[{"id":3762794,"new_policy":"Flutter UK \u0026 Ireland looks forward to work with the security community to find vulnerabilities in our brands to keep our businesses and customers safe.\nThe **only brands in scope** of this program are **Betfair, Paddy Power and Sky Betting and Gaming**. Please carefully review the scope section for more details.\n\n# SLA\nFlutter UK \u0026 Ireland will make a best effort to meet the following SLAs for hackers participating in our program:\n* Time to triage - first line by HackerOne - 4 business days\n* Time to triage - second line by Flutter UKI - 6 business days\n* Time to bounty (from report submit date) - 8 business days\n\nWe’ll keep you informed about your reports’ state throughout the process.\n\n# Recommendations\n* usage of an IP address from UK or Ireland to prevent geo-blocks\n* usage of identifiers that help to determine you are a security researcher, in logs and account details (e.g. HackerOne email alias)\n\n# Responsible Disclosure \u0026 Credit\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* Any information you receive or collect about us, our affiliates, users, employees or agents must be kept confidential. It’s strictly prohibited to use, disclose or distribute any such information. \n* Written permission from Flutter UK\u0026I is required for the disclosure of any vulnerability found. 
Disclosure requests must be submitted through the HackerOne platform.\n\n# Program Rules\n* You must be 18 years of age or older and meet the other eligibility and verification criteria to use our services, as outlined in our General Terms \u0026 Conditions available at https://support.skybet.com/s/article/Sky-Betting-and-Gaming-General-Terms-Conditions , https://www.betfair.com/aboutUs/Terms.and.Conditions/ and https://www.paddypower.com/aboutUs/Terms.and.Conditions/.\n* In connection with your participation in this program you agree to comply with all applicable local and national laws.\n* You must use your own account (or a dedicated test account) for testing or research purposes. Do not attempt to gain access to another user's account or confidential information. To prove cross-user account access both accounts must be registered to yourself.\n* Make a good faith effort to avoid privacy violations and destruction of data. Only interact with accounts you own. Also, any operation that leads to the interruption or degradation of our services is explicitly forbidden. \n* Don't use common vulnerability scanners. The search for vulnerabilities should be manual, although custom tools with automated requests are allowed if limited to 5 requests per second. \n* Minimize the mayhem. For instance, when testing for a command injection vulnerability, it is sufficient to show the output of the id or hostname commands, and you should stop the exploitation at this point.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue it won’t be eligible for a reward.\n* Submit one vulnerability per report, unless you can chain vulnerabilities to increase impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded with only one bounty (e.g. multiple domains that point to the same component, general caching vulnerabilities, etc.). Only the first report will be valid, the other reports will be closed as duplicates.\n\nATTENTION, when analysing applications that are hosted by Cloud Service Providers (CSPs), carefully read and always oblige to the CSP Rules Of Engagement (ROE). Examples:\n- ROE for AWS: https://aws.amazon.com/security/penetration-testing/\n- ROE for Azure: https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement\n- ROE for Google Cloud: https://cloud.google.com/security/overview/\n(these are just examples, always identify the CSP and follow its Rules of Engagement)\n\n\n# Out of scope vulnerabilities\nThe following issues are considered out of scope and won’t be eligible for a bounty:\n* Security issues/best practices that can’t be exploited with real impact (e.g. outdated service, missing cookie flags, clickjacking/CSRF on endpoints with no sensitive actions/data, lack of DKIM/DMARC/SPF, etc.). All reports require a working PoC exploit to be considered valid. For example, a lack of bruteforce protection report requires a PoC with your own account where the password is successfully guessed after 100 failed attempts (using a wordlist with 100 random words before your own testing password).\n* Credential leaks unless impact is proved. 
