HL GAMING – OFFICIAL BUG BOUNTY PROGRAM POLICY (LATEST VERSION 2026-27)
Applies to: https://www.hlgamingofficial.com and all subdomains, systems, clients, applications, and backend services owned by HL Gaming.
Last Updated: Friday, 14 November 2025 11:16 am (GMT+5)
1. INTRODUCTION AND PROGRAM PURPOSE
The HL Gaming Bug Bounty Program is established to strengthen the security, reliability, and integrity of all HL Gaming digital platforms. The purpose of this policy is to encourage ethical and skilled security researchers to identify vulnerabilities responsibly and contribute to the ongoing improvement of the HL Gaming ecosystem.
This program outlines strict rules of engagement, permitted and prohibited testing areas, required reporting procedures, eligibility restrictions, reward determination guidelines, and legal clauses governing acceptable researcher behavior.
By participating in this program, you acknowledge and accept that:
-
HL Gaming provides no exceptions beyond what is stated in this policy.
-
Any activity not fully aligned with this policy may lead to rejection, removal, or legal action.
-
You must comply with all ethical, legal, privacy, and operational standards outlined below.
Participation implies total acceptance of all terms, obligations, responsibilities, and limitations detailed in this document.
2. IN-SCOPE TARGETS – ALLOWED TESTING AREAS
Only the assets listed below are allowed for testing. Any attempt to interact with systems outside this scope constitutes a violation of program rules.
2.1 Primary Web Properties
All security testing is allowed only on the official HL Gaming website and its controlled subdomains:
-
Main Site: https://www.hlgamingofficial.com
-
All subdomains under: *.hlgamingofficial.com
This includes interfaces that the website directly serves, such as login pages, game pages, dashboards, user portals, and embedded modules within the official domain.
2.2 Desktop and Mobile Applications
In-scope applications:
-
HL Gaming Android APK (stable and beta versions)
-
HL Gaming Windows executable (.exe) official client
-
HL Gaming browser-based desktop clients
These applications must be downloaded only from official HL Gaming sources. Using modified, pirated, or unofficial builds for research automatically invalidates submissions.
2.3 APIs and Backend Services
In-scope:
-
HL Gaming Public REST APIs
-
Exposed internal APIs used by desktop or mobile clients
-
Game servers and services that interact with authenticated users
-
Backend services responsible for authentication, user data, financial transactions, account operations, and gameplay functions
Testing may include examining request/response behavior, parameter handling, and authentication flow, provided you do not exploit or damage real user data.
2.4 SDKs and Embedded Modules
All official HL Gaming SDKs, software modules, and components embedded within applications or game clients are included.
3. OUT-OF-SCOPE TARGETS – PROHIBITED AREAS
The following are strictly not allowed:
-
Any domains, IPs, tools, or services not owned by HL Gaming
-
Internal staging, test, QA, or development environments
-
iOS platform (no app exists; anything found is automatically invalid)
-
Third-party libraries, payment processors, or external integrations
-
Social engineering attempts against employees, partners, or vendors
-
Phishing, spoofing, or impersonation attacks
-
Physical attacks on HL Gaming property, systems, or networks
-
DoS / DDoS / Brute forcing / Credential stuffing
-
Any attack that degrades, disrupts, or interferes with HL Gaming services or users
-
Any testing targeting real user accounts, stored data, or financial information
Any test on an out-of-scope target will be rejected and may result in permanent program removal.
4. RULES OF ENGAGEMENT – ETHICAL AND PROCEDURAL REQUIREMENTS
4.1 Mandatory Ethical Conduct
Researchers must maintain the highest standard of ethical behavior. This includes:
-
Avoiding any harmful action that could affect HL Gaming users or operations.
-
Limiting all actions strictly to verification of the vulnerability’s existence.
-
Immediately stopping testing once a vulnerability is successfully identified.
-
Avoiding any extraction, copying, modification, exposure, or distribution of sensitive information.
4.2 Pre‑Authorization Requirement for Sensitive Services
Certain sensitive services, including but not limited to:
-
Authentication systems
-
Payment systems
-
Account recovery procedures
-
Email systems
-
Login flow
-
Signup flow
-
Token, session, or cookie handling
-
Financial data modules
-
Admin-related endpoints
-
Internal APIs
require explicit written approval before testing.
