Security Policy

Operator

Water Table Game LLC

Contact

[email protected] (forwards to founder + designated successor)

Acknowledgments

/security/acknowledgments

Canonical security.txt

/.well-known/security.txt

PGP Fingerprint

Published after the operator generates and publishes the security@ PGP key.

Scope

The following systems are in scope for responsible disclosure:

• watertablegame.com web properties and Cloudflare Workers endpoints
• api.watertablegame.com — IAP receipt validation, daily challenge, cloud-save sync
• iOS app (com.watertablegame.app) — authentication flows, parental gate, IAP, save encryption
• Android app (Google Play) — same scope as iOS
• Cloudflare R2-backed user save bundles — envelope encryption, key derivation
• App Review Mode bypass vectors — the build-flag + per-build UUIDv4 + IP-allowlist + D1-log quadruple-lock

Out of scope

• Third-party services (Apple App Store servers, Google Play servers, Cloudflare infrastructure itself)
• Social engineering of Water Table Game staff
• Volumetric denial-of-service attacks
• Automated scanner noise without a demonstrated exploitable impact
• Phase-2b community features — not yet live; no user-generated-content surface exists at Launch-1

Reward Program

No monetary bounty. This is an acknowledge-only program. We do not maintain HackerOne or Bugcrowd accounts.

What you get: The first inbound responsible disclosure that results in a valid fix receives manual recognition on /security/acknowledgments with:

• Your preferred display name (or "Anonymous" if you prefer)
• Timestamp of disclosure
• Scope of finding (e.g., "IAP receipt validation bypass")

We will not credit findings that do not result in a shipped fix, findings that were already known, or findings outside the scope above.

Disclosure Process

1. Email [email protected] with subject line [DISCLOSURE] <brief description>.
2. Include: affected system, reproduction steps, impact assessment, your preferred display name for acknowledgments.
3. We will acknowledge receipt within 7 days.
4. Coordinated disclosure window: 90 days from our acknowledgment. We ask that you do not publish details before we ship a fix or before the 90-day window expires, whichever comes first.
5. If we miss the 7-day acknowledgment, you may publish after a good-faith follow-up to the same address.

Legal Safe Harbor

Water Table Game LLC will not pursue legal action against researchers who:

• Disclose to us in good faith per this policy
• Avoid privacy violations, data destruction, or service disruption
• Do not access data beyond what is necessary to demonstrate the vulnerability
• Do not exploit a vulnerability beyond the minimum necessary to confirm its existence

We consider good-faith security research consistent with this policy to be authorized activity.

PGP-Encrypted Submissions

Encrypt sensitive disclosures to the public key at /.well-known/security-pgp.asc.

---