Contact: https://bsky.app/profile/pokepc.net
Canonical: https://pokepc.net/.well-known/security.txt
Expires: 2027-05-19T00:00:00Z
Preferred-Languages: en

# PokéPC takes account security and trainer privacy seriously. If you find a vulnerability in the
# public PokéPC web app, please report it responsibly so we can investigate and fix it.
#
# PokéPC is a fan project for tracking Pokémon game-save progress, Pokédex and Livingdex collection
# state, trainer profiles, feedback, and related account settings. This policy is only for the
# public PokéPC web app and data that PokéPC controls. Do not test third-party services, official
# Pokémon services, payment or membership providers, email providers, social networks, or
# infrastructure that does not belong to PokéPC.
#
# High-impact reports we are interested in include:
# - Account takeover, authentication bypass, or session compromise
# - Authorization flaws that expose or modify another user's private trainer data
# - Privilege escalation into restricted operator-only functionality
# - Injection or server-side request issues with clear, demonstrated security impact
# - Exposure of secrets, credentials, or private user data through public web surfaces
# - Cross-site scripting that can affect another user without social engineering
#
# Out-of-scope reports include:
# - Denial-of-service testing, load testing, or any activity that degrades availability
# - Automated scanner output without a verified, exploitable impact
# - Social engineering, phishing, spam, or attacks requiring physical access
# - Issues that only affect your own account or require self-exploitation
# - Public information, broken links, typo-only content issues, or cosmetic UI problems
# - Missing or recommended-only security headers without demonstrated impact
# - Cookie, CORS, TLS, DNS, email, or browser best-practice findings without an exploit path
# - User enumeration, version disclosure, descriptive errors, open redirects, tabnabbing, or
#   clickjacking on pages with no sensitive action
# - Reports about unofficial Pokémon data accuracy, gameplay rules, or product suggestions
#
# Testing guidelines:
# - Use only accounts and data you own or have explicit permission to test
# - Do not access, modify, delete, retain, or share another user's data
# - Do not attempt to access restricted operator tools; if you believe access is possible, stop at
#   the first non-destructive proof and report it
# - Do not run automated scanners or high-volume tests
# - Keep manual testing below 10 requests per minute
# - Do not attempt persistence, lateral movement, credential harvesting, malware, or data
#   exfiltration
# - Stop testing and report immediately if you encounter private data, credentials, or a material
#   service risk
#
# Reporting guidelines:
# - Contact PokéPC through the official Bluesky profile at https://bsky.app/profile/pokepc.net
# - Write reports in English
# - Include the affected URL or feature, clear reproduction steps, screenshots or screen recordings
#   when useful, and a concise impact assessment
# - Keep proof of concept details minimal and non-destructive; do not include payloads or
#   instructions that would enable broad abuse
# - Do not post vulnerability details publicly; use a private channel where available or request a
#   secure follow-up channel through the official Bluesky profile
# - Do not publicly disclose the issue or share it with third parties until PokéPC has investigated
#   and addressed it
#
# Rewards:
# - PokéPC does not run a public bug bounty program
# - Rewards, acknowledgments, and public credit are discretionary
# - Low-impact, duplicate, automated, or out-of-scope reports are not eligible for rewards
#
# What we promise:
# - We will review security reports sent through this channel
# - We aim to respond within 10 business days
# - We will not pursue legal action against researchers who follow this policy, avoid privacy harm,
#   avoid service disruption, and report findings in good faith
# - We may close reports that are out of scope, abusive, unsafe to reproduce, or not actionable