Security

Hypixel Studios Bug Bounty Program


Welcome to Hypixel Studios Bug Bounty program! The security and privacy of our users are extremely important to us, separate to our own internal teams working on keeping you and your data safe this program enables players and the security research community to help us quickly repair security problems by reporting vulnerabilities.

Please read this page in its entirety before submitting a report! If you have any questions or need further clarification you can reach out to our team at [email protected].

If we can validate that the reported issue qualifies for a bounty, we’ll triage it and keep you up to date about the progress towards resolution.

Program Rules

  • Reports MUST be sent to [email protected]
  • All data must be submitted with reproduction steps
  • You agree to disclose this report only to Hypixel Studios Limited
  • Testing must be done through your own accounts
  • Other accounts should not be accessed/used without owners consent
  • Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including denial of service).
  • Only the first reporter of a bug/vulnerability is able to claim the bounty
  • Only persons 18+ may collect bounties on bugs/vulnerabilities.

How to structure your report

  • Your contact details
  • Description of the Issue - Describe the issue and the root cause of it. The intended audience is technical so describe the issue in enough detail.
  • Location - Where is the vulnerability located? e.g. * Path and the line of code * Endpoint * URL * Exposed port
  • Reproduction Steps - What are the necessary steps in order to reproduce the issue. These are important to ensure the issue is actually valid and to be able to validate fixes.
  • Inform us if you inadvertently encounter player data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Hypixel Studios

Exclusions

  • DOS Attacks
  • Brute forcing
  • Spam/Social engineering
  • Reports that do not pose any security risk
  • Account/Email enumeration
  • Email SPF, DKIM, and DMARC records
  • Self-exploitation

Scope

Tier 1

  • Machine Infrastructure Access
  • 1st Party Servers
  • login.hytale.com
  • PII access
  • Non Physical MITM

Tier 2

  • Marketplace/Organization management
  • Websites (Hytale.com/Hypixelstudios.com)
  • Grafana

Tier 3

  • Skins API
  • Login API
  • Accounts API
  • 3RD party integrations

Legal

We will not pursue civil action or initiate a complaint to law enforcement for violations of this policy that we, in our sole discretion, determine are accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy.

We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.

If legal action is initiated by a third party against you and you have complied with Hypixel Studios' bug bounty policy, Hypixel Studio will take steps to make it known that your actions were conducted in compliance with this policy.

Hypixel Studios Limited reserves the right to make the final call on any submissions validity.

Rewards & Payout

You are responsible for paying any taxes associated with rewards. We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. Reports from individuals who we are prohibited by law from paying are ineligible for rewards. Hypixel Studio Limited staff and their family members are not eligible for bounties.