Security
Hypixel Studios Bug Bounty Program
Welcome to the Hypixel Studios Bug Bounty program! The security and privacy of our users are extremely important to us. In addition to our own internal teams working to keep you and your data safe, this program enables players and the security research community to help us quickly repair security problems by reporting vulnerabilities.
Please read this page in its entirety before submitting a report! If you have any questions or need further clarification you can reach out to our team at [email protected].
If we can validate that the reported issue qualifies for a bounty, we’ll triage it and keep you up to date about the progress towards resolution.
Program Rules
- Reports MUST be sent to [email protected]
- All reports must be submitted with clear reproduction steps
- You agree to disclose this report only to Hypixel Studios Canada Inc. and not publicly disclose the vulnerability until we have had reasonable time to address it
- Testing must be done through your own accounts
- Other accounts should not be accessed or used without the owner's explicit consent
- Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including denial of service)
- Only persons 18+ may collect bounties on bugs/vulnerabilities
Duplicate Reports
We handle duplicate reports as follows:
- Only the first valid report of a vulnerability is eligible for a bounty
- Duplicate reports will be acknowledged but will not receive a reward
- If multiple reports are received simultaneously, the earliest timestamp determines priority
- Reports that provide additional context or impact for a known issue may receive partial credit at our discretion
- We will notify you if your report is a duplicate of a previously submitted issue
How to structure your report
Please include the following information in your report to help us triage and respond quickly:
- Contact Details - Your name, email address, and preferred contact method
- Vulnerability Type - Category of the vulnerability (e.g., XSS, SQL Injection, RCE, Authentication Bypass, etc.)
- Affected Asset - Which system or tier is affected (see Scope section)
- Description - Technical details of the vulnerability and its root cause. The intended audience is technical, so please be thorough.
- Location - Where is the vulnerability located? Include relevant details such as: URL/endpoint, file path, line of code, exposed port, or API route.
- Reproduction Steps - Clear, numbered steps to reproduce the issue. These are critical for validation and fixing.
- Proof of Concept - Screenshots, videos, or code demonstrating the vulnerability. Do not perform destructive actions or access data beyond what is necessary to prove the issue.
- Impact Assessment - Describe what an attacker could achieve by exploiting this vulnerability.
- Suggested Remediation (Optional) - If you have recommendations for fixing the issue, we welcome them.
Important: If you inadvertently encounter player data, do not view, alter, save, store, transfer, or otherwise access the data. Immediately purge any local information and notify us in your report.
Exclusions
The following are explicitly out of scope and will not qualify for a bounty:
- Denial of Service (DoS/DDoS) attacks
- Brute forcing or credential stuffing
- Spam or social engineering attacks
- Reports that do not pose any security risk
- Account or email enumeration
- Email SPF, DKIM, and DMARC configuration issues
- Self-exploitation (vulnerabilities only exploitable by the victim)
- Game exploits or cheats that do not affect server security
- Gameplay balance issues
- Bugs in user-generated content or mods
- Rate limiting or throttling issues
- Missing security headers without demonstrated security impact
- Clickjacking on pages with no sensitive actions
- CSRF on logout or non-state-changing operations
- Vulnerabilities requiring physical access to a device
- Tebex payment platform issues (report directly to Tebex)
- Vulnerabilities in third-party dependencies without a working proof of concept
Scope
The following assets are in scope for this bug bounty program. Vulnerability severity is determined by the impact of the issue (see Severity Classification below), not by which asset is affected.
If you believe you have found a vulnerability in a Hytale or Hypixel Studios asset not listed here, please contact us at [email protected] before testing to confirm whether it is in scope.
In-Scope Assets
| Category | Asset | Description |
|---|---|---|
| Game & Desktop | Hytale Game Client (C#) | Desktop game client |
| Game & Desktop | Hytale Game Server (Java) | Official server software and hosted servers |
| Game & Desktop | Hytale Launcher (Go/Vue) | Desktop launcher/patcher application |
| Web Properties | accounts.hytale.com | Authentication and account management |
| Web Properties | store.hytale.com | Store frontend (Tebex payments excluded) |
| Web Properties | hytale.com | Main website |
| APIs & Services | Public APIs | Auth, Accounts, Skins, Game Services, Store APIs |
| APIs & Services | 3rd Party Integrations | OAuth, social logins (Hytale-side issues only) |
| Development | Dev Environments | arcanitegames.ca, hytale.dev |
Out of Scope Assets
- Tebex payment processing infrastructure
- Third-party services like Cloudflare and Google Cloud (report directly to the vendor)
- Community-hosted game servers (unless the exploit lives within the base Hytale server)
- User-generated content and mods
Severity Classification
We use CVSS 3.1 (Common Vulnerability Scoring System) to assess vulnerability severity. The final severity rating considers both the technical impact and the context of the affected asset.
| Severity | CVSS Score | Example |
|---|---|---|
| Critical | 9.0 - 10.0 | Unauthenticated RCE, mass data breach, full account takeover |
| High | 7.0 - 8.9 | Authenticated RCE, stored XSS on auth pages, SSRF with internal access |
| Medium | 4.0 - 6.9 | Reflected XSS, limited IDOR, CSRF on non-critical actions |
| Low | 0.1 - 3.9 | Verbose errors, minor info leakage, theoretical issues |
Note: Final severity may be adjusted based on the specific context, affected asset, and potential business impact. We reserve the right to make the final determination on severity classification.
Safe Harbor
When conducting security research in accordance with this policy, we consider your research to be:
- Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms of Service and Acceptable Use Policy that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy;
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws. If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through [email protected] before going any further.
Legal Protections
We will not pursue civil action or initiate a complaint to law enforcement for security research activities that we determine, in our sole discretion, represent a good faith effort to comply with this policy. We consider activities conducted consistent with this policy to constitute "authorized" conduct under the Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA), and equivalent international laws.
If legal action is initiated by a third party against you for activities that were conducted in compliance with this policy, Hypixel Studios Canada Inc. will take steps to make it known that your actions were conducted in accordance with this policy, which may include providing a statement to the court or relevant authorities.
Hypixel Studios Canada Inc. reserves the right to make the final determination on whether a submission qualifies under this policy and the validity of any reported vulnerability.
Rewards & Payout
You are responsible for paying any taxes associated with rewards. We may modify the terms of this program or terminate this program at any time. We won't apply any changes we make to these program terms retroactively. Reports from individuals who we are prohibited by law from paying are ineligible for rewards. Hypixel Studios Canada Inc. staff and their family members are not eligible for bounties.