At Sportsbet, we continually work to protect the privacy and security of our customers, assets, information, and systems. However, we acknowledge that software isn’t always flawless.
If you believe you’ve discovered a potential security vulnerability within our services or products, we would like you to let us know as quickly as possible by emailing us in accordance with the ‘How to Report a Potential Security Vulnerability’ section.
Please be aware that Sportsbet is unable to offer any form of compensation (including but not limited to monetary compensation or other financial benefit) for disclosure. We recognise the vulnerabilities reported by contributors by displaying their names under the ‘Recognition’ section of the Responsible Disclosure program.
Scope
We are interested in hearing about security vulnerabilities on all Sportsbet products and/or services, including web and mobile applications hosted on domains owned by Sportsbet.
Guidelines
We encourage you to conduct responsible security research on our products and services. We allow you to conduct vulnerability research and testing only on our services and products to which you have authorised access.
The following activities are strictly prohibited:
- Using leaked or compromised accounts belonging to other users. When experimenting, please only target accounts belonging to yourself
- Modifying, accessing or exfiltrating data that does not belong to you
- Disclosing any security issues to the public, or to any third party, unless Sportsbet gives you permission
- Disclosing any report submitted in relation to the responsible disclosure program unless Sportsbet gives you permission
- Testing the physical security of Sportsbet offices, employees, equipment, etc.
- Performing DoS or DDoS attacks
- Conducting social engineering (including phishing) of Sportsbet employees, contractors, customers or any other party
- Activities that violate local or international laws
- Activities that involve destruction of data, privacy violations, interruption or degradation of Sportsbet services
- Uploading or transmitting malware or harmful software that could impact our services, products or customers
The following finding types are specifically excluded from the responsible disclosure program:
- Banner or fingerprinting disclosures on common public services
- CSRF on forms that are available to anonymous users
- Logout Cross-Site Request Forgery
- Autocomplete or save password functionality
- HTTP 404 codes or pages, or other HTTP non-200 codes or pages
- Captcha bypass or weak captcha implementation
- Open redirect vulnerabilities which use a Sportsbet subdomain and an identity provider’s logout URL to implement a redirect
- Reporting vulnerable and outdated libraries, frameworks, modules without a valid proof of concept
- Lack of Secure or HttpOnly flags on non-sensitive cookies
- Missing HTTP security headers:
  - Strict-Transport-Security (HSTS)
  - Content-Security-Policy
  - X-Frame-Options (clickjacking)
  - X-Content-Type-Options
  - Referrer-Policy
  - Permissions-Policy
- Weak password policy or account lockout not enforced
- Web error messages such as server stack traces, application errors
- Self-exploitation issues (such as self XSS, cookie reuse, self-denial of service, etc.)
- Reports from automated vulnerability scanners without any workable proof of concept
- Lack of rate limiting controls or absence of brute force countermeasures
- Username/email enumeration via login or forgot pages
- Enabled HTTP methods (such as OPTIONS, TRACE, DELETE, PUT, WEBDAV) without a valid attack scenario
- HTTP or DNS cache poisoning
- SSL/TLS issues, e.g.
  - SSL/TLS attacks such as BEAST, BREACH and the renegotiation attack
  - Forward secrecy not enabled
  - Weak or insecure cipher suites
- Content spoofing/text injection without HTML/CSS
- DNSSEC configuration
- Subdomain takeover
Out of Scope bugs for Android apps
- Absence of certificate pinning
- Lack of code obfuscation
- Lack of rooted device detection
- Lack of binary protection in the Android app
- User data stored unencrypted on external storage
- Sensitive data stored in app private directory
- OAuth “app-secret” hard-coded in the APK file
- App crashes due to malformed intents sent due to exported activity
Out of Scope bugs for iOS apps
- Absence of certificate pinning
- Lack of code obfuscation
- Lack of jailbreak detection
- Lack of binary protection in the iOS app
- User data unencrypted on the file system
- OAuth “app-secret” hard-coded in the IPA file
- Path disclosure vulnerability in iOS binary
How to report a potential security vulnerability
You can responsibly disclose potential security vulnerabilities to the Sportsbet Information Security Team by emailing responsible-disclosure@sportsbet.com.au.
Ensure that you include details of the potential security vulnerability and exploit with enough information to enable the Security Team to reproduce your steps.
When reporting a potential security vulnerability, please include as much information as possible, including:
- An explanation of the potential security vulnerability
- A list of products and services that may be affected (where possible)
- Steps to reproduce the vulnerability
- Proof-of-concept code (where applicable)
- The names of any test accounts you have created (where applicable); and
- Your contact information
After you submit
Once you have reported a security vulnerability, we will contact you within 72 hours to acknowledge your submission and keep you informed of our plans to remediate or otherwise mitigate legitimate vulnerabilities.
We ask that you maintain confidentiality and do not make your research public until we have completed our investigation and, if necessary, have remediated or mitigated the security vulnerability.
If a report is found to be a duplicate or is otherwise already known to us, the report will not be eligible for public recognition.
Legal Points
We are unable to recognise submissions from individuals who are from countries on the FATF blacklist or who are in countries subject to UK and/or Australian sanctions.
Recognition
2024