Note that it's illegal (and forbidden) to attempt to login to customer accounts.\n* WordPress issues without real impact such as user enumeration and the presence of Xmlrpc.php (https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue).\n* Attacks requiring MitM or physical access to a user's device (e.g. lack of TLS protection on non-sensitive HTTP communication, etc.).\n* Flash based client-side vulnerabilities such as Flash XSS, Flash Open Redirect or Flash Content Injection.\n* Any activity that could lead to the disruption of our service (DoS, DDoS).\n\nThank you for helping keep Flutter UK\u0026I and our users safe!\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-09-16T12:01:16.996Z"},{"id":3756516,"new_policy":"Flutter UK \u0026 Ireland looks forward to work with the security community to find vulnerabilities in our brands to keep our businesses and customers safe.\nThe **only brands in scope** of this program are **Betfair, Paddy Power and Sky Betting and Gaming**. Please carefully review the scope section for more details.\n\n# SLA\nFlutter UK \u0026 Ireland will make a best effort to meet the following SLAs for hackers participating in our program:\n* Time to triage - first line by HackerOne - 4 business days\n* Time to triage - second line by Flutter UKI - 6 business days\n* Time to bounty (from report submit date) - 8 business days\n\nWe’ll keep you informed about your reports’ state throughout the process.\n\n# Recommendations\n* usage of an IP address from UK or Ireland to prevent geo-blocks\n* usage of identifiers that help to determine you are a security researcher, in logs and account details (e.g. 
HackerOne email alias)\n\n# Responsible Disclosure \u0026 Credit\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* Any information you receive or collect about us, our affiliates, users, employees or agents must be kept confidential. It’s strictly prohibited to use, disclose or distribute any such information. \n* Written permission from Flutter UK\u0026I is required for the disclosure of any vulnerability found. Disclosure requests must be submitted through the HackerOne platform.\n\n# Program Rules\n* You must be 18 years of age or older and meet the other eligibility and verification criteria to use our services, as outlined in our General Terms \u0026 Conditions available at https://support.skybet.com/s/article/Sky-Betting-and-Gaming-General-Terms-Conditions , https://www.betfair.com/aboutUs/Terms.and.Conditions/ and https://www.paddypower.com/aboutUs/Terms.and.Conditions/.\n* In connection with your participation in this program you agree to comply with all applicable local and national laws.\n* You must use your own account (or a dedicated test account) for testing or research purposes. Do not attempt to gain access to another user's account or confidential information. To prove cross-user account access both accounts must be registered to yourself.\n* Make a good faith effort to avoid privacy violations and destruction of data. Only interact with accounts you own. Also, any operation that leads to the interruption or degradation of our services is explicitly forbidden. \n* Don't use common vulnerability scanners. The search for vulnerabilities should be manual, although custom tools with automated requests are allowed if limited to 5 requests per second. \n* Minimize the mayhem. For instance, when testing for a command injection vulnerability, it is sufficient to show the output of the id or hostname commands, and you should stop the exploitation at this point.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue it won’t be eligible for a reward.\n* Submit one vulnerability per report, unless you can chain vulnerabilities to increase impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded with only one bounty (e.g. multiple domains that point to the same component, general caching vulnerabilities, etc.). Only the first report will be valid, the other reports will be closed as duplicates.\n\nATTENTION, when analysing applications that are hosted by Cloud Service Providers (CSPs), carefully read and always oblige to the CSP Rules Of Engagement (ROE). Examples:\n- ROE for AWS: https://aws.amazon.com/security/penetration-testing/\n- ROE for Azure: https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement\n- ROE for Google Cloud: https://cloud.google.com/security/overview/\n(these are just examples, always identify the CSP and follow its Rules of Engagement)\n\n\n# Out of scope vulnerabilities\nThe following issues are considered out of scope and won’t be eligible for a bounty:\n* Security issues/best practices that can’t be exploited with real impact (e.g. outdated service, missing cookie flags, clickjacking/CSRF on endpoints with no sensitive actions/data, lack of DKIM/DMARC/SPF, etc.). All reports require a working PoC exploit to be considered valid. 
For example, a lack of bruteforce protection report requires a PoC with your own account where the password is successfully guessed after 100 failed attempts (using a wordlist with 100 random words before your own testing password).\n* WordPress issues without real impact such as user enumeration and the presence of Xmlrpc.php (https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue).\n* Attacks requiring MitM or physical access to a user's device (e.g. lack of TLS protection on non-sensitive HTTP communication, etc.).\n* Flash based client-side vulnerabilities such as Flash XSS, Flash Open Redirect or Flash Content Injection.\n* Any activity that could lead to the disruption of our service (DoS, DDoS).\n\nThank you for helping keep Flutter UK\u0026I and our users safe!\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-29T08:55:57.241Z"},{"id":3756454,"new_policy":"Flutter UK \u0026 Ireland looks forward to work with the security community to find vulnerabilities in our brands to keep our businesses and customers safe.\nThe **only brands in scope** of this program are **Betfair, Paddy Power and Sky Betting and Gaming**. 
