Security

Security Policy

We take security seriously. If you find a vulnerability, please tell us responsibly.

Reporting Vulnerabilities

If you discover a security vulnerability, please report it to us by email. Do not disclose it publicly until we have had a chance to investigate and issue a fix.

Security Emailsecurity@esport.is

Please include a clear description, steps to reproduce, and any relevant screenshots or proof-of-concept code. Encrypt sensitive reports with PGP if available.

Response Timeline

48 hoursAcknowledgment of your report

7 daysInitial severity assessment and response

30 daysTarget timeline for fix deployment (critical issues sooner)

Post-fixPublic disclosure coordinated with reporter

In Scope

esport.is main website and subdomains
API endpoints (/api/*)
Authentication and session handling
Data exposure or leakage
Cross-site scripting (XSS)
SQL/NoSQL injection
CSRF vulnerabilities
Server-side request forgery (SSRF)
Insecure direct object references

Out of Scope

Denial of service (DoS/DDoS) attacks
Social engineering attacks against staff
Physical security issues
Issues in third-party services we rely on (report to them directly)
Rate limiting / brute force on non-sensitive endpoints
Missing security headers with no demonstrable impact
Self-XSS that requires user to exploit themselves

Bug Bounty

We don't currently offer cash rewards, but we provide public recognition and a special badge for valid security reports that lead to a fix.

🔒 Security Researcher BadgeFor valid reports leading to a patch

Reporters who follow responsible disclosure will never face legal action for good-faith research.

Responsible Disclosure Policy

We follow a coordinated disclosure model. After reporting a vulnerability to us, please allow us our response timeline to investigate and deploy a fix before making any public disclosure.

We commit to: acknowledging your report promptly, keeping you informed of our progress, crediting you publicly (if you wish) once the issue is resolved, and never pursuing legal action against researchers acting in good faith.

We ask that you: act in good faith, avoid accessing user data beyond what is needed to demonstrate the issue, avoid disrupting services, and give us time to fix the issue before going public.

Report a Vulnerability Privacy Policy