Security Disclosure Policy

Last updated: January 2026 — Version 2.0

SecDim greatly appreciates investigative work into security vulnerabilities carried out by well-intentioned, ethical security researchers. We follow the practice of responsible disclosure in order to best protect SecDim’s user-base from the impact of security issues. On our side, this means:

  • We will respond to security reports as a priority.

  • We will fix the issue as soon as is practical, keeping in mind that not all risks are created equal.

  • We will always transparently let the community know about any incident that affects them.

Safe Harbor

SecDim will not pursue legal action against researchers who discover and report security vulnerabilities in accordance with this policy. We consider security research conducted under this policy to be authorised and undertaken in good faith. We will not initiate or recommend legal action related to such research, and if a third party initiates legal action against a researcher who has complied with this policy, we will make clear that the research was conducted with our authorisation.

This safe harbor applies provided the researcher does not violate the prohibited actions listed in this policy and does not exploit the vulnerability beyond what is necessary to demonstrate the issue.

How to Report a Vulnerability

If you have found a security vulnerability in SecDim, please disclose it responsibly by emailing security@secdim.com. Optionally, if you want to encrypt your email, you can use our PGP key. Please do not discuss potential vulnerabilities in public without validating with us first.

Your email subject line must use the following format exactly:

[SECDIM-VDP] <brief description>

For example: [SECDIM-VDP] Stored XSS on learn.secdim.com profile page

Emails that do not include [SECDIM-VDP] in the subject line will not receive a reply. This helps us identify genuine reports and filter out automated spam.

To help us triage and fix the issue quickly, please also include the following in your report:

  • Description: A clear description of the vulnerability and its potential impact.

  • Steps to reproduce: A detailed, step-by-step walkthrough so we can reliably reproduce the issue.

  • Proof of concept: Screenshots, a video recording, or a working PoC demonstrating the vulnerability.

  • Affected asset: The URL, endpoint, or component where the vulnerability exists.

  • Estimated severity: Your assessment of the impact (Critical / High / Medium / Low).

  • Your name or handle: For Hall of Fame credit, if you wish to be recognised.

Our Response Commitments

On receipt of your report, the security team will:

  • Acknowledge your report within 24-48 hours. Emails that do not follow the formatting specified above will not receive a reply.

  • Confirm or request clarification on the vulnerability within 5 business days.

  • Target remediation within 90 days for critical issues and 120 days for complex issues. We will communicate any delays in advance.

  • Notify you once the issue has been resolved, at which point you are welcome to disclose publicly.

If we cannot resolve a reported vulnerability within the agreed timeline, we will negotiate a disclosure date with you in good faith. We will not ask you to indefinitely withhold disclosure.

SecDim does not ordinarily provide bug bounties; however, we maintain a Hall of Fame to recognise those who have responsibly disclosed security issues to us.

Scope

In-scope domains:

  • id.secdim.com — Identity and authentication

  • game.secdim.com — Play environment

  • play.secdim.com — Play platform

  • learn.secdim.com — Learning platform

  • discuss.secdim.com — Community discussion

All other SecDim-owned or operated domains and services are out of scope unless explicitly agreed in writing.

Out-of-scope vulnerability types:

The following will generally not be accepted as valid reports:

  • Self-XSS that requires the victim to execute code themselves.

  • Clickjacking on pages without sensitive actions.

  • Missing security headers (e.g. HSTS, CSP) without a demonstrated exploitable impact.

  • Rate limiting on non-security-critical endpoints.

  • Theoretical vulnerabilities without a working proof of concept.

  • Vulnerabilities in third-party services or libraries that are not within SecDim’s control.

  • Social engineering or phishing of SecDim staff or users.

  • Physical security attacks.

  • Reports from automated scanners submitted without manual validation.

Performing Your Research

In performing your security research you must follow these guidelines:

  • Only test against accounts and data that you own. If you are attempting to find an authorisation bypass, you must use two accounts that you control.

  • We recommend creating a dedicated test account by adding .hacker to your email address (e.g. you.hacker@example.com) for any account used for security research.

  • Do not access, modify, exfiltrate, or retain data belonging to other users. Only interact with data to the minimum extent necessary to demonstrate the vulnerability.

  • Do not perform or attempt distributed denial-of-service (DDoS) attacks or any automated scanning that generates excessive traffic (e.g. thousands of requests per minute). Violations may result in your account being suspended and your IP address being banned.

  • If you believe you have inadvertently affected the availability or integrity of our services, stop immediately and notify us at security@secdim.com.

  • Do not destroy, corrupt, or alter any data or system configurations that are not your own.

  • Do not attempt to social engineer, phish, or otherwise manipulate SecDim staff, contractors, or other users.

  • Do not demand payment or make threats as a condition of reporting or withholding a vulnerability. Extortion will result in immediate referral to law enforcement.

Hall of Fame

We are grateful to the security researchers who have responsibly disclosed vulnerabilities to us. Be the first to appear here by submitting a valid report to security@secdim.com.