[{"id":3699989,"new_policy":"# About\nFertitta Entertainment, LLC manages and oversees a vibrant array of preeminent brands and establishments that are solely owned by the renowned Houston businessman Tilman Fertitta, whose extensive portfolio includes Landry’s, Golden Nugget casinos, Kemah Boardwalk, Gorio Cruises, The Post Oak Hotel, Post Oak Motors, and The Houston Rockets.\n\n{F2187810}\n\n# Welcome\nFertitta Entertainment, LLC is pleased to invite the security community to identify and report vulnerabilities to keep our businesses, affiliates, partners, and customers safe.\n\n## Note for New Hackers\nIf you are new to HackerOne, welcome!\nBefore participating in Fertitta Entertainment, LLC’s vulnerability disclosure program (VDP), we strongly recommend that you first complete HackerOne’s [free Hacker101 course](https://www.hacker101.com/) and review HackerOne’s [Hacker Success Guide](https://docs.hackerone.com/hackers/hacker-success-guide.html) to ensure you have the best possible experience.\nIn addition, please familiarize yourself with our VDP policy and pay especially close attention to the **Program Rules** and **Out-of-scope Vulnerabilities** sections below so you will understand how to discover and report vulnerabilities in a safe, responsible way that does not adversely impact our systems, services, and applications.\n\n### Useful Resources\n* OWASP’s [Web Security Testing Guide](https://owasp.org/www-project-web-security-testing-guide/latest/)\n* PortSwigger’s [Web Security Academy](https://portswigger.net/web-security)\n* HackTheBox Academy's [Bug Bounty Hunter Job Pathway](https://academy.hackthebox.com/module/details/161) \n  * (**NOTE**: Although Fertitta Entertainment, LLC's VDP is **NOT** a bug bounty program, this pathway will help you develop a solid foundation to begin participating in our VDP.) 
\n\n# Response Targets\nFertitta Entertainment, LLC strives to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in Business Days |\n| :--------------- | :---------------------- |\n| First Response                |  3 days                      |\n| Time to Triage                 |  6 days                     |\n| Time to Resolution          | Depends on severity—see **Time to Resolution** below.            |\n\n## Time to Resolution\nAfter your report has been validated and triaged, Fertitta Entertainment, LLC will periodically update you on our progress and work to resolve your report within a reasonable time frame that corresponds to the severity of your report:\n\n| Severity | SLA in Business Days |\n| :--------------- | :---------------------- |\n| Critical                |  12 days                      |\n| High                 |  30 days                     |\n| Medium                 |  90 days                     |\n| Low                 |  180 days                     |\n| None                 |  360 days                     |\n\n**IMPORTANT**: These SLAs only apply to services, websites, and applications that Fertitta Entertainment, LLC directly manages. 
Although we are happy to receive vulnerability reports for third-party services or dependencies that are hosted on our domains and to forward them to the responsible parties for remediation, we cannot predict if and when these reports will be resolved.\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne’s [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Participants **MUST NOT** engage in any enumeration of systems, services, or applications **and MUST NOT** attempt exploitation of any vulnerability outside the scope of this program (see **Scope** below).\n* Please provide **clear**, **straightforward**, and **detailed** reports with **reproducible steps**. We encourage you to supply screenshots or screen recordings as needed. Reports that are not sufficiently detailed to reproduce the issue **may not be triaged**.\n* **Submit one vulnerability per report**, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n* **Social engineering (e.g. 
