🇬🇧 Join our AI wargame at Black Hat Europe 2024

Hero Section Top Decoration
Hero Section Bottom Decoration

Security Disclosure Policy

SecDim greatly appreciates investigative work into security vulnerabilities carried out by well-intentioned, ethical security researchers. We follow the practice of responsible disclosure in order to best protect SecDim’s user-base from the impact of security issues. On our side, this means:

  • We will respond to security incidents as a priority.

  • We will fix the issue as soon as is practical, keeping in mind that not all risks are created equal.

  • We will always transparently let the community know about any incident that affects them.

If you have found a security vulnerability in SecDim, we ask that you disclose it responsibly by emailing [email protected]. Optionally, if you want to encrypt your email, you can use our PGP key. Please do not discuss potential vulnerabilities in public without validating with us first.

On receipt the security team will:

  • Review the report, verify the vulnerability and respond with confirmation and/or further information requests; we typically reply within 24 hours.

  • Once the reported security bug has been addressed we will notify the Researcher, who is then welcome to optionally disclose publicly.

SecDim does not ordinarily provide bug bounties, however we maintain a Hall of Fame to recognise those who have responsibly disclosed security issues to us in the past.

Performing your research

In performing your security research you must follow the following guidelines:

  • In scope domains are: id.secdim.com, game.secdim.com play.secdim.com, learn.secdim.com, discuss.secdim.com. Other SecDim-owned domains are not allowed.

  • Do not affect other users with your testing. If you are attempting to find an authorisation bypass, you must use accounts that you own.

  • We recommend adding +hacker to your email address to any account that you use to perform security research and testing.

  • It is never allowed to perform distributed denial of service (DDoS), large scale vulnerability scanning, automated tool which produces excessive amount of traffic (e.g. sending 6k request in a minutes using Burp Suite). We may suspend your account and ban your IP address.

  • Researching denial-of-service attacks is allowed only if you stop immediately if you believe you have affected the availability of our services. Don't worry we will determine the impact.

Hall of Fame