Kordu

Our Security Commitment

The security and privacy of our players are extremely important to us. This program enables the security research community to help us identify and resolve vulnerabilities responsibly. We appreciate your efforts in keeping our community safe.

Please read this page in its entirety before submitting a report. If you have questions, reach out to security@kordu.gg.

Program Rules

Reports MUST be sent to security@kordu.gg
All reports must include clear reproduction steps
You agree not to publicly disclose vulnerabilities until we have addressed them
Testing must be done through your own accounts only
Do not access or modify other users' accounts or data without explicit consent
Act in good faith - avoid privacy violations, data destruction, or service disruption

Duplicate Reports

We handle duplicate reports as follows:

Only the first valid report of a vulnerability will be actioned
Duplicate reports will be acknowledged
If multiple reports arrive simultaneously, the earliest timestamp takes priority

How to Structure Your Report

To help us triage and respond quickly, please include:

Contact Details - Your name, email, and preferred contact method
Vulnerability Type - Category (e.g., XSS, SQL Injection, RCE, Auth Bypass)
Affected Asset - Which system is affected (see Scope section)
Description - Technical details and root cause analysis
Location - URL/endpoint, file path, API route, or exposed port
Reproduction Steps - Clear, numbered steps to reproduce the issue
Proof of Concept - Screenshots, videos, or code demonstrating the vulnerability
Impact Assessment - What an attacker could achieve by exploiting this
Suggested Remediation (Optional) - Your recommendations for fixing the issue

Important: If you inadvertently encounter player data, do not view, alter, save, store, or transfer it. Immediately purge any local information and notify us in your report.

Scope

The following assets are in scope for this program. Vulnerability severity is determined by impact, not by which asset is affected.

In-Scope Assets

Category	Asset	Description
Web Properties	kordu.gg	Main website and dashboard
	kordu.co.uk / kordu.net / kordu.uk	Domain aliases
	justified.co	Community hub
	darkrp.uk	DarkRP community site
Authentication	OAuth Integrations	Steam, Discord login (KORDU-side only)
Authentication	Session Management	Authentication tokens and cookies
Game Servers	All KORDU Servers	All game servers operated by KORDU LTD
Game Servers	Server APIs	In-game data sync and reporting
Game Exploits	Server Crashes	Exploits that crash or freeze servers
	Duplication Exploits	Item/money duplication bugs
	Economy Exploits	Money exploits, infinite cash, etc.
	Lag/Performance	Exploits causing severe lag for all players

Out of Scope

Third-party payment processors (Tebex, PayPal, Stripe)
Third-party infrastructure (Cloudflare CDN, Cloudflare R2, Cloudflare Turnstile)
Community-hosted game servers (unless the exploit exists in base server code)
User-generated content and addons
Social engineering attacks against staff or players

Exclusions

The following types of reports are out of scope:

Denial of Service (DoS/DDoS) attacks against infrastructure
Brute forcing or credential stuffing
Spam or social engineering attacks
Reports that do not pose any security or gameplay risk
Account or email enumeration
Email SPF, DKIM, and DMARC configuration issues
Self-exploitation (vulnerabilities only exploitable by the victim)
Minor visual glitches or cosmetic bugs
Gameplay balance suggestions (not exploits)
Rate limiting or throttling issues
Missing security headers without demonstrated impact
Clickjacking on pages with no sensitive actions
CSRF on logout or non-state-changing operations
Vulnerabilities requiring physical access to a device

Game exploits ARE in scope: Server crashes, item/money duplication, economy exploits, and severe lag exploits should be reported. We want to know about anything that harms the player experience.

Severity Classification

We use CVSS 3.1 (Common Vulnerability Scoring System) to assess severity. Final ratings consider both technical impact and business context.

Severity	CVSS Score	Example
critical	9.0 - 10.0	Unauthenticated RCE, mass data breach, full account takeover
high	7.0 - 8.9	Authenticated RCE, stored XSS on auth pages, SSRF with internal access
medium	4.0 - 6.9	Reflected XSS, limited IDOR, CSRF on non-critical actions
low	0.1 - 3.9	Verbose errors, minor info disclosure, theoretical issues

Note: Final severity may be adjusted based on specific context, affected asset, and potential business impact. We reserve the right to make final determinations on severity classification.

Technical Security Measures

We implement industry-standard practices to protect your data:

Encryption

All data in transit encrypted with TLS 1.3
Sensitive data at rest encrypted with AES-256
Passwords hashed using Argon2id
API keys and secrets stored in secure vaults

Infrastructure

DDoS protection via Cloudflare
Web Application Firewall (WAF) for attack prevention
Regular security patches and updates
Isolated network environments
Automated encrypted backup systems

Access Control

Role-based access control (RBAC)
Multi-factor authentication for staff
Principle of least privilege
Regular access audits and reviews

Safe Harbor

When conducting security research in accordance with this policy, we consider your research to be:

Authorized concerning applicable anti-hacking laws - we will not initiate legal action for good faith violations
Authorized concerning anti-circumvention laws - we will not bring claims for circumventing technology controls
Exempt from restrictions in our Terms of Service that would interfere with security research
Lawful, helpful to overall security, and conducted in good faith

If at any time you're uncertain whether your research is consistent with this policy, contact security@kordu.gg before proceeding.

Legal Protections

We will not pursue civil action or initiate complaints to law enforcement for security research that represents a good faith effort to comply with this policy. We consider compliant activities to be “authorized” under the Computer Misuse Act 1990 (UK) and equivalent international laws.

If legal action is initiated by a third party against you for compliant activities, KORDU LTD will take steps to make known that your actions were conducted in accordance with this policy.

KORDU LTD reserves the right to make final determinations on whether submissions qualify under this policy.

Account Security Features

We provide tools to help you secure your account:

Two-factor authentication (2FA) via authenticator apps
Login notifications for new devices
Session management - view and revoke active sessions
Secure password requirements
Account recovery with identity verification

Enable 2FA! Two-factor authentication significantly reduces the risk of unauthorized access. Enable it in your account settings.

Incident Response

In the event of a security incident affecting user data:

Contain and assess the incident immediately
Notify affected users within 72 hours
Report to relevant authorities as required by GDPR
Conduct thorough investigation
Implement measures to prevent recurrence
Publish post-incident report when appropriate

Acknowledgement

We appreciate the security research community's efforts in helping us keep our platform safe. While we do not offer monetary rewards, valid vulnerability reports may receive:

Public acknowledgement on our security page (with your permission)
A thank-you message from the KORDU team
Priority consideration for future community roles

We may modify or terminate this program at any time. KORDU LTD staff and family members are not eligible for acknowledgement.

Contact

For security inquiries or to submit a vulnerability report:

KORDU LTD - Security Team

First Floor Office, 3 Hornton Place

London, W8 4LZ

United Kingdom

security@kordu.gg

Company Registration: 16836154