Security
PlayCanvas is part of Snap Inc. and security vulnerabilities affecting PlayCanvas services are handled through Snap's HackerOne bug bounty program.
We take the security of our platform seriously and welcome reports from security researchers. If you believe you've found a vulnerability in any PlayCanvas service, please report it responsibly via HackerOne — qualifying reports may be eligible for a bounty.
How to Report a Vulnerability
Submit your report through Snap's HackerOne program:
Report a vulnerability on HackerOne →
HackerOne is the official channel for security reports — please don't email PlayCanvas or Snap support. Reports submitted through HackerOne reach our security team directly and are eligible for the bounty program.
In-Scope PlayCanvas Domains
The following PlayCanvas domains are in scope for the bug bounty program:
| Domain | Purpose |
|---|---|
| playcanvas.com | Main website, dashboard, and Editor |
| developer.playcanvas.com | Developer documentation (this site) |
| forum.playcanvas.com | Community forum |
| launch.playcanvas.com | App launch / preview server |
| login.playcanvas.com | Authentication service |
| msg.playcanvas.com | Messaging service |
| relay.playcanvas.com | Real-time message relay |
| rt.playcanvas.com | Real-time collaboration server |
| store.playcanvas.com | Asset store |
| playcanv.as | Published apps hosting |
For the most up-to-date scope, eligibility rules, and full program policy, refer to the official HackerOne policy and scopes page.
Responsible Disclosure
When reporting a vulnerability, please:
- Submit through HackerOne — this is the only supported channel for security reports.
- Provide clear reproduction steps — include URLs, request/response examples, screenshots, or proof-of-concept code where relevant.
- Avoid disrupting services — do not perform denial-of-service testing, spam users, or access data that doesn't belong to you.
- Allow time to remediate — give us a reasonable window to investigate and fix the issue before any public disclosure.
Non-Security Issues
For functional bugs, feature requests, and general questions, please use the appropriate channel instead:
- Engine, Editor, or other open source bugs — file an issue on the relevant GitHub repository.
- Account, billing, or platform questions — see Account Management.
- Help and discussion — visit the Forum or Discord.
Thank you for helping keep PlayCanvas and its users safe.