The security of our players and services is a top priority at GhostJam Games. If you’ve discovered a security vulnerability in any of our games, websites, or services, we appreciate your help in disclosing it responsibly.

Reporting a Vulnerability

Please report security vulnerabilities by emailing us at:

Include as much detail as possible:

  • A description of the vulnerability
  • Steps to reproduce the issue
  • The affected service, game, or URL
  • Any potential impact you’ve identified
  • Your contact information for follow-up

What to Expect

  • We will acknowledge receipt of your report within 72 hours
  • We will investigate and work to resolve confirmed vulnerabilities as quickly as possible
  • We will keep you informed of our progress where appropriate
  • We will credit you for the discovery if you’d like (let us know your preference)

Guidelines

We ask that you:

  • Do not access, modify, or delete other users’ data
  • Do not publicly disclose the vulnerability before we’ve had a reasonable opportunity to address it
  • Do not use the vulnerability to disrupt our services or degrade the experience for other players
  • Act in good faith and within the scope of this policy

Safe Harbor

We will not pursue legal action against individuals who report vulnerabilities in accordance with this policy. We consider good-faith security research conducted under this policy to be authorized.

Scope

This policy covers:

  • Our games (all platforms)
  • ghostjam.com and associated subdomains
  • Our backend services and APIs
  • Our CDN and infrastructure

This policy does not cover third-party services we use (Discord, Steam, etc.). Please report issues with those services directly to their respective security teams.

Out of Scope

The following are generally not considered security vulnerabilities:

  • Social engineering attacks against our staff or community
  • Denial of service (DoS/DDoS) attacks
  • Spam or phishing not originating from our infrastructure
  • Issues in third-party software or services we don’t control
  • Missing security headers that don’t lead to a demonstrable exploit