Please carefully review the scope section for more details.\n\n# SLA\nFlutter UK \u0026 Ireland will make a best effort to meet the following SLAs for hackers participating in our program:\n* Time to triage - first line by HackerOne - 4 business days\n* Time to triage - second line by Flutter UKI - 6 business days\n* Time to bounty (from report submit date) - 8 business days\n\nWe’ll keep you informed about your reports’ state throughout the process.\n\n# Recommendations\n* usage of an IP address from UK or Ireland to prevent geo-blocks\n* usage of identifiers that help to determine you are a security researcher, in logs and account details (e.g. HackerOne email alias)\n\n# Responsible Disclosure \u0026 Credit\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* Any information you receive or collect about us, our affiliates, users, employees or agents must be kept confidential. It’s strictly prohibited to use, disclose or distribute any such information. \n* Written permission from Flutter UK\u0026I is required for the disclosure of any vulnerability found. Disclosure requests must be submitted through the HackerOne platform.\n\n# Program Rules\n* You must be 18 years of age or older and meet the other eligibility and verification criteria to use our services, as outlined in our General Terms \u0026 Conditions available at https://support.skybet.com/s/article/Sky-Betting-and-Gaming-General-Terms-Conditions , https://www.betfair.com/aboutUs/Terms.and.Conditions/ and https://www.paddypower.com/aboutUs/Terms.and.Conditions/.\n* In connection with your participation in this program you agree to comply with all applicable local and national laws.\n* You must use your own account (or a dedicated test account) for testing or research purposes. Do not attempt to gain access to another user's account or confidential information. 
To prove cross-user account access both accounts must be registered to yourself.\n* Make a good faith effort to avoid privacy violations and destruction of data. Only interact with accounts you own. Also, any operation that leads to the interruption or degradation of our services is explicitly forbidden. \n* Don't use common vulnerability scanners. The search for vulnerabilities should be manual, although custom tools with automated requests are allowed if limited to 5 requests per second. \n* Minimize the mayhem. For instance, when testing for a command injection vulnerability, it is sufficient to show the output of the id or hostname commands, and you should stop the exploitation at this point.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue it won’t be eligible for a reward.\n* Submit one vulnerability per report, unless you can chain vulnerabilities to increase impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded with only one bounty (e.g. multiple domains that point to the same component, general caching vulnerabilities, etc.). Only the first report will be valid, the other reports will be closed as duplicates.\n\nATTENTION, when analysing applications that are hosted by Cloud Service Providers (CSPs), carefully read and always oblige to the CSP Rules Of Engagement (ROE). 
Examples:\n- ROE for AWS: https://aws.amazon.com/security/penetration-testing/\n- ROE for Azure: https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement\n- ROE for Google Cloud: https://cloud.google.com/security/overview/\n(these are just examples, always identify the CSP and follow its Rules of Engagement)\n\n\n# Out of scope vulnerabilities\nThe following issues are considered out of scope and won’t be eligible for a bounty:\n* Security issues/best practices that can’t be exploited with real impact (e.g. outdated service, missing cookie flags, clickjacking/CSRF on endpoints with no sensitive actions/data, lack of DKIM/DMARC/SPF, etc.). All reports require a working PoC exploit to be considered valid. For example, a lack of bruteforce protection report requires a PoC with your own account where the password is successfully guessed after 100 failed attempts (using a wordlist with 100 random words before your own testing password).\n* WordPress issues without real impact such as user enumeration and the presence of Xmlrpc.php (https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue).\n* Attacks requiring MitM or physical access to a user's device (e.g. 
lack of TLS protection on non-sensitive HTTP communication, etc.).\n* Flash based client-side vulnerabilities such as Flash XSS, Flash Open Redirect or Flash Content Injection.\n* Any activity that could lead to the disruption of our service (DoS, DDoS).\n\nThank you for helping keep Flutter UK\u0026I and our users safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-28T13:56:06.379Z"},{"id":3722438,"new_policy":"Flutter UK \u0026 Ireland looks forward to work with the security community to find vulnerabilities in our brands to keep our businesses and customers safe.\nThe **only brands in scope** of this program are **Betfair, Paddy Power and Sky Betting and Gaming**. Please carefully review the scope section for more details.\n\n# SLA\nFlutter UK \u0026 Ireland will make a best effort to meet the following SLAs for hackers participating in our program:\n* Time to triage - first line by HackerOne - 4 business days\n* Time to triage - second line by Flutter UKI - 6 business days\n* Time to bounty (from report submit date) - 8 business days\n\nWe’ll keep you informed about your reports’ state throughout the process.\n\n# Recommendations\n* usage of an IP address from UK or Ireland to prevent geo-blocks\n* usage of identifiers that help to determine you are a security researcher, in logs and account details (e.g. HackerOne email alias)\n\n# Responsible Disclosure \u0026 Credit\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* Any information you receive or collect about us, our affiliates, users, employees or agents must be kept confidential. It’s strictly prohibited to use, disclose or distribute any such information. 
