Bug Bounty Program Guidelines

Hello Hackers,

We’re excited to collaborate with the security community to help protect our website and our users. Your contributions are invaluable in keeping Instant Gaming a safe and trusted platform. If you believe you’ve found a security issue in our products or services, we encourage you to responsibly disclose it to us. We’re committed to working with you to investigate and resolve the issue quickly and transparently.

Disclosure Policy

When reporting a vulnerability, please:
Report promptly Let us know as soon as possible after discovering a potential security issue.
Give us time Allow a reasonable amount of time for us to resolve the issue before making any public disclosure. We will try to aknowledge your report within 72 hours and update you on the progress.
Act in good faith Avoid actions that could harm users or the platform, including privacy violations, destruction of data, exfiltration of information, or disruption of services. Only test against accounts you own or accounts with explicit permission.
We value responsible security research and will treat every report with respect and seriousness.

Scope

Our Bug Bounty program is limited to the following public scopes:
  • Instant-Gaming.com and every subdomain publicly discoverable
  • Public APIs
  • Instant Gaming & Instant Gaming News mobile applications (iOS and Android)

Out of Scope / Exclusions

To keep testing safe and productive, please refrain from the following:
  • Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks
  • Spamming, brute force attacks, or other automated abuse
  • Social engineering (including phishing) of Instant Gaming staff, contractors, or users
  • Any physical attempts to access Instant Gaming offices, employees, or data centers

How to report a vulnerability

Please use the following contact page to report a vulnerability: https://www.instant-gaming.com/en/support/. Make sure to include the following information:
  • Title / short summary
  • Affected scope (domain, url, application)
  • Perceived severity
  • Reproduction steps (numbered)
  • Minimal PoC (screenshots, video, curl commands)
  • Potential impact and suggested mitigation
Important: Submit each vulnerability only once per researcher. Duplicate submissions will not be counted. If you discover another vulnerability, please submit a separate form for it.

Safe Harbor

We want you to feel safe when conducting research and reporting vulnerabilities. When working within the rules of this program:
  • We will not pursue legal action against you.
  • We consider your testing to be authorized access under applicable laws.
  • We will not suspend or terminate your account for good-faith research.
  • If a third party initiates legal action, we will make it clear that your actions were conducted in compliance with this program.
Your good-faith security research helps us keep our users safe, and we fully support it.

Bounty Rewards

We believe in rewarding impactful research. Bounties are awarded based on severity (following the CVSS rating system and our internal risk assessment) and follow standard ranges. The exact bounty awarded will depend on the impact, scope, and quality of your report. Duplicate submissions may receive partial or no reward.

A Final Word

Thank you for helping us protect Instant Gaming and our community. Your work makes a real difference, and we look forward to collaborating with you. Stay safe, hack responsibly, and happy hunting!