A Safe and Trusted Place to Keep People Connected!
The goal of the 3Fun Security team is to create the best security organization in the world, a private and safe place to keep people connected.
Because you entrust 3Fun with your personal information, it is our top priority to ensure the security of our application and the privacy of your data. We commit ourselves to maintaining a robust, transparent, and responsible security program.
3Fun’s Internal Security Practices
By combining industry-leading security infrastructure, responsible data practices, and security and privacy best practices to stay ahead of the evolving number of threats internet services and infrastructure are facing, the security program at 3Fun keeps our company and your data safe at all times.
Click here to see the focus of our security program.
Reporting Security Vulnerabilities
3Fun welcomes input from the security research community to advance the cause of improving the security of our applications and user data. To that end, we encourage security researchers to responsibly disclose any potential vulnerabilities uncovered to Support@go3Fun.co. Reports received through this channel will receive a prompt reply, and if you do not receive such a response, we ask that you please attempt to contact us again. To protect our users, we also request that you please refrain from sharing information about any potential vulnerabilities with anyone outside of 3Fun, until we have confirmed with you that any such vulnerability has been properly mitigated.
3Fun reserves the right to decide if the minimum severity threshold is met and whether it was previously reported.
Participating in our Bug Bounty Program is completely voluntary. By participating in our Bug Bounty Program, submitting a report or otherwise informing us of a vulnerability ("Submission"), you acknowledge that you have read and agree to abide by the rules on this page ("Program Terms").
If (i) you do not meet the program’s eligibility requirements below; (ii) you violate any of these Program Terms or any other agreements you have with 3Fun or its affiliates; or (iii) we determine that your participation in our Bug Bounty Program could negatively affect us, our affiliates or any of our users, employees or agents, we reserve the right to terminate your participation in the program and disqualify you from receiving any benefit of our Bug Bounty Program.
Confidentiality
Click Here to know about our confidentiality terms.
Eligibility to Participate
To participate in our Bug Bounty Program, you must:
• Be at least 18 years old if you test using a 3Fun account, and otherwise be the age of majority in your jurisdiction of residence or have the consent of your parent or guardian to participate in our Bug Bounty Program. In any case, you must be over the age of 13.
• Not be a resident of, or make a Submission to our Bug Bounty Program from, a country against which the United States has issued export sanctions or other trade restrictions.
• Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to our Bug Bounty Program.
• Not be employed by 3Fun or any of its affiliates or an immediate family member of a person employed by 3Fun or any of its affiliates.
Depending on your country of residency and citizenship, you are responsible for any tax implications of a reward from our Bug Bounty Program.
Program Ground Rules
• Don’t mass create accounts when testing against our applications and services.
• No destructive automated testing - under no circumstance should automated testing cause intentional damage to 3Fun systems.
• Don’t engage in social engineering (e.g. phishing, vishing, smishing).
• Don’t attempt to extort us.
• Don’t leave any system in a more vulnerable state than you found it.
• Don’t publicly disclose vulnerabilities without our explicit permission.
• Do respect our users’ privacy.
• Do research vulnerabilities and disclose vulnerabilities to us in good faith.
• Do be respectful when interacting with our team.
• Don't leak, manipulate, or destroy any user data. Please only test against accounts you own yourself or with the account owner’s explicit consent.
Bounty Eligibility
To be eligible for a reward under this program, you must:
• Send a detailed textual vulnerability description of the bug along with the steps to reproduce the vulnerability.
• Include attachments such as screenshots and proof of concept code as necessary. A clear description and proof of concept helps you prove that the security bug is legitimate and expedites the reward process.
• Be the first to report a specific vulnerability.
• Disclose the vulnerability report directly and exclusively to us. Reminder: you are not permitted to disclose vulnerabilities to third parties -- including vulnerability brokers.
• Stay in scope.
• Do not attempt to elevate privileges, or explore a system beyond the minimum necessary to prove access or attempt to pivot in any way. This will disqualify you from receiving a bounty.
In general, the following would not meet the threshold for inclusion:
• Vulnerabilities on sites hosted by third-parties unless they lead to a vulnerability on the main website / application
• Denial of service
• Social engineering
• Spamming
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
• Click-jacking, or issues only exploitable via click-jacking
• Disclosure of known public files or directories (.htaccess, robots.txt, etc)
• Third-party vulnerabilities (e.g. WordPress) that have recently become publicly known will generally be out of scope for a period of 30 days from the public release of an official patch or workaround.
• Missing or misconfigured security headers which do not lead directly to a vulnerability
• Overly verbose responses (errors, banners, etc.), which cannot be directly used in an exploit
• Software version disclosure without proof of exploitability
• Lack of certificate pinning, or HSTS
• TLS/SSL version, configuration, weak ciphers or expired certificates
• Lack of Secure or HttpOnly flags on cookies
• Lack of, or weak, CAPTCHA or rate-limiting
• Scenarios that require unlikely user interaction and/or outdated OS or software version
• Self-XSS
• Login/Logout CSRF
• Unrestricted file uploads without a clear impact, beyond resource consumption, DoS, undesirable content, etc.
• Third-party API Keys/Secrets embedded in mobile applications, without a clear impact, as many third-parties require this for their own client attribution purposes.
• The ability to obtain multiple promotional items by opening multiple accounts
• Most GPS spoofing related issues
• Attacks against corporate IT infrastructure (e.g. firewalls and their software)
• Attacks against employees (phishing, stealing laptops, physical security issues, etc.)
• Vulnerabilities requiring physical access to a user’s browser, or a smartphone, or email account, as well as issues on rooted or jailbroken smartphones
• Reports from security scanners and other testing tools
• Reports about issues in third-party applications and services
• Reports about missed headers or cookie flags
• Reports about configuration of our mail infrastructure (incorrect SPF records, DMARC policies, and others)
• Any vulnerability found through the use of any mass scanning tool, botnet, compromised site, end-clients or any other means of large automated exploitation or use of a tool that generates a significant volume of traffic.
Scopes
Program Updates and Licenses
We may modify the Program Terms or cancel our Bug Bounty Program at any time in our sole and absolute discretion.
As a condition of participation in our Bug Bounty Program, you hereby grant 3Fun and its affiliates a perpetual, irrevocable, worldwide, royalty-free, transferrable, sublicensable and exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative work from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to 3Fun in connection therewith, for any purpose. You should not send us any Submission that you do not wish to license to us. You hereby represent and warrant that the Submission is original to you and you own all right, title and interest in and to the Submission.
Thank you for helping keep the 3Fun community safe!
We place safety at the center of everything we do. Visit https://www.prnewswire.com/news-releases/leading-threesome-dating-app-3fun-announces-wide-ranging-safety-and-security-upgrades-301459700.html to know more about our progress.
For questions, concerns, or issues with your profile, or to report another member or profile, please visit FAQ to contact our Support team.