phishing, vishing, smishing) is *strictly* prohibited.**\n* You are expected to perform your due diligence and to make a good faith effort to avoid privacy violations, data destruction, and any interruption or degradation of our services.\n* If an asset permits user registration, **only interact with accounts that are owned by you**.\n* Please also abide by HackerOne's [Code Of Conduct](https://www.hackerone.com/policies/code-of-conduct).\n\n## **IMPORTANT**: Mind your bandwidth usage!\n* We **strongly recommend** that you use a bandwidth monitoring tool (e.g., **NetHogs**, **Wireshark**, **vnStat**, **iftop**) and to **specify lower threads** when using command-line tools such as `gobuster`, `ffuf`, or `wfuzz` while probing our assets for vulnerabilities.\n* **DO NOT send more than 100 MB of traffic over a sixty (60) minute period.**\n* **DO NOT send more than 1 GB of traffic over a twenty-four (24) hour period to an in-scope asset.**\n* If possible, always include a custom HTTP header (`User-Agent: HackerOne VDP [Username]`) when enumerating or fuzzing our assets.\n\t* **Burp Suite**: Use the [Add Custom Header](https://portswigger.net/bappstore/807907f5380c4cb38748ef4fc1d8cdbc) Burp extension (available for both Community and Pro editions).\n\t* **cURL**, **ffuf**, **Gobuster**, and **wfuzz** all allow you to add a custom header using the `-H` flag.\n\t\t**Example:** `curl -H \"User-Agent: HackerOne VDP [Username]\" https://tilmanfertitta.com`\n\t* **Nikto** allows you to specify a custom header with the `-header`  flag (don't confuse with the `-h` flag, which specifies the target URL).\n\t\t**Example**: `nikto -header \"User-Agent: HackerOne VDP [Username]\" -h https://tilmanfertitta.com`\n\n# Out of scope vulnerabilities\n**NOTE:** Please review our **Assets** section carefully — some assets have additional restrictions or may be partially or entirely out of scope.\n\nWhen reporting vulnerabilities, please consider **(1)** attack scenario / exploitability 
***AND*** **(2)** security impact of the bug. The following issues are considered **out of scope**:\n* Any activity that could plausibly lead to any denial or disruption of our services, systems, or applications ([DoS/DDoS attacks](https://csrc.nist.gov/glossary/term/denial_of_service)).\n\t* Any activity that sends more than 100 MB of traffic over a sixty (60) minute period ***or*** sends more than 1 GB of traffic over a twenty-four (24) hour period to an in-scope asset.\n* [Clickjacking](https://owasp.org/www-community/attacks/Clickjacking) on pages with no sensitive actions.\n* [Cross Site Request Forgery (CSRF)](https://owasp.org/www-community/attacks/csrf) on unauthenticated forms or forms with no sensitive actions.\n* Man-in-the-middle (MitM)/on-path attacks, as well as attacks that require physical access to a user's device.\n* Previously known vulnerable libraries without a working proof of concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Rate limiting or brute-forcing on non-authentication endpoints, as well as any brute-forcing that exceeds the **100MB/hour** and **1 GB/day** bandwidth restrictions specified above.\n* Missing best practices in Content Security Policy.\n* Missing `HttpOnly` or `Secure` flags on cookies.\n* Missing email best practices (e.g., invalid, incomplete, or missing SPF, DKIM, or DMARC records).\n* Vulnerabilities only affecting users of outdated or unpatched browsers less than two stable versions behind the latest released stable version.\n* Software version disclosure, banner identification issues, descriptive error messages/headers (e.g., stack traces, application or server errors unless the error(s) indicate an exploitable injection vulnerability).\n* [Tabnabbing](https://owasp.org/www-community/attacks/Reverse_Tabnabbing)\n* Open redirect (unless an additional security impact can be demonstrated).\n* Issues that require unlikely user interaction.\n\n# Safe Harbor\nActivities conducted in strict conformance with this policy will be considered authorized conduct.\n\nThank you for helping keep Fertitta Entertainment, LLC and our assets, data, personnel, and customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-08-16T19:00:33.257Z"},{"id":3699951,"new_policy":"# About\nFertitta Entertainment, LLC manages and oversees a vibrant array of preeminent brands and establishments that are solely owned by the renowned Houston businessman Tilman Fertitta, whose extensive portfolio includes Landry’s, Golden Nugget casinos, Kemah Boardwalk, Gorio Cruises, The Post Oak Hotel, Post Oak Motors, and The Houston Rockets.\n\n{F2187810}\n\n# Welcome\nFertitta Entertainment, LLC is pleased to invite the security community to identify and report vulnerabilities to keep our businesses, affiliates, partners, and customers safe.\n\n## Note for New Hackers\nIf you are new to HackerOne, welcome!\nBefore participating in Fertitta Entertainment, LLC’s vulnerability disclosure program (VDP), we strongly recommend that you first complete HackerOne’s [free Hacker101 course](https://www.hacker101.com/) and review HackerOne’s [Hacker Success Guide](https://docs.hackerone.com/hackers/hacker-success-guide.html) to ensure you have the best possible experience.\nIn addition, please familiarize yourself with our VDP policy and pay especially close attention to the **Program Rules** and **Out-of-scope Vulnerabilities** sections below so you will understand how to discover and report vulnerabilities in a 
safe, responsible way that does not adversely impact our systems, services, and applications.\n\n### Useful Resources\n* OWASP’s [Web Security Testing Guide](https://owasp.org/www-project-web-security-testing-guide/latest/)\n* PortSwigger’s [Web Security Academy](https://portswigger.net/web-security)\n* HackTheBox Academy's [Bug Bounty Hunter Job Pathway](https://academy.hackthebox.com/module/details/161) \n  * (**NOTE**: Although Fertitta Entertainment, LLC's VDP is **NOT** a bug bounty program, this pathway will help you develop a solid foundation to begin participating in our VDP.) \n\n# Response Targets\nFertitta Entertainment, LLC strives to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in Business Days |\n| :--------------- | :---------------------- |\n| First Response                |  3 days                      |\n| Time to Triage                 |  6 days                     |\n| Time to Resolution          | Depends on severity—see **Time to Resolution** below.            |\n\n## Time to Resolution\nAfter your report has been validated and triaged, Fertitta Entertainment, LLC will periodically update you on our progress and work to resolve your report within a reasonable time frame that corresponds to the severity of your report:\n\n| Severity | SLA in Business Days |\n| :--------------- | :---------------------- |\n| Critical                |  12 days                      |\n| High                 |  30 days                     |\n| Medium                 |  90 days                     |\n| Low                 |  180 days                     |\n| None                 |  360 days                     |\n\n**IMPORTANT**: These SLAs only apply to services, websites, and applications that Fertitta Entertainment, LLC directly manages. 
