Skip to content

Security: SMOService/donyshke

SECURITY.md

Security policy

Reporting a vulnerability

If you discover a security issue in any of our services — the bot (@DianaShuryginaBot), the Mini App, the landing at shurygina.com, or the $SHURYGINA token deployment — please do not open a public issue.

Instead, contact the team privately:

  • Telegram: @DianaShuryginaBot (mark message as SECURITY: so it is escalated)
  • Response window: up to 72 hours
  • We may ask for a proof-of-concept

Scope

In scope:

  • Authentication or authorization bypass in the Mini App
  • Server-side validation bypass for taps, boosts, leagues, premium, referral
  • Payment-flow exploits (Telegram Stars / TON)
  • XSS, SSRF, RCE, SQL-injection in any of our public-facing services
  • Leakage of secrets, keys, or personal data

Out of scope:

  • Reports based on theoretical attacks without a working proof
  • Social-engineering, phishing, physical attacks
  • Brute-force, DoS, volumetric attacks
  • Vulnerabilities in third-party services we use (report them to the provider)

Disclosure

Once a fix is deployed we will publicly acknowledge the researcher (unless anonymity is requested) and add an entry to the project changelog.

The team does not currently run a paid bug-bounty programme but reserves the right to issue a discretionary thank-you bonus in $SHURYGINA for high-impact reports.

There aren't any published security advisories