Reporting Vulnerabilities

If you've discovered a security vulnerability in Windrose game infrastructure, please report it to legal@meridianone.com.

Scope

The following Windrose-operated services are in scope:

• playwindrose.com (main website)
• *.windrose.support (game infrastructure: API gateways, TURN relays)
• The Windrose game client

The following are out of scope:

• Third-party services we use (Steam, AWS, Cloudflare, etc.)
• Social media accounts
• Issues affecting only outdated game client versions

What to include in your report

• Description of the vulnerability and its impact
• Steps to reproduce
• Affected version/endpoint
• Your contact information for follow-up

What we ask

• Give us reasonable time to fix the issue before public disclosure
• Don't access, modify, or delete data that doesn't belong to you
• Don't perform DoS testing against production systems
• Act in good faith

What we offer

• Updates as we investigate and remediate

We don't currently run a paid bug bounty program, but we do appreciate responsible disclosure.

Disclaimer

We appreciate and welcome responsible disclosure of security vulnerabilities. However, please note that:

• Submission of a vulnerability report does not create any obligation on our part to provide compensation, rewards, or any form of payment.
• We do not guarantee that all reported vulnerabilities will be acknowledged, prioritized, or remediated.
• We reserve the right to determine, at our sole discretion, the validity, severity, and impact of any reported issue.
• We may choose not to respond to reports that fall outside the defined scope or do not meet responsible disclosure guidelines.
• This policy does not create any contractual relationship or legal entitlement between the reporter and the company.

Contact: legal@meridianone.com