About
Pixels recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page as of March 2024.
Reporting Process
User must contact the team via our Support Center:
Navigate to the Pixels Dashboard. Users must be logged into a Pixels account.
Open a chat via the icon on the bottom right of the screen.
Click on ‘Bug or Exploit Reports’ and follow the conversation flow.
This system will notify a team member immediately.
To be eligible for the Pixels Bounty Program, the user must:
Be able to provide steps to reproduce
Be the first user to bring it our attention
Bring the issue to our attention without abusing it
Report the issue to Pixels before we are aware of the issue
Policy
At Pixels, the security of our users is our top priority. As such, we strive to provide the most secure platform possible. We will evaluate reported security issues based on the security impact to our users and the Pixels ecosystem.
This bounty brief describes the rules of the Pixels bug bounty program, as well as the eligibility of vulnerabilities and the rewards.
Please follow the Pixels Disclosure Guidelines.
Do not share the reports to any blog, social network, etc. if not approved by Pixels
Respect the privacy of our users and please confine your testing to your own team during the bug investigation process.
While researching, we'd like to ask you to refrain from:
Doing automated testing, denial of service
Spamming, spoofing, phishing
Social engineering (including phishing) of Pixels staff or contractors
Performing any physical attempts against Pixels property or data centers
Performing further attacks once you have proof of Remote Control Execution (RCE) attacks, this includes but not limited to Privilege Escalation, Internal Network scan, etc. Proceed to do so may have your bounties forfeited.
Bulk downloading/extracting/crawling of exposed data beyond the need for proof-of-concept
Rewards/Ratings
Rewards will be paid out in RON or $PIXEL
Unless there is a good reason (i.e. additional information provided on the bug previously rewarded), we will only reward the first person who reported the bug to us.
Please note that only vulnerabilities with a working proof of concept that shows how it can be exploited will be considered eligible for monetary rewards. Determination of whether a reported issue sufficiently meets the bar for monetary rewards is done at Pixels’s discretion.
Pixels is eager to work with the community to make sure that every researcher's finding is rewarded fairly - based on the vulnerability's impact on business and overall severity. To this end, it is possible that extraordinarily severe issues or those with extreme impact may be rewarded up to $100,000.
Bounty Table:
Severity | Examples | Typical Bounty Range |
Informational | Text injection, non-impactful CSRF, non-sensitive Information Disclosure, Brute Force | $0 |
Low | Misconfigurations, Session Management Vulnerabilities, Open Redirects, CSRF, XSS with low impact, domain takeover of unused domain, account privacy issues (highly variable) | $150-$500 |
Medium | Reflected/DOM-based XSS, cache poisoning, SSRF, API Security Issues | $500-$1,000 |
High | Privilege escalation, full authentication bypass | $750-$3,000 |
Critical | Blockchain vulnerability, SQL injection, Remote code execution | $5,000+** |
**Bounty will vary widely based on severity and impact.
Assets in Scope
Smart Contract
$PIXEL contract
Farm Land Contract
Pet Contract
Web/App
Target | Type |
Web | |
Web |
Ineligible issues (Will be closed as out of scope):
Theoretical vulnerabilities without actual proof of concept
Gameplay bugs that do not impact game economics (E.g. walking through walls)
Email verification deficiencies, expiration of password reset links, and password complexity policies
Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)
Clickjacking/UI redressing with minimal security impact
Email or mobile enumeration (E.g. the ability to identify emails via password reset, we implemented rate limit for this issue)
Information disclosure with minimal security impact (E.g. stack traces, path disclosure, directory listings, logs)
Internally known issues, duplicate issues, or issues which have already been made public
Tab-nabbing
Self-XSS
Vulnerabilities only exploitable on out-of-date browsers or platforms
Use of known vulnerable libraries without actual proof of concept
Issues related to unsafe SSL/TLS cipher suites or protocol version
Content spoofing (*)
Cache-control related issues
Exposure of internal IP address or domains
Missing security headers that do not lead to direct exploitation
CSRF with negligible security impact (E.g. adding to favorites, adding to cart, subscribing to a non critical feature)
Vulnerabilities that require root/jailbreak
Vulnerabilities that require physical access to a user's device
Issues that have no security impact (E.g. Failure to load a web page)
Assets that do not belong to Pixels
Any activity (like DoS/DDoS) that disrupts our services
Installation Path Permissions
Reports from automated tools or scans
Links to invalid/expired pages (Only valid if you can demonstrate an actual takeover of an official Pixels social media account linked to on every page, not just specific past announcements/blog posts)
Third-party software (except in cases where there is an exploitable vulnerability due to misconfiguration or patch level)
URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability e.g. ATO)
Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis (This will be done at Pixels’ discretion)
Response Targets
We will do our best to ensure that we meet the following response targets for security professionals participating in our program:
Time to first response (from report submission date) - 5 business days
Time to triage (from report submission date) - 10 business days
Time to bounty (from triage) - 20 business days
Time to resolution - we shall keep you posted as we work to resolve the bugs.
Sometimes, it may take longer to review the vulnerability reports due to the multiple teams we are working with. We will endeavor to complete the review of your vulnerability report and determine whether to triage it within at most 25 business days from the date of reporting.