Security & Vulnerability Disclosure

Last updated: May 3, 2026 · Machine-readable: /.well-known/security.txt

We appreciate coordinated disclosure of legitimate security issues affecting ImpactGuard infrastructure, the panel, APIs, or distributed plugin components.

How to Report

Email [email protected] with subject line beginning [SECURITY]. Include:

Description of the issue and affected component
Steps to reproduce (proof-of-concept where safe)
Potential impact assessment
Whether you believe the issue is publicly exploitable

Scope

In scope: vulnerabilities in our hosted services and officially distributed artifacts that meaningfully impact confidentiality, integrity, availability, or tenant isolation. Out of scope: generic CS2 game exploits without a clear ImpactGuard component, social engineering of end users, denial-of-service via volumetric traffic, or issues requiring physical access.

Rules of Engagement

Do not access, modify, or delete data belonging to others.
Do not disrupt production systems beyond what is necessary to demonstrate impact.
Allow us reasonable time to remediate before public discussion.

What to Expect

We aim to acknowledge reports within a few business days. Fix timelines depend on severity and complexity. We may coordinate public credit if you request it and the report is valid.

We do not operate a public bug bounty program with guaranteed payouts. This page describes process, not a contractual offer.

Status & Incidents

Operational status: status.impactguard.xyz

Governing Law

This disclosure page is informational. It does not create contractual remedies beyond what is stated in our Terms of Service (governing law: Republic of Bulgaria).