Football.Fun (FDF) Bug Bounty Program
🎯 Purpose
To encourage responsible disclosure of security vulnerabilities that could impact the integrity, confidentiality, or availability of FDF’s services.
🪙 Eligibility Criteria
To qualify for a bounty:
You must be the first to report a specific vulnerability.
The vulnerability must be previously unknown and not publicly disclosed.
You must follow responsible disclosure guidelines (see below).
You must not exploit the vulnerability beyond what's necessary to demonstrate the issue.
💵 Bounty Rewards (in USD or equivalent crypto)
| Severity | Reward Range |
|---|---|
| Critical | $50,000+ |
| High | $2,500 – $50,000 |
| Medium | $500 – $2,500 |
| Low | $100 – $500 |
✅ Responsible Disclosure Process
Report the vulnerability to FDF (via email to security@football.fun).
FDF acknowledges receipt within 72 hours.
FDF and the researcher collaborate to validate the issue.
FDF fixes the issue and optionally credits the researcher (with consent).
Bounty is paid out within 30 days of validation (subject to KYC/AML checks).
If the researcher agrees not to publicly disclose the vulnerability for a minimum of 90 days (or until FDF resolves it, whichever is sooner), a +25% bonus will be added to the bounty amount.
❌ Out of Scope
Social engineering (e.g., phishing employees)
DDoS attacks
Physical security issues
Vulnerabilities in third-party services not under FDF’s control
Attacks requiring physical access to a user's device, unless the device is in-scope and explicitly hardened against physical access.
Attacks that require disabling man-in-the-middle (MITM) protections.
Attacks only affecting obsolete browsers or operating systems.
Missing best practices (SSL/TLS configuration, Content Security Policies, cookie flags, tabnabbing, autocomplete attribute, email SPF/DKIM/DMARC records), unless a significant impact can be demonstrated.
Clickjacking or Cross-Site Request Forgery (CSRF) on unauthenticated pages / forms with no sensitive actions.
Open redirects, unless a significant impact can be demonstrated.
Self-exploitation (self XSS, self denial-of-service, etc.), unless a method to attack a different user can be demonstrated.
Content spoofing, text injection and CSV injection, unless a significant impact can be demonstrated.
Software version disclosure / Banner identification issues / Descriptive error messages or stack traces.
Issues that require unlikely user interaction by the victim.
Perceived security weaknesses without evidence of the ability to demonstrate impact.
Other exclusions
Any activity carried out on an FDF website, domain or app is strictly prohibited and will not be considered as part of this program.
Any activity that could lead to the disruption of our service (DoS, DDoS) or any volumetric based exploit.
Social engineering of customers or end users is prohibited under any circumstance.
Social engineering of FDF's employees or contractors, unless explicitly authorized.
Attacks against our physical facilities, unless explicitly authorized.
📜 Legal Safe Harbor
FDF will not initiate legal action against researchers who:
Follow this policy in good faith
Avoid privacy violations, data destruction, or service disruption
Do not profit from or share exploit information