<p>At The Pokémon Company International, Inc.
(“TPCi”),
protecting our fans and community is a top priority.
We recognize the value that
security researchers and security experts provide to our organization in
helping ensure the integrity and safety of our platform and users' data,
and we welcome their disclosures.</p>
<p>For other questions and concerns related to your
Pokémon Trainer Club account or other services, please reach out to Customer
Service via Pokémon Support.
</p>
<p>
<strong>Discovering a Security Vulnerability</strong>
</p>
<p>If you believe you have discovered a security
vulnerability, we encourage you to disclose your discovery to us as quickly as
possible via the form below.
We will work with you to validate and respond to
security vulnerabilities.
Before disclosing the possible security
vulnerability, please review this page, including the Public Disclosure Policy.
Because of the sensitive nature of security vulnerabilities
and the risk they can pose to our community, we require that you keep this
information confidential while we work with you to close the gap and ensure the
safety of our users.
In addition to maintaining confidentiality and following the Code of Conduct, you must observe
the following rules:</p>
<ul>
<li>
<p>Do not attempt to access accounts that do not belong to you.</p>
</li>
<li>
<p>Do not attempt to access private information of any users.</p>
</li>
<li>
<p>Do not attempt to modify or destroy data.</p>
</li>
<li>
<p>Do not perform any type of denial-of-service attack.</p>
</li>
<li>
<p>Do not test third-party, or non-TPCi, services.
This includes The Pokémon Company, which is the parent company of TPCi.</p>
</li>
<li>
<p>Do not transmit malware, in any capacity.</p>
</li>
<li>
<p>You must comply with all applicable laws in connection with your participation in this program.</p>
</li>
<li>
<p>You must comply with the Bugcrowd Standard Disclosure Policy.</p>
</li>
</ul>
<p>
<strong>Issues Not to Report</strong>
</p>
<ul>
<li>
<p>Phishing or Social Engineering techniques</p>
</li>
<li>
<p>Forms missing CSRF tokens</p>
</li>
<li>
<p>Logout CSRF</p>
</li>
<li>
<p>All Sender Policy Framework suggestions</p>
</li>
<li>
<p>Disclosure of public or known directories</p>
</li>
<li>
<p>Vulnerabilities only affecting users who are using outdated or unpatched browsers and platforms</p>
</li>
</ul>
<p>
<strong>Vulnerability Disclosure Scope</strong>
</p>
<ul>
<li>
<p>*.pokemon.com</p>
</li>
<li>
<p>pokemon.com</p>
</li>
<li>
<p>pokemoncenter.com</p>
</li>
<li>
<p>Mobile applications with “The Pokémon Company International” as the seller or developer</p>
</li>
</ul>