
Bug Bounty program

Last updated: 1 October 2025

1) Introduction

ApeFirst is committed to keeping our casino and prediction-market platform safe for everyone. We invite security researchers to responsibly disclose vulnerabilities so we can remediate them quickly and reward you for helping protect our community.

This document sets out scope, rules, rewards, and our process. By submitting a report, you agree to these terms.

2) Scope

In-scope assets

  • Web: apefirst.com and all first-party subdomains (e.g., app, api, blog, docs, auth).
  • APIs & Services: Public and authenticated REST/WebSocket APIs, backend services we operate.
  • Smart Contracts (if/when applicable): Any ApeFirst-owned on-chain contracts listed in our official docs/repo.
  • Operational Security: Misconfigurations or flaws in our cloud/infrastructure that directly affect the above.

Out-of-scope

  • Physical security, office networks, or employee devices.
  • Social engineering, phishing, vishing, or credential stuffing against staff or users.
  • Denial-of-Service (DoS/DDoS), volumetric or resource-exhaustion attacks.
  • Third-party platforms/services not operated by ApeFirst (payment processors, CDNs, wallets, etc.).
  • "Best-practice" recommendations without a security impact, clickjacking on non-sensitive pages, missing security headers with no exploit, SPF/DKIM/DMARC alignment suggestions, rate-limit "could be higher."
  • Self-XSS, open redirects without practical impact, mixed-content on non-sensitive pages.
  • Vulnerabilities that require a rooted/jail-broken device or a malicious mobile OS.
  • Reports without a proof-of-concept (PoC) or that require unrealistic user interaction.

If unsure whether something is in scope, ask us before testing.

3) Rewards & Severity

We pay bounties for unique, previously unknown vulnerabilities that result in a code or configuration change. Rewards are paid in USDT. Severity follows CVSS v3.1 plus business impact.

Severity      | Example impact (non-exhaustive)                                                                                                                                                                                        | Reward (USDT)
--------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------
Critical      | Remote code execution; auth bypass; direct wallet/private key compromise; unrestricted withdrawals/credit creation; universal account takeover; critical on-chain logic flaws enabling theft or loss of funds          | $250
High          | Stored XSS leading to admin/session takeover; vertical privilege escalation; bypass of 2FA; ability to bet/settle/resolve markets fraudulently; sensitive PII exfiltration                                             | $100
Medium        | CSRF with meaningful impact; IDOR exposing non-public user data; significant information disclosure; broken access control in non-admin areas                                                                        | $50
Low           | Reflected XSS with narrow impact; open redirect with realistic phishing angle; minor misconfiguration with demonstrable risk                                                                                           | $25
Informational | Quality hardening suggestions, missing headers with no exploit, verbose errors                                                                                                                                        | Thanks & Hall of Fame (no bounty)

Notes

  • Final bounty amounts are at our discretion based on exploitability, affected users, reproducibility, and quality of report. Exceptional findings may be rewarded above the listed amounts.
  • Duplicate reports are not eligible (first valid report wins).
  • Public disclosure prior to our coordinated release voids eligibility.

4) Research Rules

We support good-faith security research and won't pursue legal action when these rules are followed:

Do

  • Use your own accounts and test data. Keep traffic within reasonable limits.
  • Stop immediately once you confirm a vulnerability and share only the minimal data needed to demonstrate impact.
  • Report new issues only, privately and directly to us.

Don't

  • Access, modify, or exfiltrate data you don't own (beyond minimal, redacted proof).
  • Affect service availability or performance (no DoS, brute force, or spam).
  • Interact with other users' accounts, balances, or wagers.
  • Demand payment or set conditions ("ransomware-style") for disclosure.

If you follow the rules, we will:

  • Not initiate legal action for your good-faith research.
  • Advocate on your behalf if a third party raises concerns about good-faith actions.

5) Submission Quality & What to Include

Send one vulnerability per report and include:

  • Title and severity estimate.
  • A clear impact statement (what can an attacker achieve?).
  • Step-by-step reproduction with URLs, affected endpoints/versions, request/response samples.
  • Working PoC (scripts, videos, screenshots). Avoid public pastebins; attach files directly.
  • Any mitigations or fix suggestions.

Reports without a clear impact or reproducible steps may be closed as "informational."

6) Process & SLAs

  • Acknowledge: We aim to triage Critical/High/Medium within 7 business days, Low/Informational within 30 days.
  • Validate & Assign Severity: We may request more info or a live session.
  • Fix: We target rapid remediation for Critical/High and will share timelines when known.
  • Reward: Paid within 10 business days after fix/mitigation or a mutually agreed remediation plan.
  • Disclosure: Coordinated disclosure. Please do not publish details until either 90 days have passed since your report or we have confirmed remediation, whichever comes first.

7) Payout Terms

  • Paid in USDT (ERC-20 or TRC-20) to the wallet you provide.
  • We may require basic KYC for compliance (AML/CTF/tax) and to prevent abuse.
  • You are responsible for any taxes in your jurisdiction.
  • Employees/contractors of ApeFirst, providers with privileged access, or anyone testing with non-public code are ineligible.

8) Examples of Eligible Findings (non-exhaustive)

  • Authentication/authorization bypass, privilege escalation, account takeover.
  • Server-side injection (SQLi, SSRF with data access, deserialization, template injection).
  • Business-logic flaws enabling fraudulent bets, unauthorized credit creation, or market manipulation.
  • Insecure direct object references (IDOR) exposing PII, balances, bets, or KYC docs.
  • On-chain logic flaws that can drain funds or lock markets permanently.
  • Sensitive data exposure from misconfigured cloud storage, message queues, or CI/CD secrets.

9) Program Administration

  • How to report: Email [email protected] with the subject: BUG BOUNTY: <short title>.
  • Encryption: If needed, request our PGP key in your email and we'll reply with instructions.
  • Hall of Fame: With your consent, we'll list validated researchers on our Security page.

Quick Submission Template

Title:
Severity (your estimate):
Asset/Endpoint:
Impact:
Steps to Reproduce:
PoC:
Logs/Screens/Video:
Suggested Fix:
Your Wallet (USDT ERC-20/TRC-20):
PGP Needed? (Y/N):
Disclosure Preference: (90-day default)

Questions? Reach us at [email protected].