Before engaging with these high‑risk sections, the researcher must:
-
Send a request to support@hlgamingofficial.com.
-
Provide their full identity and intended testing area.
-
Receive clear written authorization.
Any testing conducted without prior authorization on sensitive systems will result in:
-
Automatic rejection of the report
-
Removal from the bug bounty program
-
Potential legal action if system disruption or data exposure occurred
HL Gaming enforces this requirement strictly.
4.3 Data Privacy and Protection
Any discovered sensitive information such as user data, internal logs, tokens, or credentials must:
-
Not be saved
-
Not be screenshot unless necessary for proof
-
Not be shared outside the official submission
-
Not be used for exploitation or further testing
Any misuse of data leads to immediate program ban and legal consequences.
4.4 System Integrity and Monitoring
HL Gaming monitors:
-
API activity
-
Account behavior
-
Error logs
-
Request patterns
-
Traffic anomalies
-
Reproduction attempts
If suspicious activity is detected, HL Gaming may revoke access, blacklist accounts, or escalate to legal authorities.
5. SAFE HARBOR AND LEGAL BOUNDARIES
HL Gaming provides safe harbor protection only if you follow all the rules.
Researchers are protected if:
-
Testing remains within the defined scope
-
No exploitation occurs beyond minimal confirmation
-
No data is leaked, posted, or sold
-
Reporting is done responsibly through official channels
-
No harmful intent or damage occurs
HL Gaming reserves the right to pursue legal action for:
-
Unauthorized disclosure
-
Attempts to exploit or profit illegally
-
Intentional system damage
-
Data theft or distribution
-
Any malicious or irresponsible activity
Severe violations, particularly those resulting in data leaks, may trigger court filings and cooperation with cybersecurity authorities.
6. REPORT SUBMISSION – COMPLETE PROCESS
All reports must begin with submission through the official Bug Bounty Center:
https://www.hlgamingofficial.com/p/bug-bounty-center.html
Upon submission, you will receive a Bug Bounty Token ID.
6.1 Required Structure
The report must include:
-
Report Title
-
In-scope target affected
-
Full technical description
-
Reproduction steps with clear sequences
-
Behavioural results and expected outcomes
-
Proof-of-Concept evidence (logs, screenshots, videos, cURL requests)
-
Impact analysis describing how HL Gaming operations/users are affected
-
Suggested fix (preferred but optional)
-
Bounty Token ID
-
Researcher Information
6.2 Researcher Information Must Include
-
Full legal name
-
Country
-
HL Gaming account email
-
Email used for sending the report (must match account email)
-
Social profile (LinkedIn, GitHub, website)
-
Summary of your cybersecurity experience (optional but encouraged)
6.3 Email Requirement
After submitting through the website, you must send a complete email report to:
Only reports sent from the same Gmail address used for your HL Gaming account will be processed.
6.4 Submission Rules
Your report will be rejected if:
-
It is a duplicate already reported earlier
-
It is not reproducible
-
It lacks detailed supporting evidence
-
It targets out-of-scope systems
-
You fail to obtain authorization for sensitive system testing
-
You spam support asking for updates
-
You use multiple email identities
-
You attempt to manipulate severity or reward
HL Gaming has full right to accept or reject any submission.
7. SEVERITY CLASSIFICATION AND REWARD STRUCTURE
Rewards are based on severity, originality, and quality of explanation.
| Severity Level | Description | Reward (USD) |
|---|---|---|
| Low | Informational issues, UI bugs, HTTP header leaks | 1–5 |
| Medium | Logic errors, minor misconfigurations | 10–20 |
| High | Unauthorized access, token exposure, sensitive leaks | 25–40 |
| Critical | RCE, full auth bypass, account takeover | Up to 50 |
All final severity decisions are made solely by the HL Gaming Security Team.
Their judgment is final and cannot be disputed or appealed.
8. PAYMENT PROCESS AND CONDITIONS
8.1 Payment Method
-
International participants: Crypto wallets (Binance preferred)
-
Pakistani participants: Choice between
-
HL Coins (HL Gaming platform currency), or
-
Crypto wallet
-
Payments are processed within 14 business days after validation.
