Security

Accounts Security

You can find answers to frequently asked questions regarding 2-Factor Authentication, passwords and general account security here. If you have any additional concerns please contact our customer support team at https://support.faceit.com/hc/en-us/requests/new

Responsible Disclosure Policy

Last updated: August 5th, 2021

If you discover any vulnerabilities or bugs in our software, websites, forums or platforms, please read and follow the process set out in this policy.

To keep improving the security and reliability of our platform, we count on the support of our very passionate and active community. We appreciate your help in finding and disclosing vulnerabilities in a responsible and structured way. We will do our best to fix them as soon as possible.

Guidance when detecting vulnerabilities

If you look for vulnerabilities, please do not:

  • break any law or regulation;
  • share details of vulnerabilities with anyone else until you have submitted a report (as explained later in this policy) and we have addressed the issue. This does not mean you cannot disclose vulnerabilities in a third party library or service that we use, to protect others who might use the same library or service. However, if that is the case, please avoid any reference to FACEIT or sharing details of any FACEIT-specific vulnerability;
  • access unnecessary, excessive or significant amounts of data;
  • modify data in our systems or access confidential or personal data about us or our users;
  • introduce any backdoors into our software, websites, forums or platforms (even if you only want to do it so you can demonstrate a vulnerability to us);
  • use high-intensity invasive or destructive scanning tools to find vulnerabilities;
  • engage in any form of brute-force or denial of service attack (e.g. overwhelming a service with a high volume of requests or cycling through combinations to guess passwords);
  • disrupt FACEIT’s services or systems, cheat or spoil games for other users; or
  • engage in social engineering, ‘phishing’ or physical attacks on FACEIT staff, users, devices or infrastructure.

We take security and our obligations, and the rights of our users and staff, very seriously. Therefore, when detecting vulnerabilities, please ensure that you do:

  • comply with data protection and other laws;
  • respect the privacy of our staff and users (and you must not, for example, share or fail to secure data accessed from our systems);
  • promptly and securely delete all data you may have accessed, at the latest, straight after you have notified us; and
  • report vulnerabilities to us straight away, as explained below.

This policy does not give you permission to take any action which is inconsistent with the law or which might cause FACEIT to breach its own obligations.

If you are unsure about any actions you are considering, please get in touch with us first using the contact details below.

How to report a vulnerability

Please email security@faceit.com and provide the following details:

  1. the service, platform, application, feature, function, IP or page which is affected or where the vulnerability can be observed;
  2. a brief description of the type of vulnerability (e.g. “XSS exploit” or “SQL injection” etc.);
  3. steps to reproduce, ideally a benign, non-destructive, proof of concept, to help ensure the report can be triaged quickly and accurately; and
  4. any recommendations you might have for resolving the issue.

When providing us with the above details, please refrain from sharing personal data of other individuals (including sharing screenshots with us which contain the personal data of other individuals).

Swag

It is not currently practical for FACEIT to offer paid bug bounties. Please do not demand financial compensation to disclose vulnerabilities.

However, in some cases, we may issue rewards, acknowledgments or swag, in exchange for your time and effort investigating & reporting vulnerabilities. Our team will decide whether contributions qualify for this on a case-by-case basis, and their decision is final.

Next steps

We aim to triage your report within 15 working days. We may then be in touch where further information is required, and otherwise we will review your submission and undertake any necessary remediation work.

We will normally notify you when the reported vulnerability is addressed, and you may be invited to confirm that the solution covers the vulnerability adequately.

We will typically also offer you the opportunity to provide feedback to us on the process including both our management of the relationship between us, as well as our approach to resolving the vulnerability. This information will be used in strict confidence to help improve the way we handle reports.

You are welcome to enquire on the status of your submission, but please avoid doing so more than once every 14 days. This allows us to focus on remediation.

Safe harbour

We consider security research, which complies with this policy, to be authorised conduct.  We will not seek prosecution of any researchers who report vulnerabilities in good faith, in accordance with this policy.

Contact details

The Privacy Team has overall responsibility for data security at FACEIT. If you have any questions, feedback or concerns about this policy, the Privacy team’s contact details are as follows:

Email address: privacy@faceit.com

Acknowledgments

As we mentioned, we appreciate the help of our very passionate and active community in improving the security and reliability of our platform. In particular, we would like to thank the following individuals: