Security: CorporateClash/public

Security policy

Activities conducted in a manner consistent with this policy will be considered as "authorized access" under USC § 1030 to test our servers for security issues and vulnerabilities.

Disclosure Policy

  • Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
  • If you do come into contact with other users' data, you must make a good faith effort to (A) not disclose this information to anyone else, and (B) delete it from any caches, history files, or temporary files that might contain the user data.

Exclusions

While researching, refrain from:

  • Request flooding (including denial-of-service/distributed denial-of-service)
  • Spamming
  • Social engineering (including phishing) of Corporate Clash staff or volunteers
  • Any physical attempts against Corporate Clash property or data centers
  • Using automated tools or scanners

Scope

  • The domain corporateclash.net and any subdomains
  • Cloudflare configuration/firewall bypasses (except exposed Origin IP)
  • In-game hacks that directly deal with netcode, astron, or injectors (no gameplay exploits)

Reward

Valid security reports help ensure Toontown: Corporate Clash remains a safe environment for everyone. For security reports of particular importance, you might be gifted in-game items, currency, or similar. This reward is NOT guaranteed; it will be issued at the sole discretion of Corporate Clash Leadership, and will be non-transferable (we may remove the item(s) if we have discovered a breach of our TOS, e.g. account-selling or selling the item code itself).

Weakness

If possible, it is recommended to provide a CWE and/or CVSS v3 score.

Disclosure procedure

If possible, compose your findings in PDF, Google Docs, or Google Slides format and send via email to [email protected].
