Vulnerability disclosure policy
Found something? Email security@rune.art. We acknowledge within 2 business days, follow a 90-day coordinated-disclosure default, and offer safe harbour for good-faith research under this policy.
We take the security of Perthro and our players seriously. If you've found a vulnerability that affects Perthro, we want to hear from you, and we'll work with you in good faith to fix it.
How to report
Email security@rune.art with:
- A description of the issue and the impact you believe it has.
- Steps to reproduce (a minimal proof-of-concept is ideal).
- The affected URL, app version (Settings → About), iOS version, and account/email you tested with, if relevant.
- Any scripts, screenshots, or recordings that help us see what you saw.
You can write to us in English. We'll acknowledge your report within 2 business days and aim to provide a substantive update within 10 business days. Critical issues get triaged immediately.
Scope
In scope:
- The Perthro iOS app (TestFlight and any future App Store builds).
- perthro.io and www.perthro.io, including all subdomains we operate.
- Perthro backend services and APIs that the app talks to directly.
Out of scope:
- Third-party services we integrate with (IGDB, Steam, PSN, Xbox Live, Apple sign-in, App Store / TestFlight, Cloudflare). Report those to the vendor.
- Findings that require a jailbroken device, rooted environment, or physical access to an unlocked device.
- Social engineering of Perthro / Rune Art staff, contractors, or users.
- Denial-of-service attacks, volumetric tests, or anything that degrades service for other players.
- Automated scanner output without a working proof-of-concept.
- Reports about missing best-practice headers, TLS configuration, or email SPF/DMARC nuances unless paired with a concrete exploit.
- Self-XSS and issues that require a victim to paste attacker-supplied content into a developer console.
What we ask of you
- Only test against your own account, or accounts you have explicit permission to use.
- Don't access, modify, or retain other players' data beyond the minimum needed to demonstrate the issue. If you accidentally encounter someone else's data, stop and tell us.
- Don't run destructive tests, mass-automated scans, or anything that would impact availability for real users.
- Give us a reasonable window to fix the issue before disclosing it publicly. 90 days is our default; we'll work with you if a faster or slower timeline makes more sense.
What you can expect from us
- We'll acknowledge your report and keep you posted as we triage and fix it.
- We won't pursue legal action against researchers acting in good faith under this policy. If a third party (a vendor, a payment processor) initiates action, we'll do what we reasonably can to make clear you were operating under our authorisation.
- We'll credit you in the fix announcement if you'd like to be named, or keep your report confidential if you prefer.
- We do not run a paid bug bounty. Perthro is a small indie shop — we'll thank you publicly (with your permission) and remember your name the next time you ship something cool.
Safe harbour
We consider security research conducted under this policy to be authorised. Activities consistent with this policy will not be treated as a violation of our Terms of Service or Community Guidelines, and we won't pursue civil or criminal action against you for it. This does not extend to:
- Data exfiltration beyond what's needed to prove the issue.
- Attacks on our infrastructure providers (Cloudflare, Apple) or other third parties.
- Any activity that violates applicable law.
If in doubt, ask us before testing.