\n* Written permission from Flutter UK\u0026I is required for the disclosure of any vulnerability found. Disclosure requests must be submitted through the HackerOne platform.\n\n# Program Rules\n* You must be 18 years of age or older and meet the other eligibility and verification criteria to use our services, as outlined in our General Terms \u0026 Conditions available at https://support.skybet.com/s/article/Sky-Betting-and-Gaming-General-Terms-Conditions , https://www.betfair.com/aboutUs/Terms.and.Conditions/ and https://www.paddypower.com/aboutUs/Terms.and.Conditions/.\n* In connection with your participation in this program you agree to comply with all applicable local and national laws.\n* You must use your own account (or a dedicated test account) for testing or research purposes. Do not attempt to gain access to another user's account or confidential information. To prove cross-user account access both accounts must be registered to yourself.\n* Make a good faith effort to avoid privacy violations and destruction of data. Only interact with accounts you own. Also, any operation that leads to the interruption or degradation of our services is explicitly forbidden. \n* Don't use common vulnerability scanners. The search for vulnerabilities should be manual, although custom tools with automated requests are allowed if limited to 5 requests per second. \n* Minimize the mayhem. For instance, when testing for a command injection vulnerability, it is sufficient to show the output of the id or hostname commands, and you should stop the exploitation at this point.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue it won’t be eligible for a reward.\n* Submit one vulnerability per report, unless you can chain vulnerabilities to increase impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded with only one bounty (e.g. multiple domains that point to the same component, general caching vulnerabilities, etc.). Only the first report will be valid, the other reports will be closed as duplicates.\n\nATTENTION, when analysing applications that are hosted by Cloud Service Providers (CSPs), carefully read and always oblige to the CSP Rules Of Engagement (ROE). Examples:\n- ROE for AWS: https://aws.amazon.com/security/penetration-testing/\n- ROE for Azure: https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement\n- ROE for Google Cloud: https://cloud.google.com/security/overview/\n(these are just examples, always identify the CSP and follow its Rules of Engagement)\n\n\n# Out of scope vulnerabilities\nThe following issues are considered out of scope and won’t be eligible for a bounty:\n* Security issues/best practices that can’t be exploited with real impact (e.g. outdated service, missing cookie flags, clickjacking/CSRF on endpoints with no sensitive actions/data, lack of DKIM/DMARC/SPF, etc.). All reports require a working PoC exploit to be considered valid. 
For example, a lack of bruteforce protection report requires a PoC with your own account where the password is successfully guessed after 100 failed attempts (using a wordlist with 100 random words before your own testing password).\n* WordPress issues without real impact such as user enumeration and the presence of Xmlrpc.php (https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue).\n* Attacks requiring MitM or physical access to a user's device (e.g. lack of TLS protection on non-sensitive HTTP communication, etc.).\n* Flash based client-side vulnerabilities such as Flash XSS, Flash Open Redirect or Flash Content Injection.\n* Any activity that could lead to the disruption of our service (DoS, DDoS).\n\nThank you for helping keep Flutter UK\u0026I and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-03T14:19:08.662Z"},{"id":3689414,"new_policy":"Flutter UK \u0026 Ireland looks forward to work with the security community to find vulnerabilities in our brands to keep our businesses and customers safe.\nThe **only brands in scope** of this program are **Betfair, Paddy Power and Sky Betting and Gaming**. 