8.2 Rejection and Disqualification
HL Gaming reserves the right to reject rewards due to:
-
Duplicate issues
-
Known vulnerabilities
-
Out-of-scope targets
-
Unauthorized testing
-
Missing proof-of-concept
-
Incomplete or unclear explanation
-
Submission spam
-
Malicious behavior
-
Violations of disclosure policy
HL Gaming may reject a report at any time, with or without notice.
9. CONFIDENTIALITY AND DISCLOSURE RESTRICTIONS
All vulnerability information is strictly confidential.
Researchers must not:
-
Publish findings
-
Post on social media
-
Submit CVE IDs
-
Produce articles, videos, or blogs
-
Share the vulnerability with third parties
Violation results in:
-
Permanent ban
-
Bounty removal
-
Legal action
-
Possible civil or criminal prosecution (depending on severity)
HL Gaming alone determines the timeline and method of public disclosure, if any.
10. PROGRAM MODIFICATIONS AND TERMINATION
HL Gaming maintains the right to:
-
Update any rule
-
Change reward structures
-
Suspend or terminate the entire program
-
Modify scope or eligibility
-
Decline participation to any individual
All changes are effective immediately once published on the HL Gaming website.
Continued participation indicates full acceptance of modifications.
11. FINAL LEGAL CLAUSES AND AUTHORITIES
-
HL Gaming’s decisions in all matters are final.
-
Severity and reward judgments cannot be appealed.
-
HL Gaming may deny any submission without explanation.
-
All disputes will be handled exclusively under applicable legal jurisdiction.
-
Participants must retain communication logs and submission evidence.
HL Gaming reserves the right to enforce all terms strictly and take action against any violation, whether intentional or accidental.
12. CONCLUSION, FINAL DECLARATIONS, AND POLICY MAINTENANCE RECORD
This Bug Bounty Program serves as the definitive and authoritative guide governing all vulnerability testing, reporting procedures, researcher responsibilities, reward eligibility, and legal boundaries within the HL Gaming ecosystem. All individuals participating in this program are required to review the policy in its entirety and ensure full compliance with each section, rule, and guideline before initiating any form of security research.
HL Gaming emphasizes that this program is not a guarantee of participation acceptance nor a guarantee of reward. Instead, it is a structured framework that allows qualified researchers to responsibly contribute to the security posture of HL Gaming while adhering to strict ethical, legal, and procedural expectations. All participants must demonstrate professionalism, respect for system integrity, and complete avoidance of any harmful or unauthorized actions.
Researchers are responsible for:
-
Understanding all scope limitations and boundaries.
-
Following mandatory pre-authorization requirements when dealing with sensitive areas such as authentication systems, financial modules, recovery flows, administrative endpoints, or any high-impact security surfaces.
-
Maintaining confidentiality of any discovered information and avoiding any manner of improper disclosure.
-
Submitting clear, evidence-based, reproducible reports following the official procedure and using only approved HL Gaming communication channels.
-
Ensuring that all testing is performed in a manner that does not cause disruption, harm, or risk to users, services, or HL Gaming infrastructure.
HL Gaming reserves full authority to enforce these rules, interpret the policy, determine eligibility for rewards, and take corrective action as needed, including withholding rewards, rejecting submissions, terminating program participation, or pursuing legal measures in cases involving malicious or irresponsible conduct.
This policy is intended to evolve as HL Gaming expands its platform, enhances its security posture, and introduces new applications, features, and systems. Researchers should therefore periodically review the policy to ensure they remain aligned with the most recent version and updated guidelines.
13. POLICY VERSIONING AND UPDATE INFORMATION
This Bug Bounty Policy undergoes periodic review and updates to ensure alignment with current security standards, operational requirements, and platform developments. All updates are formally reviewed and approved by the HL Gaming Security Team.
Last Updated:
Friday, 14 November 2025 11:16 am (GMT+5)
Updated By:
HL Gaming Security Team
-
Haroon Brokha (Founder)
-
+ 2 Additional Senior Security Engineers (Names withheld for internal confidentiality)
All future revisions will include update timestamps and the responsible update personnel. Participants are encouraged to revisit this page regularly to stay informed of new amendments or expanded requirements. Continued participation in the program after an update signifies full agreement to the revised policy.
Welcome to the discussion! We value thoughtful, respectful conversations. Feel free to share your insights or ask questions — your voice matters here.