Security Policy
Last updated: April 2026
We take the security of SolGun seriously and welcome reports from independent researchers.
If you have discovered a vulnerability that affects SolGun — the website, the matchmaking server, or the on-chain escrow program — please report it through one of the channels below. We commit to acknowledging your report within 72 hours and to working with you in good faith toward a coordinated fix.
How to Report
Please send your report via any of the following channels. Email is preferred for technical detail; encrypted communication can be arranged on request.
A copy of the machine-readable contact metadata is published at /.well-known/security.txt in conformance with RFC 9116.
What to Include
A high-quality report helps us validate and remediate quickly. Where possible, please include:
- A clear description of the vulnerability and its impact.
- Step-by-step instructions or a proof-of-concept that reproduces the issue.
- The exact URL, transaction signature, program ID, or endpoint affected.
- Any logs, screenshots, or transaction inspections relevant to the finding.
- Your preferred name or handle for credit (optional — anonymous reports are accepted).
Scope
The following surfaces are explicitly in scope for security reports:
- https://solgun.gg and all subdomains.
- The SolGun matchmaking WebSocket server and its public REST endpoints.
- The on-chain escrow program on Solana mainnet-beta (Program ID: 6ikt9m5HucYgej3yGDrzti5zjJnRr5k91VqGkjYQqtRF).
Out of Scope
The following are not within our control or are excluded from the program:
- Third-party wallets (Phantom, Solflare, Backpack, etc.).
- Solana RPC providers and the underlying blockchain infrastructure.
- Volumetric denial-of-service attacks and rate-limit bypasses without security impact.
- Findings produced solely by automated scanners with no demonstrated exploit path.
- Self-XSS, social engineering of SolGun staff or players, and physical attacks.
- Reports about software, libraries, or dependencies maintained by third parties — please report those upstream.
Coordinated Disclosure
We ask that you give us a reasonable window to investigate and remediate before publicly disclosing the issue. Our default disclosure window is 90 days from the date of your initial report; we may request an extension for findings that require coordinated upgrades on third-party infrastructure (for example, on-chain program redeployment).
During the disclosure window we will:
- Acknowledge your report within 72 hours.
- Provide a triage assessment within 7 days.
- Keep you informed of our progress at reasonable intervals.
- Credit you in our release notes if you wish, after the fix is deployed.
Please do not disclose the vulnerability publicly, share it with third parties, or exploit it beyond what is necessary to demonstrate the issue.
Safe Harbor
Security research conducted in good faith and consistent with this policy is authorized. We will not pursue legal action against researchers who:
- Make a good-faith effort to avoid privacy violations, service disruption, and destruction or alteration of data.
- Use only their own accounts or wallets for testing, never the data or funds of other players.
- Stop testing as soon as a vulnerability is confirmed and report it promptly.
- Do not publicly disclose the issue before the agreed-upon disclosure window has ended.
- Comply with all applicable laws.
If a third party initiates legal action against you for activities conducted in compliance with this policy, we will take steps to make it known that your actions were authorized.
Rewards
SolGun does not currently operate a formal paid bug bounty program. We may, at our discretion, offer rewards in SOL or other recognition for high-impact findings. Eligibility, severity, and amount are decided case-by-case based on the nature of the issue and the quality of the report.
Final Note
Independent security research makes SolGun safer for every player. Thank you for taking the time to report responsibly.