The Bridge Champ team recognizes the value external experts can bring to the usability, stability and security of Bridge Champ, and we welcome and seek to reward eligible contributions from researchers, as outlined below.
If you believe you have found a bug or a security vulnerability on Bridge Champ, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. Before reporting, though, please review this page, including our responsible disclosure policy, reward guidelines, and scope of the program.
¶ Responsible Research and Disclosure Policy
For you to participate in the program, we require that:
- You do not interact with an individual account (which includes modifying or accessing data from the account) without the account owner's explicit consent in writing, which you must produce upon request.
- You make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) unauthorized access to or destruction of data, and interruption or degradation of our services. You must not intentionally violate any applicable laws or regulations, including (but not limited to) laws and regulations prohibiting the unauthorized access to data.
- You do not exploit a bug or a security issue you discover for any reason other than for testing purposes, and you do not conduct testing outside of your own account, a test account, or another account for which you have the explicit written consent of the account owner to test.
- You give us reasonable time to investigate and mitigate an issue you report before publicly disclosing any information about the report or sharing such information with others.
- Not be employed by or a contractor/vendor of Bridge Champ or its subsidiaries or affiliates, or be an immediate family member of a person employed by Bridge Champ or its subsidiaries or affiliates (defined for these purposes as including spouse, domestic partner, parent, legal guardian, legal ward, child, and sibling, and each of their respective spouses, and individuals living in the same household as such individuals).
- Not be less than 18 years of age.
We recognize and reward researchers who help us improve our products and services. Monetary bounties for such reports are entirely at our discretion, based on risk, impact, number of vulnerable users, and other factors.
To be considered for a bounty, you must meet the following requirements:
- Report a bug: that is, identify a problem in our services or infrastructure which creates a usability, stability, security or privacy risk. (Note that we ultimately determine the impact of an issue, and that reports may not be classified as a bug or security issue.)
- Report the bug upon discovery or as soon as it is feasible.
- Submit your report via the in-game feedback form or by mailing your bug report to firstname.lastname@example.org.
In turn, we will follow these guidelines when evaluating reports under our bug bounty program:
- We investigate and respond to all valid reports. Due to the volume of reports we receive, though, we prioritize evaluations based on impact and other factors, and it may take some time before you receive a reply.
- We determine bounty amounts based on a variety of factors, including (but not limited to) impact, ease of exploitation, and quality of the report. If we pay a bounty, the minimum reward is 1000 IGNIS. Note that extremely low prioirity issues may not qualify for a bounty at all. Even if the issue you identify is low priority in isolation, if your report leads us to discover higher prioirty problems, we may, at our sole discretion, pay an increased award.
- We will generally pay lower reward amounts for problems which are only reproducible using outdated web browser or mobile device versions or unsupported configurations, but we will still consider such reports.
- We seek to pay similar amounts for similar issues, but bounty amounts and qualifying issues may change with time. Past rewards do not necessarily guarantee similar results in the future.
- In the event of duplicate reports, we award a bounty to the first person to submit an issue. (Our team determines duplicates in its sole discretion and is not obligated to share details on prior similar reports.) A given bounty is typically only paid to one individual. However, if a subsequent report on a previously evaluated issue reveals that a problem still remains or is more serious than initially judged, we may pay a reward for the subsequent report and evaluate whether an additional reward is warranted for the initial entry.
- We reserve the right to publish reports (and accompanying updates).
- We may publish a list of researchers who have submitted valid bug reports. You must receive a bounty to be eligible for this list. We reserve the right to limit or modify the information accompanying your name in the list. If you do not want to appear in such a list please let us know in advance.
- We may retain any communications about issues you report as long as we deem necessary for the program purposes, and we may cancel or modify this program at any time.
Reward payments are denominated in IGNIS. IGNIS is a cryptocurrency maintained by our parent company Jelurida, you can learn more about it here https://www.jelurida.com/ignis. Payments are submitted directly to an Ardor blockchain account associated with your bridge champ username. Therefore, the only information we need from you in order to submit a reward payment is your bridge champ username. Rewards are currently limited to in-game use, however in the future we intend to make these rewards fungible.
We classify reports into the following severity classes
- Minor problem. Reward 1000 IGNIS.
- Isolated problem in a single module, problems related to UI, visibility, alignment, minor bot mistakes. Reward 2000 IGNIS.
- Incorrect information, logic error, incorrect score calculation, confusing data, incomplete process, bad bid or play by bots. Reward 5000 IGNIS.
- A major problem, a session crash, bot getting stuck, major performance issue, security vulnerability. Reward 10000 IGNIS
- Critical problem or security vulnerability. Reward 20000 IGNIS
When reporting a problem related to bot behaviour, always use the feedback form to submit your report, it is not necessary to include a screen capture.
Before submitting a report, please make sure to study the bot convention card, we will ignore reports where the user has deviated significantly from the convention.
We may ignore reports related to border line cases involving a difference in 1 hcp or when there are several lines of legitimate play in our opinion, or when a convention that the bot was supposed to follow is clearly marked as unsupported in the convention card.
We will consider cases like pass over partner's artificial bid or a gross mistake by the bot that causes a significantly lower score compared to the par score as class 4 problem, otherwise, inaccurate bid or play will be classified as class 2 or 3 depending on the impact, and based on our sole discretion.