Rummy Bo Games

Rummy Bo – Vulnerability Disclosure Program

We at Mobile Premier League (Rummy Bo) are committed to giving our users a safe and secure playing experience. Our app goes through multiple levels of internal security checks before it is released to users.

We at Rummy Bo believe that our users' security is the most important thing, and we do not compromise on it in any way. We take the security of our users very seriously and strive to investigate and resolve all reported vulnerabilities and exploits. If you believe you have discovered a potential security vulnerability in the Rummy Bo Gaming Platform, we appreciate your help in disclosing the issue to us responsibly. We try to be as transparent as possible about our security efforts so that you can stay informed and take action when needed.

Rummy Bo has always been a Security First Organisation. To ensure maximum security, we have the following security guidelines to safeguard our users:

  1. Do not share your OTP with anyone. Rummy Bo never asks users for an OTP.
  2. Rummy Bo Fairplay helps our users play the game organically, making sure no fraud is being committed against them.
  3. If we ever find that a user has been compromised in any way, Rummy Bo will investigate the case thoroughly.
  4. As per the Rummy Bo Fairplay policy, we block fraudsters whenever we see suspicious activity.
  5. Never respond to any emails or calls claiming to provide cash or hacks. Rummy Bo takes no responsibility for the consequences of doing so.
  6. Rummy Bo will never ask for sensitive information (such as credit card numbers, OTPs, bank account details or any personally identifiable information) via call or email.
  7. Our customer support can only be reached via the app. Please do not engage with phone numbers that claim to belong to our support team.

If you discover a bug, we appreciate your cooperation in responsibly investigating and reporting it to us so that we can address it as soon as possible.

Eligibility:

  • Must be at least 18 years of age.
  • Should not have any blackhat background or criminal cases linked to them.
  • Must not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to your participation in the Program.
  • Must be the first person to report.
  • Detailed Proof of Concept is required in order to be eligible for a reward.

General Rules – Do/Don’ts

  • Vulnerability found should be in the scope of this policy.
  • Any POC submitted should have a proper step-by-step guide to reproduce the issue.
  • Abuse of any vulnerability found shall be liable for legal penalties.
  • Do not launch Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.
  • Automated tools/Scripts which produce heavy traffic are prohibited.
  • Do not attempt to gain access to any other person’s account, data or personal information.
  • Use your real email address when reporting any vulnerability information to us.
  • Keep information about any vulnerabilities you have discovered confidential between yourself and Rummy Bo. The Researcher shall not publicly disclose the bug or vulnerability on any online or physical platform before it is fixed and prior written approval to publicly disclose has been obtained from Rummy Bo.
  • Do not use scanners or automated tools to find vulnerabilities.
  • Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
  • Zero-day vulnerabilities or recently disclosed CVEs will not be considered eligible until more than 90 days have passed since a patch became available.

Scope:

  1. Rummy Bo Pro Application – Android & iOS
  2. Rummy Bo: Fantasy Cricket & Rummy (PlayStore)
  3. Rummy Bo Originals – Carrom Champs & Pool Champs.
  4. Poker Web – poker.mpl.live

Note: Please download the Rummy Bo Pro Android app from our official website, Rummy Bo: Fantasy Cricket & Rummy from the Android Play Store, and the iOS app from the Apple App Store.

Rewards:

As a token of our gratitude for your assistance, we offer a reward for every report of an important security problem that was not yet known to us. The amount of the reward will be determined by us, based on the severity of the vulnerability and the quality of the report. Any rewards will be conditional on accepting our Responsible Disclosure Terms.

Out of Scope/Known Issues:

  1. HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  2. Fingerprinting / banner disclosure on common/public services.
  3. Disclosure of known public files or directories (e.g. robots.txt).
  4. TapJacking/Clickjacking and issues only exploitable through TapJacking/Clickjacking.
  5. Social engineering of our service desk, employees or contractors.
  6. Missing HTTP security headers (see https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
    1. Strict-Transport-Security
    2. X-Frame-Options
    3. X-XSS-Protection
    4. X-Content-Type-Options
    5. Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
    6. Content-Security-Policy-Report-Only
  7. SPF / DMARC / DKIM Mail and Domain findings.
  8. Email rate limiting or spamming.
  9. SSL Issues, e.g.
    1. SSL Attacks such as BEAST, BREACH, Renegotiation attack
    2. SSL Forward secrecy not enabled
    3. SSL weak/insecure cipher suites
  10. Non-application layer Denial of Service or DDoS.
  11. Cookie issues, e.g.
    1. HTTPONLY
    2. SECURE
    3. multiple cookie setting
    4. Anything to do with JSESSIONID
  12. CSRF on forms that are available to anonymous users (e.g. login or contact form).
  13. Logout / Login Cross-Site Request Forgery (logout CSRF).
  14. Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  15. Error messages with non-sensitive data.

Focus Area:
1. Steal, Cheat & Lie! Can you get cash without playing the games? Can you alter the game state to win? Can you post outrageous scores? Even something that just gives you an unfair advantage would be good to find.

2. Target other players on the platform. Personally Identifiable Information of other players could be a P2 or even a P1 if there is enough of it. Can you take over accounts? Can you dump user data?

Hall of Fame
Our Hall of Fame page recognizes the contributions of reporters who have demonstrated a high level of dedication to our program.
Acceptance requires multiple valid reports and remains at the discretion of our team.

How will we respond?

If you report a security vulnerability relating to any of our scope specified above, we will treat your inquiry as follows.

  • We will confirm receipt of your report within two business days.
  • We will send you our response within five business days from the confirmation of receipt, setting out our assessment of the issue and the expected resolution date. In some special circumstances, we reserve the right to extend this period by giving appropriate notice.
  • We will respect your privacy and keep your identity confidential unless you permit otherwise, and we expect you to do the same.

How to Report

Submission Form

Terms & Conditions

Contact Us:

Feel free to write to us if you have any suggestions/queries.
Email: [email protected]

Disclaimer

This game may be habit-forming or financially risky. Play Responsibly.

Galactus Funware is the owner of, and reserves all rights to the assets, content, services, information, and products and graphics in the website except any third party content.

Galactus Funware makes no representation as to the accuracy, completeness, reliability or adequacy of the website's third-party content. The content, materials, information, services and products on this website, including text, graphics and links, are provided "AS IS" and without warranties of any kind, whether expressed or implied.

*Rummy Bo is the biggest gaming app in India based on the number of unity games, special tournaments and formats. Rummy Bo is available only to people above 18 years of age. Rummy Bo is available in all states where permissible by extant law. Consequently, users located in some states may not be able to access our App or its contests. For an updated list of such states, please download the App