Leagues.Fun Bug Bounty Program
Operated by Takario Labs Inc ("Takario Labs", "we", "our", "us").
Purpose
Encourage responsible disclosure of security vulnerabilities that could affect the confidentiality, integrity, or availability of Leagues.Fun services and user data.
Who’s Eligible
To be eligible for recognition or a reward:
- You must be the first to report the specific vulnerability.
- The issue must be previously unknown and not already public.
- You must follow the responsible disclosure process (below).
- You must not exploit the issue beyond what’s necessary to demonstrate it.
Reward Framework
Rewards are offered at the discretion of Takario Labs and are commensurate with the severity and impact of the validated vulnerability. Severity tiers we assess include:
- Critical - Vulnerabilities allowing full system compromise, large-scale data exposure, or other catastrophic impact.
- High - Issues enabling significant account compromise, major data access, or serious integrity issues.
- Medium - Vulnerabilities with notable impact but limited scope or easier to mitigate.
- Low - Minor issues or findings with small impact or straightforward remediation.
Takario Labs determines reward levels based on impact, exploitability, affected user scope, and effort required to remediate. Rewards may be provided in fiat, cryptocurrency, or other forms, as determined by Takario Labs. Rewards are subject to validation, legal checks, and applicable compliance requirements.
Bonus: If the researcher agrees to delay public disclosure for a minimum period (e.g., 90 days) or until the issue is remediated, a discretionary bonus (expressed as a percentage) may be applied to the reward.
Responsible Disclosure Process
- Report the vulnerability to security@leagues.fun.
- We will acknowledge receipt within 72 hours.
- Leagues.Fun and the researcher will collaborate to validate the issue.
- Once validated, Leagues.Fun will remediate the issue; the researcher may be credited publicly with consent.
- Reward distribution (if applicable) will occur after validation and any required compliance checks (e.g., identity verification). Timing is subject to validation and compliance completion.
Please include the following in your report where possible: clear summary, steps to reproduce, impact assessment, test account details (if required), and PoC or exploit code limited to demonstrating the issue.
Out-of-Scope (no reward)
The following classes of activity are excluded from rewards or recognition:
- Social engineering (phishing employees or customers).
- DDoS or volumetric attacks that may degrade or disrupt service.
- Physical attacks or attempts against Takario Labs facilities or hardware (unless explicitly authorized).
- Vulnerabilities in third-party services or components not under our control (we may coordinate with vendors but will not reward these findings).
- Attacks that require physical access to a device unless the device is explicitly in-scope and authorized.
- Issues that require disabling standard protections to reproduce (e.g., turning off certificate validation or pinning so that traffic can be intercepted via MITM).
- Problems limited to obsolete or unsupported browsers/OS versions, unless they present a material impact.
- Missing best-practice configs (e.g., minor TLS/HTTP header flags, SPF/DKIM/DMARC, Content Security Policy) unless the issue demonstrates a significant real-world impact.
- Clickjacking/CSRF on unauthenticated pages with no sensitive actions, open redirects, content spoofing, self-XSS, CSV/text-injection, and software version disclosures - unless a concrete, significant impact can be demonstrated.
- Reports without reproducible evidence or actual exploitable impact (perceived weaknesses without a PoC).
- Any activity that intentionally breaks or degrades our service in production as part of testing.
Note: Any activity that could cause service disruption, data deletion, or unlawful access is strictly prohibited. If your testing might cause harm, please check with us first.
Legal Safe Harbor
Takario Labs will not initiate legal action against researchers who:
- Act in good faith and follow this policy;
- Avoid privacy violations, data destruction, or service disruption; and
- Do not profit from or publicly disclose exploit details before remediation without our consent.
Safe harbor is conditional and limited to activities explicitly conducted under and in compliance with this policy. Takario Labs reserves the right to investigate and take action for activity that falls outside the scope or that violates laws or third-party rights.
Responsible Testing Guidelines
- Test only systems and assets you are explicitly authorized to test.
- Do not access, copy, or alter user data beyond what’s required to demonstrate the issue.
- Use test accounts where possible; avoid impacting real users.
- Preserve evidence and logs for coordination with our security team.
- Follow applicable laws and privacy best practices in your jurisdiction.
Contact
Report issues to: security@leagues.fun
Please include a reasonable PoC and impact description.
Disclaimer
- Takario Labs reserves the right to determine eligibility, reward amounts, and whether to publicly credit researchers.
- By submitting a report, you agree to these terms and confirm that you are not acting on behalf of a sanctioned or restricted party.
- Residents in jurisdictions restricted from participating in our platform may not be eligible for rewards; reward eligibility is subject to applicable laws and compliance checks.