I found a vulnerability in their web server that handles their equivalent of game add-ons. I found an authorization bypass that allowed me to look at their admin interface for managing add-ons
I messaged Gary about it on their discord but never got a response. They patched it right after though