Website and Services
Security Policy
Last updated Thursday, January 9, 2025
The Submission Process
If you believe you have found a security vulnerability on one or more of our services, please report it to support@construct.net. The report should include as much of the following as possible:
- Sufficient details of the vulnerability to allow it to be understood and reproduced
- HTTP requests and responses, HTML snippets, screenshots or any other supporting evidence
- Proof of concept code
- The impact of the vulnerability
- Any references or further reading that may be appropriate
We will review any reports promptly, but you may not receive a response for a few days whilst we investigate and take necessary action.
Unpermitted Activities
You are strictly prohibited from using automated tools or vulnerability scanners. These can be aggressive and degrade site performance.
You must not test for vulnerabilities or demonstrate proof of vulnerabilities on live customer accounts. Demonstrations of the vulnerabilities must be executed on a test account that you create.
Do not break any laws, or put any customer or Scirra data at risk.
If we discover you are breaking any of these rules we will not pay out any bounties.
Rewards
In the past, we've paid out bounties in the range of $25 USD to $500 USD. To qualify for a bounty payment:
- We must be unaware of the reported vulnerability
- The reported vulnerability must be at least moderately severe as judged by us
- The attack vector is realistic
- You must provide us a full invoice with your name and address present on it
- You must be able to accept payment by PayPal. We do not make payouts any other way.
- You must reside in a country where there are no trade embargoes with the United Kingdom or United States of America