Although we are happy to receive vulnerability reports for third-party services or dependencies that are hosted on our domains and to forward them to the responsible parties for remediation, we cannot predict if and when these reports will be resolved.\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne’s [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Participants **MUST NOT** engage in any enumeration of systems, services, or applications **and MUST NOT** attempt exploitation of any vulnerability outside the scope of this program (see **Scope** below).\n* Please provide **clear**, **straightforward**, and **detailed** reports with **reproducible steps**. We encourage you to supply screenshots or screen recordings as needed. Reports that are not sufficiently detailed to reproduce the issue **may not be triaged**.\n* **Submit one vulnerability per report**, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n* **Social engineering (e.g. 
phishing, vishing, smishing) is *strictly* prohibited.**\n* You are expected to perform your due diligence and to make a good faith effort to avoid privacy violations, data destruction, and any interruption or degradation of our services.\n* If an asset permits user registration, **only interact with accounts that are owned by you**.\n* Please also abide by HackerOne's [Code Of Conduct](https://www.hackerone.com/policies/code-of-conduct).\n\n## **IMPORTANT**: Mind your bandwidth usage!\n* We **strongly recommend** that you use a bandwidth monitoring tool (e.g., **NetHogs**, **Wireshark**, **vnStat**, **iftop**) and to **specify lower threads** when using command-line tools such as `gobuster`, `ffuf`, or `wfuzz` while probing our assets for vulnerabilities.\n* **DO NOT send more than 100 MB of traffic over a sixty (60) minute period.**\n* **DO NOT send more than 1 GB of traffic over a twenty-four (24) hour period to an in-scope asset.**\n* If possible, always include a custom HTTP header (`User-Agent: HackerOne VDP [Username]`) when enumerating or fuzzing our assets.\n\t* **Burp Suite**: Use the [Add Custom Header](https://portswigger.net/bappstore/807907f5380c4cb38748ef4fc1d8cdbc) Burp extension (available for both Community and Pro editions).\n\t* **cURL**, **ffuf**, **Gobuster**, and **wfuzz** all allow you to add a custom header using the `-H` flag.\n\t\t**Example:** `curl -H \"User-Agent: HackerOne VDP [Username]\" https://tilmanfertitta.com`\n\t* **Nikto** allows you to specify a custom header with the `-header` flag (don't confuse with the `-h` flag, which specifies the target URL).\n\t\t**Example**: `nikto -header \"User-Agent: HackerOne VDP [Username]\" -h https://tilmanfertitta.com`\n\n# Out of scope vulnerabilities\n**NOTE:** Please review our **Assets** section carefully — some assets have additional restrictions or may be partially or entirely out of scope.\n\nWhen reporting vulnerabilities, please consider **(1)** attack scenario / exploitability ***AND*** **(2)** security impact of the bug. The following issues are considered **out of scope**:\n* Any activity that could plausibly lead to any denial or disruption of our services, systems, or applications ([DoS/DDoS attacks](https://csrc.nist.gov/glossary/term/denial_of_service)).\n\t* Any activity that sends more than 100 MB of traffic over a sixty (60) minute period ***or*** sends more than 1 GB of traffic over a twenty-four (24) hour period to an in-scope asset.\n* [Clickjacking](https://owasp.org/www-community/attacks/Clickjacking) on pages with no sensitive actions.\n* [Cross Site Request Forgery (CSRF)](https://owasp.org/www-community/attacks/csrf) on unauthenticated forms or forms with no sensitive actions.\n* Man-in-the-middle (MitM)/on-path attacks, as well as attacks that require physical access to a user's device.\n* Previously known vulnerable libraries without a working proof of concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Rate limiting or brute-forcing on non-authentication endpoints, as well as any brute-forcing that exceeds the **100MB/hour** and **1 GB/day** bandwidth restrictions specified above.\n* Missing best practices in Content Security Policy.\n* Missing `HttpOnly` or `Secure` flags on cookies.\n* Missing email best practices (e.g., invalid, incomplete, or missing SPF, DKIM, or DMARC records).\n* Vulnerabilities only affecting users of outdated or unpatched browsers less than two stable versions behind the latest released stable version.\n* Software version disclosure, banner identification issues, descriptive error messages/headers (e.g., stack traces, application or server errors unless the error(s) indicate an exploitable injection vulnerability).