Spades LogoSpades

Security Disclosure

Last updated: January 27, 2025

We take security seriously and are committed to supporting responsible disclosure of any issues you may uncover. We ask that you give our team a chance to research and address a vulnerability before disclosing it publicly.

Reporting Security Issues

If you discover a security vulnerability in Spades, please report it to us by emailing:

security@voidworks.io

Recognition for Researchers

We believe in acknowledging the valuable contributions of security researchers who help make Spades safer for everyone. When you report a valid security issue:

  • Your name and a link to your profile of choice will be added to this security disclosures page to acknowledge your contribution
  • We will work with you to determine appropriate public recognition that respects both your preferences and responsible disclosure timelines
  • Recognition will be provided after the vulnerability has been addressed and any necessary disclosure coordination is complete

Testing Guidelines

When conducting security research on Spades, please follow these guidelines to ensure responsible testing:

Required User-Agent String

Please use the following User-Agent string while testing: spadesvrpresearcher_yourb64encodedemail

Replace yourb64encodedemail with your base64-encoded email address. This helps us identify legitimate security research traffic.

Rate Limiting

Automated scanners or tools may send up to 5 requests per second, provided the specified User-Agent is used. Please respect this limit to avoid impacting service availability for other users.

What We Ask You NOT to Do

To ensure responsible research and protect our users, please adhere to the following restrictions:

Respect User Privacy

  • If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate
  • Do not attempt to access or modify another user's account or data
  • Do not otherwise interfere with any other users' accounts

Avoid Destructive Actions

  • Do not attempt to conduct post-exploitation, including modification or destruction of data
  • Do not attempt actions that would cause interruption or degradation of Spades services
  • Do not interrupt or degrade our services

No Attacks on People

  • Do not attempt to target Spades employees or its customers, including social engineering attacks, phishing attacks or physical attacks

No Brute Force or DoS

  • Do not attempt to perform brute-force attacks or denial-of-service attacks

Act in Good Faith

  • Do not threaten or try to extort Spades
  • Do not act in bad faith and make ransom requests
  • You should simply report the vulnerability to us

Our Response Process

When you report a security issue to us, here's what you can expect:

  1. Acknowledgment: We will confirm receipt of your report within 48 hours
  2. Investigation: Our security team will investigate and validate the reported issue
  3. Communication: We will keep you informed of our progress and expected timeline for resolution
  4. Resolution: We aim to address and deploy fixes within 14 days of acknowledgment for critical issues
  5. Recognition: After resolution, we will add your name and chosen profile link to our security acknowledgments

Scope

This security disclosure policy applies to:

  • The Spades web application at https://spades.poker
  • All associated systems, networks, and services under our control
  • API endpoints and integrations used by the application

Safe Harbor

Provided you act in good faith and abide by all applicable laws and the guidelines outlined in this policy, Spades will not initiate legal action against you for any research performed in accordance with this policy.

Security Acknowledgments

We thank the following security researchers for their responsible disclosure of vulnerabilities:

Security researchers who responsibly disclose valid vulnerabilities will be listed here with their name and chosen profile link.

Data Protection

OAuth Tokens

  • We act as an OAuth client for Linear on behalf of our users. All tokens are stored encrypted at rest and transmitted over TLS 1.2+ connections.
  • Tokens are used solely to fetch and write estimation data within Linear and are never shared or sold.

Data Minimization

  • We collect only the minimum data necessary to provide core functionality.
  • No payment information or other sensitive PII is stored by Spades.

Security Best Practices

Spades follows industry-recognized guidelines (e.g. OWASP Top Ten) to safeguard our application. Key controls include:

  • Enforced TLS for all data in transit
  • Encryption of sensitive data at rest
  • Regular dependency and vulnerability scans
  • Role-based access controls for internal systems
  • Periodic third-party penetration testing

Contact Information

For security-related inquiries, please contact us at:

By participating in our security disclosure program, you acknowledge that you have read and understood this Security Disclosure policy and agree to follow the guidelines outlined above.