Bug Bounty Program
Earn rewards for responsibly disclosing security vulnerabilities in our systems. Help keep DeceptionDMA secure for everyone.
Launched 5 March 2026

DeceptionDMA values the security research community and invites ethical hackers to identify and report vulnerabilities in our digital assets. Eligible reports may qualify for monetary rewards, paid at our discretion based on severity, impact, exploitability, and report quality.
1. Program Overview & Safe Harbor
We commit to a safe harbor: If you follow this policy in good faith (no malicious intent, no harm to users/data, stay within scope), we will not pursue legal action against you for your research and disclosure activities.
Rewards are discretionary — we do not guarantee payments, but aim to recognize valuable contributions fairly.
2. In Scope
- deception.gg and all subdomains (*.deception.gg)
- Web applications, customer dashboard, shop, authentication flows
- Public APIs and license delivery endpoints
- Firmware/hardware update check mechanisms (web-facing only)
3. Out of Scope / Not Eligible
- Physical attacks on DMA hardware or firmware extraction
- Cheat development, anti-cheat bypass attempts, or game-related exploits
- Denial of service (DoS/DDoS), spam, brute-force attacks
- Social engineering, phishing, or insider threats
- Third-party services (Discord, Stripe/PayPal, SellAuth, cloud providers)
- Automated scanning that causes excessive traffic
- Previously known/public issues or low-impact findings (e.g., missing headers without exploit path)
- Testing on production that risks real user data/accounts
4. Rewards & Severity Guidelines
Rewards are in USD (or equivalent), paid via PayPal/Bank transfer after validation. Amounts are approximate and at our sole discretion.
| Severity | Description / Examples | Reward Range (USD) |
|---|---|---|
| Critical | Remote code execution, full account takeover, server-side data breach, critical auth bypass | $2,000 – $5,000+ |
| High | Significant privilege escalation, sensitive data exposure (e.g., keys/emails), SSRF to internal systems | $800 – $2,000 |
| Medium | IDOR leaking non-sensitive data, stored/reflected XSS with impact, CSRF on high-value actions | $200 – $800 |
| Low | Self-XSS, low-impact misconfigs, rate-limit bypass without abuse potential | $50 – $200 (or swag/credit) |
| Informational | Best practices, no direct impact | $0 (credit possible) |
Higher rewards for excellent reports (clear PoC, impact explanation, suggested fix). We may offer non-monetary perks (free hardware, lifetime keys, Discord recognition) for top findings.
5. How to Report
Email your report to: vulnerability@deception.gg
We support and encourage PGP-encrypted submissions for sensitive reports — see section 7 below for our public key.
Required Report Details
- Vulnerability type & CVSS estimate (optional)
- Step-by-step reproduction (screenshots/video/PoC code)
- Affected URLs/endpoints
- Impact & potential exploit scenario
- Your suggested mitigation
- Contact info (anonymous OK)
6. Rules & Expectations
- Act ethically — only prove the issue, no data exfiltration/modification
- No public disclosure until we have fixed the issue and agreed to disclosure (a 90-day maximum timeline is typical)
- Stop testing if requested
- We respond within 3 business days and provide regular updates
- Credit/hall-of-fame for reporters (unless anonymous)
7. PGP Encryption (Recommended for Sensitive Reports)
For reports containing proof-of-concept code, exploit details, or other sensitive information, encrypt your email with our PGP public key.
Current public key (fingerprint: replace-with-your-real-fingerprint-here):
```
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBF...your full armored public key goes here...
(this is a placeholder — replace the entire block with your actual key)
... (very long base64 content continues) ...
-----END PGP PUBLIC KEY BLOCK-----
```
Fingerprint: ABCD EFGH IJKL MNOP QRST UVWX YZ12 3456 789A BCDE (replace with yours)
Email: vulnerability@deception.gg
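Before encrypting a report to a key downloaded from a web page, a reporter should confirm that the key's fingerprint matches the one the program publishes; a key swapped in transit or on a compromised page would otherwise receive the proof of concept. The following is an added example, not code from the DeceptionDMA page or from GnuPG. It assumes GnuPG 2.1 or later is installed as `gpg` (the `show-only` import option is used to read the fingerprint without importing the key), and the fingerprint it compares against is a constructed placeholder to be replaced with the value printed in this section.

```python
"""Verify a published PGP key's fingerprint before encrypting a report to it.

Added example, not code from the DeceptionDMA page. Assumes GnuPG 2.1+ as `gpg`.
PUBLISHED_FINGERPRINT is a constructed placeholder, not the program's real key.
"""
import subprocess

# Constructed placeholder: 40 hex digits in the usual published grouping.
PUBLISHED_FINGERPRINT = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
RECIPIENT = "vulnerability@deception.gg"

# Constructed sample of `gpg --with-colons` output for one primary key plus one
# encryption subkey; the real output comes from inspect_key_file() below.
SAMPLE_COLONS = """\
pub:-:4096:1:0123456789ABCDEF:1700000000::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1700000000::0000000000000000000000000000000000000000::Security <vulnerability@deception.gg>::::::::::0:
sub:-:4096:1:FEDCBA9876543210:1700000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
"""


def normalize_fingerprint(fpr):
    """Uppercase and drop whitespace so differently grouped fingerprints compare equal."""
    return "".join(fpr.split()).upper()


def fingerprints_from_colons(output):
    """Extract primary-key fingerprints from `gpg --with-colons` records.

    An 'fpr' record carries the fingerprint in field 10 (index 9). The first
    'fpr' after a 'pub' record is the primary key's; later ones belong to subkeys.
    """
    fprs, expect_primary = [], False
    for line in output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            expect_primary = True
        elif fields[0] == "fpr" and expect_primary and len(fields) > 9:
            fprs.append(fields[9])
            expect_primary = False
    return fprs


def key_matches(colons_output, published=PUBLISHED_FINGERPRINT):
    """True only if exactly one primary key is present and it matches the published fingerprint."""
    fprs = fingerprints_from_colons(colons_output)
    return len(fprs) == 1 and normalize_fingerprint(fprs[0]) == normalize_fingerprint(published)


def inspect_key_file(path):
    """Return gpg's colon-format description of an armored key file without importing it."""
    result = subprocess.run(
        ["gpg", "--with-colons", "--import-options", "show-only", "--import", path],
        capture_output=True, text=True, check=True)
    return result.stdout


def encrypt_report(report_path, key_file, published=PUBLISHED_FINGERPRINT):
    """Import the key only after its fingerprint matched, then ASCII-armor encrypt the report."""
    if not key_matches(inspect_key_file(key_file), published):
        raise SystemExit("key file does not match the published fingerprint; do not use it")
    subprocess.run(["gpg", "--import", key_file], check=True)
    # The fingerprint comparison above is the trust decision, so select the
    # recipient by fingerprint and skip gpg's web-of-trust prompt.
    out = report_path + ".asc"
    subprocess.run(["gpg", "--armor", "--trust-model", "always", "--encrypt",
                    "--recipient", normalize_fingerprint(published), "--output", out,
                    report_path], check=True)
    return out


if __name__ == "__main__":
    print("sample key matches published fingerprint:", key_matches(SAMPLE_COLONS))
```

In use, `encrypt_report("report.txt", "deception-pubkey.asc")` produces `report.txt.asc` for the email body or attachment, and refuses to proceed if the downloaded key's primary fingerprint differs from the published one.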
8. security.txt (for /.well-known/security.txt)
We follow the security.txt standard (RFC 9116). The following content belongs at https://deception.gg/.well-known/security.txt:

```
Contact: mailto:vulnerability@deception.gg
Expires: 2027-03-05T00:00:00Z
Preferred-Languages: en
Canonical: https://deception.gg/.well-known/security.txt
Policy: https://deception.gg/vulnerability.html
# Hiring is optional
Hiring: https://deception.gg/about.html
```

Comments in security.txt must occupy their own line beginning with `#`; a comment appended to the `Hiring` line would become part of its URI.
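A security.txt file is only useful if it parses cleanly and has not lapsed, so it is worth checking it the way a reporter's tooling would. The following added example (not code from the DeceptionDMA page or from any tool it names) parses a security.txt file and applies the RFC 9116 rules that matter in practice: `Contact` and `Expires` are required, `Expires` must be a future timestamp and should lie within a year, URI-valued fields may not carry inline comments, and `Canonical`, if present, should name the URL the file is served from. The sample file is constructed from the content in this section, and the serving URL is an assumption taken from the `Canonical` line.

```python
"""Check a security.txt file against the RFC 9116 rules that matter in practice.

Added example, not part of the DeceptionDMA page. The sample below is constructed
from section 8; the serving URL used for the Canonical check is an assumption.
"""
from datetime import datetime, timedelta, timezone

SAMPLE_SECURITY_TXT = """\
Contact: mailto:vulnerability@deception.gg
Expires: 2027-03-05T00:00:00Z
Preferred-Languages: en
Canonical: https://deception.gg/.well-known/security.txt
Policy: https://deception.gg/vulnerability.html
# Hiring is optional
Hiring: https://deception.gg/about.html
"""

# Assumption: the URL the file is served from, compared against Canonical.
SERVED_AT = "https://deception.gg/.well-known/security.txt"

# Fields whose value is a single URI, so whitespace (e.g. a trailing comment) is an error.
URI_FIELDS = ("contact", "canonical", "policy", "hiring", "acknowledgments", "encryption")


def parse_timestamp(value):
    """Parse an ISO 8601 / RFC 3339 timestamp such as 2027-03-05T00:00:00Z."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def parse_security_txt(text):
    """Return {lowercased field name: [values]}, skipping blank and comment lines."""
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'Field: value', got {raw!r}")
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate_security_txt(text, served_at=SERVED_AT, now=None):
    """Return a list of problems; an empty list means every check passed.

    `now` is an optional ISO 8601 timestamp so the expiry check is reproducible.
    """
    now_ts = parse_timestamp(now) if now else datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []

    # Contact is REQUIRED and must be a mailto:, https:// or tel: URI.
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("Contact field is required")
    for c in contacts:
        if not c.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact must be a mailto:, https:// or tel: URI: {c}")

    # Expires is REQUIRED, appears once, lies in the future and (SHOULD) within a year.
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            exp = parse_timestamp(expires[0])
        except ValueError:
            problems.append(f"Expires is not a valid timestamp: {expires[0]}")
        else:
            if exp <= now_ts:
                problems.append(f"file expired at {expires[0]}")
            elif exp - now_ts > timedelta(days=366):
                problems.append("Expires is more than a year away")

    # Canonical, if present, should list the URL the file is actually served from.
    canonical = fields.get("canonical", [])
    if canonical and served_at not in canonical:
        problems.append(f"Canonical does not list the serving URL {served_at}")

    # Preferred-Languages appears at most once.
    if len(fields.get("preferred-languages", [])) > 1:
        problems.append("Preferred-Languages must not appear more than once")

    # URI-valued fields: no embedded whitespace (inline comments), https for web links.
    for name in URI_FIELDS:
        for v in fields.get(name, []):
            if any(ch.isspace() for ch in v):
                problems.append(f"{name} contains whitespace (inline comments are not allowed): {v}")
            elif v.startswith("http://"):
                problems.append(f"{name} should use https://: {v}")
    return problems


if __name__ == "__main__":
    for line in validate_security_txt(SAMPLE_SECURITY_TXT, now="2026-03-05T00:00:00Z") or ["OK"]:
        print(line)
```

Run against the sample with `now` set to the launch date, the checks pass; the same file checked after 5 March 2027 reports that it has expired, which is the failure a reporter would hit if the `Expires` line is never refreshed.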
9. Sample Report Email Template
A clear, high-quality report usually looks like this:
```
Subject: Bug Bounty Report - Critical - Unauthenticated RCE in /api/update

Hi DeceptionDMA Security Team,

Vulnerability Type: Remote Code Execution
Severity: Critical (CVSS ~9.8)
Affected Endpoint: https://deception.gg/api/firmware/update

Steps to Reproduce:
1. Send POST request to /api/firmware/update with crafted payload...
2. ...

Impact:
An attacker could execute arbitrary code on the update server, potentially leading to...

PoC: [attached encrypted zip or inline safe PoC code]

Suggested Fix: Validate firmware signature server-side + ...

Thanks,
[Your name / handle / anonymous]
```
10. Changes & Questions
We may update this program (scope, rewards, etc.) over time. Check back for the latest version. Questions about scope or policy? Email us first — we're happy to clarify before you start testing.