If you discover a security issue in any of our services — the bot (@DianaShuryginaBot), the Mini App, the landing at shurygina.com, or the $SHURYGINA token deployment — please do not open a public issue.
Instead, contact the team privately:
- Telegram: @DianaShuryginaBot (mark message as
SECURITY:so it is escalated) - Response window: up to 72 hours
- We may ask for a proof-of-concept
In scope:
- Authentication or authorization bypass in the Mini App
- Server-side validation bypass for taps, boosts, leagues, premium, referral
- Payment-flow exploits (Telegram Stars / TON)
- XSS, SSRF, RCE, SQL-injection in any of our public-facing services
- Leakage of secrets, keys, or personal data
Out of scope:
- Reports based on theoretical attacks without a working proof
- Social-engineering, phishing, physical attacks
- Brute-force, DoS, volumetric attacks
- Vulnerabilities in third-party services we use (report them to the provider)
Once a fix is deployed we will publicly acknowledge the researcher (unless anonymity is requested) and add an entry to the project changelog.
The team does not currently run a paid bug-bounty programme but reserves the right to issue a discretionary thank-you bonus in $SHURYGINA for high-impact reports.