Our Philosophy
As part of releasing content and new features to ZARP game servers, extensive testing must be carried out to ensure that these updates are of a high standard and will not introduce bugs, exploits or other defects onto our servers.
The ZARP Community Team recognises that this standard should be kept high; however, this is not always possible, as we may not catch all bugs or exploits during testing.
The quality and security of our systems impact the entire community and we have a duty to ensure we deliver the best possible service and experience for all members of the community. While we may identify and resolve exploits or bugs on our own, members of the community may also identify them post-release to our live servers, so we expect any and all defects to be reported to the relevant person(s) promptly.
Community Responsibility
Exploits, security flaws and game-breaking bugs must be reported to the relevant person(s) as soon as possible to minimise damage inflicted upon the community. The ZARP Community Team has an expectation that you will report these defects to the relevant person(s) in a timely manner.
Abuse of exploits, security flaws or game-breaking bugs is a serious offence and will result in a ban from the relevant ZARP service(s). Failure to report these defects has serious consequences and may result in game server bans, forum bans or community bans. Additionally, failure to report individuals who are actively abusing an exploit, security flaw or game-breaking bug will also result in similar consequences.
Vulnerability/Flaw Categorization
In order for us to identify and reward users for their findings, we have split out vulnerabilities into various categories: Low, Medium, High and Critical. The definitions for these categories can be found below:
Low – any bug or vulnerability that causes minimal impact to gameplay or user experience i.e. clerical errors (typos), minor user interface bugs and map issues.
Medium – any bug or vulnerability that causes significant impact to gameplay or user experience i.e. missing server content, base game features that do not work as expected and produce Lua errors but are isolated and do not affect other systems.
High – any bug or vulnerability that causes a severe impact to gameplay or user experience i.e. exploits that present significant advantages (duplicating items, money exploits), features that do not work as expected and as a result cause other systems to fail.
Critical – any bug or vulnerability that causes severe operational impact to any ZARP service(s) i.e. exploits to crash a website, security flaws to gain access to an individual's account & database injection opportunities.
In order for a reported bug/vulnerability to be categorized, it must be reproducible with a list of clear steps. The ZARP Community Team reserve the right to veto any submitted reports that fail to provide sufficient information about the vulnerability.
Rewards
For valid reports, the ZARP Community Team will identify a suitable reward within the following ranges based on a number of criteria:
Min/Max | Critical | High | Medium | Low |
Minimum | 1 booster pack | Any case of your choice on either SSRP or Pointshop | SSRP Blueprint/Weapon cases OR Pointshop Title/Effects cases | - |
Maximum | Multiple booster packs | 1 booster pack | Any case of your choice on either SSRP or Pointshop | SSRP Blueprint/Weapon cases OR Pointshop Title/Effects cases |
Please note that reporting multiple bugs in a certain category may warrant a higher classification i.e. reporting 10 low priority bugs may result in a medium classification. The Community Team are responsible for reviewing any and all categorization changes.
Additionally, Server Owners & members of the Community Team are not eligible to receive rewards for reporting bugs or exploits.
Scope
Our current scope is limited to the following domains and services:
- zarpgaming.com, fastdl.friendlyplayers.com and sub-domains
- All official ZARP game servers (play.zarpgaming.com)
- ZARP’s official TeamSpeak server (ts.zarpgaming.com)
Exclusions
While researching and reporting vulnerabilities, we’d like to ask you to refrain from:
- Engaging in Denial of Service
- Spamming
- Engaging in social engineering (including phishing) or impersonation of staff