Bug Disclosure Program

We operate in a high-trust environment where financial integrity, player privacy, and system reliability are non-negotiable. If you're a security researcher and you've discovered a potential issue in our platform, we want to hear from you.

We recognize the value of external security contributions, and we reward those who help us strengthen our systems. This program is designed to acknowledge vulnerability research, and to ensure that any reported issue is addressed quickly, responsibly, and fairly.

What We're Looking For

We're primarily interested in vulnerabilities that present clear and demonstrable risk to our platform or players. These include (but are not limited to) the following:

  • Remote code execution or server-side command injection
  • Unauthorized access to internal systems or sensitive data
  • Bypass of authentication, authorization, or session boundaries
  • Exploits that result in financial gain, manipulation of game outcomes, or abuse of bonus mechanics
  • Any vulnerability that enables impersonation or account takeover

Reports that include clear exploit paths, detailed technical write-ups, and real-world consequences are eligible for more significant rewards.

What's Not in Scope

We aim to keep the program focused. As such, we generally do not accept reports on:

  • Absence of HttpOnly, Secure, or SameSite flags
  • Missing Content Security Policy (CSP) or other headers
  • Use of deprecated TLS versions or cipher suites
  • Disclosure of version numbers (Apache, PHP, etc.)
  • Self-XSS without a realistic exploit chain
  • Lack of DMARC/SPF/DKIM
  • Password complexity policies
  • Vulnerabilities in outdated WordPress plugins without proven exploitability
  • Login error message variations or user enumeration

Unless these issues are part of a larger, demonstrably exploitable chain, they are not considered reward-eligible.

Guidelines for Participation

To protect our platform and our users, please observe the following:

  • Do not test against our systems in ways that could disrupt service
  • Do not attempt social engineering, phishing, or physical intrusion
  • Do not access or modify data that belongs to other users
  • Do not use automated tools, scanners, or brute-force scripts
  • Do not disclose findings publicly until we confirm resolution

This program is open to external researchers only. Employees, contractors, affiliates, and partners of Lucky Rebel are not eligible for rewards.

Submitting a Report

To report a vulnerability, please email security@luckyrebel.la with:

  • Your contact information
  • A brief, descriptive title of the issue
  • Affected system or domain
  • Step-by-step technical breakdown
  • Your risk assessment (Low / Medium / High / Critical)
  • Proof of concept (screenshots, payloads, logs, videos)

We aim to acknowledge valid submissions within 2 business days and provide updates throughout the triage and resolution process.

We deeply appreciate the time, effort, and expertise that security researchers invest in making platforms like ours safer. Thank you for your responsible disclosure and collaboration; we look forward to working with you.