We at CertGames take the security of our services and products very seriously. We appreciate the efforts of security researchers and the community in helping us maintain a secure environment for our users. We are committed to working with you to address and resolve any vulnerabilities responsibly and promptly.
If you believe you have found a security vulnerability in any of our projects or services, please report it to us as soon as possible.
Please DO NOT open a public GitHub issue. Publicly disclosing a vulnerability can put our users and systems at risk.
Please send a detailed report to our dedicated security email address:
To help us quickly understand, reproduce, and resolve the issue, please include as much detail as possible in your report:
- Vulnerability Description: A clear and concise description of the vulnerability.
- Steps to Reproduce: Detailed steps to reliably reproduce the vulnerability. This is crucial for us to confirm the issue.
- Affected Components: Specify which part of the system is affected (e.g., backend/api/, frontend/admin-app, specific endpoints, features).
- Impact: Describe the potential impact of the vulnerability (e.g., data breach, unauthorized access, service disruption).
- Proof of Concept (PoC): If possible, provide proof-of-concept code, screenshots, or videos. For web vulnerabilities, include request/response headers.
- Tools Used: Mention any tools or techniques used to discover the vulnerability.
- Your Contact Information (Optional): If you wish to be credited, please provide a name or handle.
By submitting a vulnerability report, you agree to the following responsible disclosure guidelines:
- Confidentiality: You will keep details of the vulnerability confidential between you and CertGames / AngelaMoss until we have publicly announced that the issue has been resolved.
- Non-Exploitation: You will not exploit the vulnerability beyond what is necessary to prove its existence. This includes avoiding access to, modification of, or destruction of user data.
- No Public Disclosure: You will not disclose the vulnerability publicly (e.g., on social media, blogs, or public repositories) before receiving explicit written consent from CertGames / AngelaMoss.
- Good Faith: You will conduct your research in good faith, without causing harm to CertGames / AngelaMoss, our users, or our services.
When you report a security vulnerability to us, we commit to:
- Prompt Acknowledgment: We will acknowledge receipt of your report within 2 business days.
- Investigation: We will investigate your report promptly and thoroughly.
- Communication: We will keep you informed of our progress throughout the vulnerability resolution process.
- Resolution: We will work to fix legitimate vulnerabilities as quickly as possible.
- Credit: If you are the first to report a previously unknown vulnerability and follow our responsible disclosure guidelines, we will gladly acknowledge your contribution publicly in our changelog or a dedicated security advisory, with your permission.
The following activities are considered out of scope and are not eligible for rewards or public recognition:
- Social engineering of CertGames / AngelaMoss employees or contractors.
- Physical attacks against CertGames / AngelaMoss offices or data centers.
- Denial of Service (DoS/DDoS) attacks.
- Spamming or phishing attempts.
- Vulnerabilities in third-party applications or services not directly controlled by CertGames / AngelaMoss (unless they directly impact our service).
- Misconfigurations in services that are publicly documented to be open (e.g., open ports unless a specific vulnerability is found on the service running on that port).
- Issues reported by automated tools without a clear proof-of-concept that demonstrates exploitability.
- Missing security best practices that do not directly lead to a vulnerability (e.g., missing HTTP security headers that don't directly enable an attack).
We extend our gratitude to all security researchers and individuals who help us improve the security of CertGames. Your efforts are invaluable.