend on outdated browsers, operating systems, or end-user malware
  • Vulnerabilities that require a rooted, jailbroken, or otherwise compromised device, unless the issue results in compromise of other users, backend systems, or sensitive platform data
  • Vulnerabilities in a game integrator's own backend, code, infrastructure, or implementation, unless they compromise Aghanim's platform security boundaries

Business-logic exclusions:

  • Bypassing plan tiers, feature gates, or trial limits without compromising another customer's data or funds
  • Test-mode payment behavior that does not affect live mode
  • Issues that require a malicious game integrator acting against their own players (this is a trust boundary handled in the integration contract, not a security vulnerability)
  • Abuse scenarios that rely solely on self-funded transactions, self-referrals, or manipulation of the attacker's own account or in-game economy, unless they demonstrably affect other players, other games, or Aghanim's financial integrity
  • Fraud scenarios that require stolen payment methods, compromised third-party accounts, or social engineering of other users — these describe abuse of stolen inputs, not vulnerabilities in Aghanim
  • Reports characterizing Aghanim's documented authentication and authorization methods as vulnerabilities (e.g. login by Player ID, composite authorization). These are intentional integration patterns — the game integrator chooses which player identifier to use and how strongly to protect it

 

Examples of in-scope vulnerabilities

The categories below illustrate the kinds of issues we are most interested in. The list is not exhaustive — anything with material security impact on Aghanim or its users is welcome.

Account and authentication:

  • Account takeover of Aghanim Dashboard, player accounts, or Game Hub users
  • Authentication bypass on S2S, dashboard, or hub APIs
  • OAuth and social-login flow vulnerabilities (Apple, Discord, Facebook, Google, Telegram, OIDC)
  • JWT or session-token forgery, replay, or insufficient revocation
  • Cross-tenant access: one game reading or modifying another game's data

Payment and order integrity:

  • Tampering with SKU, price, currency, or item quantity during checkout
  • Bypassing payment to receive paid items, subscriptions, or entitlements
  • Webhook replay leading to duplicate item grants (idempotency bypass)
  • Refund or dispute manipulation affecting other games or players
  • Subscription state manipulation (extending, reactivating, or transferring without payment)
  • Unauthorized creation, duplication, or transfer of virtual currency, inventory, or entitlements

Platform and data integrity:

  • Remote code execution or command injection on any in-scope host
  • SQL injection, SSRF, or insecure deserialization
  • Stored or reflected XSS in the Dashboard, Game Hub, or checkout flows
  • CSRF on sensitive state-changing actions (payment, account changes, dashboard settings)
  • Exposure of PII, payment metadata, API keys, or internal credentials

 

Rules of engagement

When testing our systems, you agree to:

  • Act in good faith and avoid privacy violations
  • Only access data that belongs to you or test accounts
  • Not modify, destroy, or exfiltrate user data
  • Avoid disrupting our services or degrading performance
  • Immediately stop testing and report if sensitive data is exposed
  • Not access additional systems, accounts, or data beyond what is minimally necessary to demonstrate the vulnerability
  • Cooperate in good faith with Aghanim during triage and remediation, including responding to reasonable requests for additional reproduction details or PoC artifacts

 

Testing guidelines

These operational guidelines help you stay within the rules of engagement and make your reports easier to triage.

  • Use test accounts. Create your own accounts for testing. Do not interact with accounts, games, or data that belong to other users.
  • Identify your traffic. Where technically feasible (browser, CORS, and mobile-SDK constraints permitting), include the header X-Bug-Bounty: <your-email> in requests so we can distinguish research from real attacks during incident review.
  • Throttle automated tools. Avoid high-volume automated scanning or fuzzing that may impact service availability or performance. Stop immediately if you observe instability or degradation. Aggressive automation against production is treated as out of scope.
  • Limit proof of concept. Demonstrate the vulnerability with the minimum necessary impact. Do not pivot, escalate, persist, or move laterally beyond what is required to prove the issue.
  • Handle sensitive data carefully. If you encounter another user's data, credentials, or payment information, stop immediately, do not download or retain it, and report what you found. Redact sensitive values in your report.
  • Avoid production side effects. Do not perform actions that create real charges, send real notifications to other users, or alter shared data.

 

Reporting a vulnerability

Please report vulnerabilities via the form below or bugbounty@aghanim.com.

Include:

  • Clear description of the issue
  • Step-by-step reproduction instructions
  • Proof of concept (PoC)
  • Potential impact
  • Suggested fix (optional)

We aim to acknowledge receipt within 3 business days and provide an initial triage assessment within 10 business days. We will keep you informed throughout the process.


Safe Harbor

If you make a good faith effort to comply with this policy, we consider your research to be authorized. In addition:

  • We will not pursue legal action against you
  • We will not report your activity to law enforcement

This applies only if:

  • You stay within the defined scope
  • You follow the rules of engagement
  • You do not cause harm to users or systems


Rewards

Rewards are determined by Aghanim based on the severity of the vulnerability and its impact on Aghanim's platform and users.

Severity   Example                                   Reward
Critical   Remote code execution, account takeover   $1250
High       Authentication bypass, data exposure      $550
Medium     XSS, privilege escalation                 $250
Low        Information disclosure                    $50

Aghanim uses CVSS v4.0 as a starting point but reserves the right to make an individual assessment — particularly for business-logic vulnerabilities in payments, entitlements, and game/player trust boundaries, which often don't fit CVSS cleanly.

Rewards are discretionary and based on:

  • Severity and impact
  • Quality of the report
  • Reproducibility
  • Novelty of the finding

 

Duplicate Reports

Only the first valid, reproducible report of a given root cause is eligible for a reward. Subsequent reports of the same root cause are marked as duplicates and receive either no reward or, at Aghanim's discretion, partial credit. Distinct root causes are treated as separate findings, even if they affect the same feature or endpoint.

 

Payouts

Rewards are denominated and paid in USD via PayPal or bank transfer. Payouts are issued after the vulnerability is confirmed fixed and the reward decision is finalized by Aghanim.

 

Disclosure Policy

Please do not publicly disclose vulnerabilities until:

  • The issue has been resolved, and
  • You have received permission from Aghanim

We are open to coordinated disclosure after remediation.

 

Contact us

For any security-related inquiries, email bugbounty@aghanim.com.

 
