Vulnerability Disclosure Policy
Last Updated: 11/20/2025
Introduction
At GGWP Inc., our mission is to foster safe and inclusive gaming communities. We treat the security of our content moderation algorithms, our customers’ data, and the privacy of players with the utmost seriousness.
We recognize that the security community plays a vital role in building a safer internet. We value the contributions of security researchers, ethical hackers, and the gaming community who help us identify and address security issues. If you believe you have found a security vulnerability in our platform, API, or SDKs, we encourage you to let us know as soon as possible.
Safe Harbor (Legal Protection)
We consider security research and vulnerability disclosure to be “authorized” conduct under the Computer Fraud and Abuse Act (CFAA), the DMCA, and other applicable anti-hacking laws, provided you comply with this policy.
We pledge not to initiate or support legal action against you for accidental, good-faith violations of this policy.
However, this Safe Harbor does not extend to:
- Ransom or Extortion: Demanding payment in exchange for withholding disclosure or fixing the vulnerability.
- Fraud: Using a vulnerability to deceive our system, employees, or customers for financial gain.
- Data Exfiltration: Intentionally accessing, downloading, or transferring more data than is strictly necessary to demonstrate a proof of concept.
- Malicious Actions: Any activity intended to compromise the integrity or availability of our services (e.g., destroying data, persisting malware).
Scope
In-Scope Assets
We ask that you focus your testing on the assets owned and operated by GGWP Inc.:
- Web Applications: dashboard.ggwp.com
- API Endpoints: api.ggwp.com
- Client SDKs: Official GGWP Inc. SDKs for Unity, Unreal
Restricted Assets (Permission Required)
- Moderation Models & AI: Testing for Model Inversion, Training Data Extraction, or adversarial attacks against our ML models is strictly prohibited without prior written consent.
Out-of-Scope Assets
- Our Customers’ Games: You are strictly prohibited from testing, hacking, or disrupting the video games, servers, or infrastructure of the game studios that use our services. Testing should be done against our API interfaces, not the game client itself.
- Third-party services hosted by non-GGWP Inc. providers (e.g., HubSpot, or the AWS infrastructure underlying the service when tested directly rather than through the application layer).
Guidelines & Rules of Engagement
To remain within the Safe Harbor protections, you must:
- Do No Harm: Do not degrade the performance of our services (e.g., DoS/DDoS) or disrupt the moderation capabilities for our customers.
- Privacy First: Do not access, download, or modify data residing in an account that does not belong to you. If you encounter PII (Personally Identifiable Information), chat logs, or voice recordings belonging to others, stop immediately and report the vulnerability.
- Pivot Prohibition: Do not use a discovered vulnerability to pivot to internal systems or other customer environments.
- Confidentiality: Do not disclose the vulnerability to the public or third parties until we have had a reasonable amount of time to fix the issue (details in “Disclosure Policy” below).
Exclusions (Non-Qualifying Vulnerabilities)
The following issues are generally considered out of scope unless they demonstrate a significant security impact:
- Social Engineering (phishing, vishing) of our employees or customers.
- Physical security attacks against our offices.
- UI/UX bugs or spelling errors.
- Lack of rate limiting (unless it implies a severe threat to service availability).
- Missing HTTP security headers (unless a specific impact is demonstrated).
- Adversarial inputs to the AI that simply result in “incorrect” classifications (this is a quality issue, not a security vulnerability, unless it leads to code execution or data leakage).
How to Report a Vulnerability
Please send your report via email to security@ggwp.com.
Your report should include:
- Description: The location and nature of the vulnerability.
- Steps to Reproduce: A clear, step-by-step guide or a Proof of Concept (PoC) script.
- Impact: How the vulnerability could be exploited and what data/systems are at risk.
Our Commitment to You
When you share a vulnerability with us, we commit to:
- Acknowledge: We will acknowledge receipt of your report within 3 business days.
- Review: We will triage the report and confirm the validity of the vulnerability within 10 business days.
- Communication: We will keep you informed of our progress.
Target Remediation Timelines
We strive to fix issues based on their severity. We define our remediation goals as follows, subject to commercially reasonable efforts:
| Severity | Definition | Target Fix Timeline |
| --- | --- | --- |
| Critical | Critical data leakage, remote code execution on production systems. | 3 Days |
| High | Privilege escalation, significant data manipulation, lateral movement. | 7 Days |
| Medium | Limited data leakage, actions requiring user interaction (XSS, CSRF). | 30 Days |
| Low | Minor configuration issues, information disclosure with minimal impact. | 90 Days / Best Effort |
Disclosure Policy
We embrace Coordinated Vulnerability Disclosure. You are authorized to publish your findings only after:
- We have notified you that the vulnerability is fixed; OR
- 90 days have passed since your initial report, and we have not requested an extension due to the complexity of the fix.
Exceptions to Standard Disclosure:
- Accelerated Disclosure: If a vulnerability is actively being exploited in the wild (a “0-day”), we may agree to a shorter disclosure timeline to alert the community.
- Extended Disclosure: If a vulnerability affects a complex ecosystem (e.g., a third-party dependency requiring an upstream fix from a vendor), we may ask for an extension beyond 90 days to ensure the broader ecosystem is patched before public release.
Rewards & Recognition
We deeply appreciate the security researchers who help us keep the gaming ecosystem safe. However, it is important to clarify the nature of our program to set the right expectations.
No Monetary Rewards
This is currently a Vulnerability Disclosure Program (VDP), not a paid Bug Bounty program. We do not offer financial compensation or cash rewards for vulnerability submissions at this time. Please do not submit reports with the expectation of payment, or demand compensation as a condition for releasing the details of a vulnerability.
Our Gratitude
While we cannot offer cash bounties, we value your contribution and are happy to offer the following recognition for valid, high-impact reports:
- Hall of Fame: With your permission, we will list your name and profile link on our Security Hall of Fame.
- Professional Acknowledgement: We may provide a letter of recommendation or a LinkedIn endorsement confirming your contribution to our security posture.
- Swag: In exceptional cases and at our sole discretion, we may send company swag as a token of our appreciation.