\n* [Tabnabbing](https://owasp.org/www-community/attacks/Reverse_Tabnabbing)\n* Open redirect (unless an additional security impact can be demonstrated).\n* Issues that require unlikely user interaction.\n\n# Safe Harbor\nActivities conducted in strict conformance with this policy will be considered authorized conduct.\n\nThank you for helping keep Fertitta Entertainment, LLC and our assets, data, personnel, and customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-08-15T23:17:04.780Z"},{"id":3699950,"new_policy":"# About\nFertitta Entertainment, LLC manages and oversees a vibrant array of preeminent brands and establishments that are solely owned by the legendary Houston businessman Tilman Fertitta, including Landry's, Golden Nugget casinos, Kemah Boardwalk, The Post Oak Hotel, Houston Aquarium, and Houston Rockets.\n\n{F2187810}\n\n# Welcome\nFertitta Entertainment, LLC is pleased to invite the security community to identify and report vulnerabilities to keep our businesses, affiliates, partners, and customers safe.\n\n# Response Targets\nFertitta Entertainment, LLC strives to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in Business Days |\n| :--------------- | :---------------------- |\n| First Response                |  3 days                      |\n| Time to Triage                 |  6 days                     |\n| Time to Resolution          | Depends on severity—see **Time to Resolution** below.            |\n\n## Time to Resolution\nAfter your report has been validated and triaged, Fertitta Entertainment, LLC will periodically update you on our progress and work to resolve your report within a reasonable time frame that corresponds to the severity of your report:\n\n| Severity | SLA in Business Days |\n| :--------------- | :---------------------- |\n| Critical                |  12 days                      |\n| High                 |  30 days                     |\n| Medium                 |  90 days                     |\n| Low                 |  180 days                     |\n| None                 |  360 days                     |\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne’s [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* **Please be mindful of your bandwidth usage!** We strongly recommend that you use a bandwidth monitoring tool (e.g., NetHogs, Wireshark, vnStat, iftop) and to use lower threads when using tools such as Gobuster or wfuzz while probing our assets for vulnerabilities. Participants **MUST NOT** send more than 100 MB of traffic over a sixty (60) minute period **AND MUST NOT** send more than 1 GB of traffic over a twenty-four (24) hour period to an in-scope asset.\n* **Participants MUST NOT** engage in any enumeration of systems, services, or applications or attempt exploitation of vulnerabilities that are not within the scope of this program (see **Scope** below).\n* Please provide **clear**, **straightforward**, and **detailed** reports **with reproducible steps**. Reports that are not sufficiently detailed to reproduce the issue may not be triaged.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability and (2) security impact of the bug. The following issues are considered out of scope:\n\n\n* ***Any*** **activity that could plausibly lead to any denial or disruption of our services, systems, or applications (DoS/DDoS attacks).**\n* Clickjacking on pages with no sensitive actions.\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.\n* Man-in-the-middle (MitM)/on-path attacks, as well as attacks that require physical access to a user’s device.\n* Previously known vulnerable libraries without a working proof of concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Rate limiting or brute-force issues on non-authentication endpoints.\n* Missing best practices in Content Security Policy.\n* Missing HttpOnly or Secure flags on cookies.\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version].\n* Software version disclosure, banner identification issues, descriptive error messages/headers (e.g. stack traces, application or server errors).\n* Tabnabbing.\n* Open redirect (unless an additional security impact can be demonstrated).\n* Issues that require unlikely user interaction.\n\n# Safe Harbor\nAny activities conducted in strict conformance with this policy will be considered authorized conduct.\n\nThank you for helping keep Fertitta Entertainment, LLC and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-08-15T21:26:52.586Z"}]