Skip to main content
Bounty Program
Updated over a week ago

About

Pixels recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page as of March 2024.

Reporting Process

User must contact the team via our Support Center:

  1. Navigate to the Pixels Dashboard. Users must be logged into a Pixels account.

  2. Open a chat via the icon on the bottom right of the screen.

  3. Click on ‘Bug or Exploit Reports’ and follow the conversation flow.

This system will notify a team member immediately.

To be eligible for the Pixels Bounty Program, the user must:

  1. Be able to provide steps to reproduce

  2. Be the first user to bring it our attention

  3. Bring the issue to our attention without abusing it

  4. Report the issue to Pixels before we are aware of the issue

Policy

At Pixels, the security of our users is our top priority. As such, we strive to provide the most secure platform possible. We will evaluate reported security issues based on the security impact to our users and the Pixels ecosystem.

This bounty brief describes the rules of the Pixels bug bounty program, as well as the eligibility of vulnerabilities and the rewards.

Please follow the Pixels Disclosure Guidelines.

  • Do not share the reports to any blog, social network, etc. if not approved by Pixels

Respect the privacy of our users and please confine your testing to your own team during the bug investigation process.

  • While researching, we'd like to ask you to refrain from:

    • Doing automated testing, denial of service

    • Spamming, spoofing, phishing

    • Social engineering (including phishing) of Pixels staff or contractors

    • Performing any physical attempts against Pixels property or data centers

    • Performing further attacks once you have proof of Remote Control Execution (RCE) attacks, this includes but not limited to Privilege Escalation, Internal Network scan, etc. Proceed to do so may have your bounties forfeited.

    • Bulk downloading/extracting/crawling of exposed data beyond the need for proof-of-concept

Rewards/Ratings

Rewards will be paid out in RON or $PIXEL

Unless there is a good reason (i.e. additional information provided on the bug previously rewarded), we will only reward the first person who reported the bug to us.

Please note that only vulnerabilities with a working proof of concept that shows how it can be exploited will be considered eligible for monetary rewards. Determination of whether a reported issue sufficiently meets the bar for monetary rewards is done at Pixels’s discretion.

Pixels is eager to work with the community to make sure that every researcher's finding is rewarded fairly - based on the vulnerability's impact on business and overall severity. To this end, it is possible that extraordinarily severe issues or those with extreme impact may be rewarded up to $100,000.

Bounty Table:

Severity

Examples

Typical Bounty Range

Informational

Text injection, non-impactful CSRF, non-sensitive Information Disclosure, Brute Force

$0

Low

Misconfigurations, Session Management Vulnerabilities, Open Redirects, CSRF, XSS with low impact, domain takeover of unused domain, account privacy issues (highly variable)

$150-$500

Medium

Reflected/DOM-based XSS, cache poisoning, SSRF, API Security Issues

$500-$1,000

High

Privilege escalation, full authentication bypass

$750-$3,000

Critical

Blockchain vulnerability, SQL injection, Remote code execution

$5,000+**

**Bounty will vary widely based on severity and impact.

Assets in Scope

Smart Contract

$PIXEL contract

Farm Land Contract

Pet Contract

Web/App

Ineligible issues (Will be closed as out of scope):

  • Theoretical vulnerabilities without actual proof of concept

  • Gameplay bugs that do not impact game economics (E.g. walking through walls)

  • Email verification deficiencies, expiration of password reset links, and password complexity policies

  • Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)

  • Clickjacking/UI redressing with minimal security impact

  • Email or mobile enumeration (E.g. the ability to identify emails via password reset, we implemented rate limit for this issue)

  • Information disclosure with minimal security impact (E.g. stack traces, path disclosure, directory listings, logs)

  • Internally known issues, duplicate issues, or issues which have already been made public

  • Tab-nabbing

  • Self-XSS

  • Vulnerabilities only exploitable on out-of-date browsers or platforms

  • Use of known vulnerable libraries without actual proof of concept

  • Issues related to unsafe SSL/TLS cipher suites or protocol version

  • Content spoofing (*)

  • Cache-control related issues

  • Exposure of internal IP address or domains

  • Missing security headers that do not lead to direct exploitation

  • CSRF with negligible security impact (E.g. adding to favorites, adding to cart, subscribing to a non critical feature)

  • Vulnerabilities that require root/jailbreak

  • Vulnerabilities that require physical access to a user's device

  • Issues that have no security impact (E.g. Failure to load a web page)

  • Assets that do not belong to Pixels

  • Any activity (like DoS/DDoS) that disrupts our services

  • Installation Path Permissions

  • Reports from automated tools or scans

  • Links to invalid/expired pages (Only valid if you can demonstrate an actual takeover of an official Pixels social media account linked to on every page, not just specific past announcements/blog posts)

  • Third-party software (except in cases where there is an exploitable vulnerability due to misconfiguration or patch level)

  • URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability e.g. ATO)

  • Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis (This will be done at Pixels’ discretion)

Response Targets

We will do our best to ensure that we meet the following response targets for security professionals participating in our program:

  • Time to first response (from report submission date) - 5 business days

  • Time to triage (from report submission date) - 10 business days

  • Time to bounty (from triage) - 20 business days

  • Time to resolution - we shall keep you posted as we work to resolve the bugs.

Sometimes, it may take longer to review the vulnerability reports due to the multiple teams we are working with. We will endeavor to complete the review of your vulnerability report and determine whether to triage it within at most 25 business days from the date of reporting.

Did this answer your question?