NO SHORTCUTSStudio

Vulnerability Disclosure Policy

Last updated: March 2026

1. Overview

No Shortcuts Studio takes the security of our systems, services, and player data seriously. We welcome and encourage security researchers to help us improve the security of our products by responsibly disclosing vulnerabilities.

2. Scope

This policy applies to the following assets:

  • noshortcuts.studio and all subdomains
  • noshortcuts.gg and all subdomains
  • projectelysia.com and all subdomains
  • eligibled.com and all subdomains (app., api.)
  • Any No Shortcuts Studio game client or service

3. Out of Scope

The following are explicitly out of scope:

  • Social engineering attacks against employees or contractors
  • Denial of service (DoS/DDoS) attacks
  • Brute force attacks on authentication endpoints
  • Vulnerabilities in third-party services or providers we use
  • Physical security issues
  • Automated scanning without prior authorization

4. Rules of Engagement

When conducting security research, please adhere to the following rules:

  • Do not access, modify, or delete data belonging to other users
  • Do not exfiltrate data — demonstrate proof of concept with minimal data access
  • Do not perform denial-of-service attacks
  • Do not perform social engineering against our staff or users
  • Do not test accounts you do not own without explicit authorization
  • Make a good-faith effort to avoid privacy violations and service degradation
  • Stop testing and report immediately if you encounter sensitive user data

5. How to Report

Please send your vulnerability report to security@noshortcuts.studio with the following information:

  • Recommended subject line: [VULN] Short description
  • Description of the vulnerability and its potential impact
  • Detailed steps to reproduce the issue
  • Affected URLs, endpoints, or services
  • Any supporting evidence (screenshots, logs, proof-of-concept)

6. Coordinated Disclosure

We ask that you follow coordinated disclosure practices:

  • Do not publicly disclose the vulnerability before we have had reasonable time to address it
  • We aim to provide an initial response within 72 hours of your report
  • We will work with you to determine an appropriate disclosure timeline
  • We typically request a minimum of 90 days to remediate critical issues before public disclosure

7. Our Commitment

  • We will acknowledge receipt of your report within 72 hours
  • We will provide an estimated timeline for resolution
  • We will keep you informed of our progress
  • We will not pursue legal action against researchers acting in good faith and following these guidelines
  • We will credit researchers who wish to be acknowledged

8. Credit & Hall of Fame

We believe in recognizing the valuable contributions of security researchers. With your permission, we will acknowledge your contribution in our security credits. If you prefer to remain anonymous, we will respect that choice.

9. Contact

Security reports: security@noshortcuts.studio

General inquiries: contact@noshortcuts.studio