Crate.tf

Crate.tf

Responsible Disclosure Policy

Effective date: January 28, 2026

Crate.tf (“we”, “us”, “our”) values the security of our users and our Service. If you discover a security vulnerability, we appreciate responsible, good-faith reporting so we can fix it.

This policy describes how to report vulnerabilities and what we ask you to do (and not do) while testing.

1) Scope

This policy applies to security vulnerabilities affecting:

  • Crate.tf (website, APIs/endpoints, and backend services)
  • Crate.tf infrastructure directly supporting the Service
  • Crate.tf trading orchestration (including transaction planning/reservation logic)
  • Crate.tf-owned bot integration as exposed through our Service (not Steam itself)

Out of scope (examples):

  • Vulnerabilities in Steam/Valve systems or the Steam client
  • Issues in third-party services we don’t control (report those to the vendor)
  • Social engineering attacks against users or staff
  • Physical attacks, data center attacks, or device compromise
  • “Vulnerabilities” that require you to have valid credentials you do not own
  • Spam, self-XSS, or purely theoretical issues without a demonstrable security impact

If you’re not sure whether something is in scope, report it anyway — we’ll tell you.

2) How to report a vulnerability

Please report issues to:

If email is not possible, you may contact us via our official Discord support channel, but email is preferred for sensitive details.

Include as much as you can:

  • A clear description of the issue and why it matters
  • Steps to reproduce (proof-of-concept is helpful)
  • Affected URLs/endpoints, parameters, and any relevant request/response samples
  • Impact assessment (what could an attacker do?)
  • Screenshots or logs if relevant
  • Your preferred contact info (and whether you want public credit)

3) Safe harbor for good-faith security research

We won’t pursue legal action against you for good-faith, responsible security research that complies with this policy.

To qualify for safe harbor, you must:

  • Make a good-faith effort to avoid privacy violations, data destruction, and service disruption
  • Stop testing and report promptly once you confirm a vulnerability
  • Not use the vulnerability to gain unfair advantage (including item gain) or harm others
  • Not publicly disclose details before we have had a reasonable opportunity to fix

This safe harbor does not apply to:

  • Any activity intended to extort, threaten, or blackmail
  • Attempts to access or modify data that isn’t yours
  • Any testing that degrades, disrupts, or denies service to users
  • Any testing that targets third-party systems (Steam/Valve) or violates their rules

4) What we ask you NOT to do

To protect users and the Service, please do not:

  • Access, download, or disclose personal data or other users’ data
  • Attempt to intercept or modify other users’ transactions
  • Exploit vulnerabilities to gain TF2 items, keys, or any advantage
  • Perform automated scanning, brute force, credential stuffing, or denial-of-service testing
  • Use bots/scripts to hammer endpoints, status polling, or pricing/catalog endpoints
  • Publicly disclose vulnerabilities before we acknowledge and fix them
  • Social engineer staff or users, or attempt to obtain privileged access

5) Testing guidelines (what IS allowed)

We generally consider the following acceptable in good faith:

  • Testing against your own account and your own data
  • Minimal proof-of-concept demonstrations that show impact without harming others
  • Reporting issues with adequate detail for us to reproduce and fix

If you need a test account or want to coordinate a controlled test, contact us first.

6) Our process and response

We aim to:

  • Acknowledge your report within a reasonable time
  • Investigate and work on a fix
  • Follow up with status updates when practical
  • Credit you publicly if you request and if it’s appropriate (optional)

Because Crate.tf is a small project, timelines may vary. High-impact vulnerabilities will be prioritized.

7) Confidentiality and public disclosure

Please keep vulnerability details confidential until:

  • We confirm the issue is fixed, or
  • We tell you it’s okay to disclose, or
  • A reasonable time has passed and we have not responded (contact us again before publishing)

If you plan to publish, we prefer coordinated disclosure with a short write-up focused on lessons learned and remediation, not exploit details.

8) No bug bounty

Crate.tf does not currently run a paid bug bounty program. However, we may offer non-monetary thanks (public credit) at our discretion.

9) Contact

[email protected] (preferred)

Discord support channel (secondary)