Bug Bounty Program

At iGV, security is at the core of everything we build. We believe that collaboration with the security research community is essential to maintaining a secure platform for our merchants, sellers, and buyers.

If you believe you've discovered a security vulnerability in any of our systems, we encourage you to report it to us — and we'll reward you for your effort.

Scope

In-Scope Targets

Target                 Description
*.igv.com              Primary web application and API endpoints
*.imetastore.io        Core platform services
Open API Endpoints     All endpoints documented in this developer portal

In-Scope Vulnerability Types

  • Authentication & Authorization flaws (e.g., privilege escalation, IDOR / insecure direct object references)
  • Injection vulnerabilities (SQL, NoSQL, Command Injection, etc.)
  • Server-Side Request Forgery (SSRF)
  • Cross-Site Scripting (XSS) — stored, reflected, DOM-based
  • Cross-Site Request Forgery (CSRF)
  • Business Logic flaws leading to financial loss or data exposure
  • Sensitive Data Exposure of user or transaction information
  • API Abuse — rate limiting bypass, mass assignment, parameter pollution
  • Payment Manipulation vulnerabilities in order/transaction flows
  • Account Takeover via any vector

Out-of-Scope

The following are not eligible for rewards:

  • Vulnerabilities requiring physical access to a user's device
  • Social engineering or phishing attacks against iGV employees or users
  • Denial of Service (DoS/DDoS) attacks
  • Missing HTTP security headers (e.g., CSP, HSTS) without demonstrable exploit
  • Clickjacking on pages with no sensitive actions
  • Self-XSS (where the attacker can only target themselves)
  • Vulnerabilities in third-party services not under iGV's control
  • Scanner-generated reports without proof of concept
  • Theoretical vulnerabilities without a working exploit

Reward Tiers

Rewards range from $20 to $3,000, depending on the severity and impact of the vulnerability.

Note: Reward amounts are at iGV's sole discretion and reflect the actual, demonstrated impact and the quality of the report. Exceptional reports may receive higher rewards.

Rules of Engagement

  1. Do not access, modify, or exfiltrate user data beyond what is necessary to demonstrate the vulnerability. Use test accounts whenever possible.

  2. Stop testing immediately if you gain access to any non-public data or sensitive systems, and report it to us right away.

  3. Do not disrupt our services or degrade the user experience for other users.

  4. Do not publicly disclose the vulnerability before it has been resolved. We aim to resolve critical issues within 7 days and other issues within 30 days.

  5. First reporter wins. If multiple researchers report the same vulnerability, the reward goes to the first valid report.

How to Report

Send your report to: [email protected]

Your report should include:

  • A clear description of the vulnerability and its potential impact
  • Step-by-step instructions to reproduce the issue
  • Affected endpoint(s) / URL(s)
  • Your name and contact information (for reward processing)
  • Any supporting materials (screenshots, videos, proof-of-concept code)

Safe Harbor

We will not pursue legal action against researchers who:

  • Act in good faith and follow our rules of engagement
  • Do not cause harm to iGV, our users, or our systems
  • Report vulnerabilities promptly and privately
  • Do not exploit vulnerabilities beyond what is necessary to demonstrate them

We consider vulnerability research conducted under this program to be authorized under applicable anti-hacking laws such as the Computer Fraud and Abuse Act (CFAA).

Frequently Asked Questions

Q: I found a vulnerability, but I'm not sure if it's in scope. Should I report it?
A: Yes! When in doubt, report it. We'd rather review a borderline report than miss a real vulnerability.

Q: How long does it take to triage a report?
A: We typically acknowledge receipt within 48 hours and provide an initial assessment within 5 business days.

Q: Can I use automated scanners?
A: We ask that you limit automated scanning to a reasonable rate. Reports that are purely scanner output without manual verification will not be accepted.

Q: Do you offer bounties for vulnerabilities in third-party integrations?
A: We may offer rewards at our discretion, but we encourage you to also report directly to the third-party vendor.

All game copyrights, trademarks, and service marks belong to their respective owners.