Please carefully review the scope section for more details.\n\n# SLA\nFlutter UK \u0026 Ireland will make a best effort to meet the following SLAs for hackers participating in our program:\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 4 business days\n* Time to bounty (from report submit) - 6 business days\n\nWe’ll keep you informed about your reports’ state throughout the process.\n\n# Recommendations\n* usage of an IP address from UK or Ireland to prevent geo-blocks\n* usage of identifiers that help to determine you are a security researcher, in logs and account details (e.g. HackerOne email alias)\n\n# Responsible Disclosure \u0026 Credit\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* Any information you receive or collect about us, our affiliates, users, employees or agents must be kept confidential. It’s strictly prohibited to use, disclose or distribute any such information. \n* Written permission from Flutter UK\u0026I is required for the disclosure of any vulnerability found. Disclosure requests must be submitted through the HackerOne platform.\n\n# Program Rules\n* You must be 18 years of age or older and meet the other eligibility and verification criteria to use our services, as outlined in our General Terms \u0026 Conditions available at https://support.skybet.com/s/article/Sky-Betting-and-Gaming-General-Terms-Conditions , https://www.betfair.com/aboutUs/Terms.and.Conditions/ and https://www.paddypower.com/aboutUs/Terms.and.Conditions/.\n* In connection with your participation in this program you agree to comply with all applicable local and national laws.\n* You must use your own account (or a dedicated test account) for testing or research purposes. Do not attempt to gain access to another user's account or confidential information. 
To prove cross-user account access both accounts must be registered to yourself.\n* Make a good faith effort to avoid privacy violations and destruction of data. Only interact with accounts you own. Also, any operation that leads to the interruption or degradation of our services is explicitly forbidden. \n* Don't use common vulnerability scanners. The search for vulnerabilities should be manual, although custom tools with automated requests are allowed if limited to 5 requests per second. \n* Minimize the mayhem. For instance, when testing for a command injection vulnerability, it is sufficient to show the output of the id or hostname commands, and you should stop the exploitation at this point.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue it won’t be eligible for a reward.\n* Submit one vulnerability per report, unless you can chain vulnerabilities to increase impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded with only one bounty (e.g. multiple domains that point to the same component, general caching vulnerabilities, etc.). Only the first report will be valid, the other reports will be closed as duplicates.\n\nATTENTION, when analysing applications that are hosted by Cloud Service Providers (CSPs), carefully read and always oblige to the CSP Rules Of Engagement (ROE). 
Examples:\n- ROE for AWS: https://aws.amazon.com/security/penetration-testing/\n- ROE for Azure: https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement\n- ROE for Google Cloud: https://cloud.google.com/security/overview/\n(these are just examples, always identify the CSP and follow its Rules of Engagement)\n\n\n# Out of scope vulnerabilities\nThe following issues are considered out of scope and won’t be eligible for a bounty:\n* Security issues/best practices that can’t be exploited with real impact (e.g. outdated service, missing cookie flags, clickjacking/CSRF on endpoints with no sensitive actions/data, lack of DKIM/DMARC/SPF, etc.). All reports require a working PoC exploit to be considered valid. For example, a lack of bruteforce protection report requires a PoC with your own account where the password is successfully guessed after 100 failed attempts (using a wordlist with 100 random words before your own testing password).\n* WordPress issues without real impact such as user enumeration and the presence of Xmlrpc.php (https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue).\n* Attacks requiring MitM or physical access to a user's device (e.g. 
lack of TLS protection on non-sensitive HTTP communication, etc.).\n* Flash based client-side vulnerabilities such as Flash XSS, Flash Open Redirect or Flash Content Injection.\n* Any activity that could lead to the disruption of our service (DoS, DDoS).\n\nThank you for helping keep Flutter UK\u0026I and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-06-15T15:41:20.340Z"},{"id":3689413,"new_policy":"Flutter UK \u0026 Ireland looks forward to work with the security community to find vulnerabilities in our brands to keep our businesses and customers safe.\nThe **only brands in scope** of this program are **Betfair, Paddy Power and Sky Betting and Gaming**. Please carefully review the scope section for more details.\n\n# SLA\nFlutter UK \u0026 Ireland will make a best effort to meet the following SLAs for hackers participating in our program:\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 4 business days\n* Time to bounty (from report submit) - 6 business days\n\nWe’ll keep you informed about your reports’ state throughout the process.\n\n# Responsible Disclosure \u0026 Credit\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* Any information you receive or collect about us, our affiliates, users, employees or agents must be kept confidential. It’s strictly prohibited to use, disclose or distribute any such information. \n* Written permission from Flutter UK\u0026I is required for the disclosure of any vulnerability found. 
Disclosure requests must be submitted through the HackerOne platform.\n\n# Program Rules\n* You must be 18 years of age or older and meet the other eligibility and verification criteria to use our services, as outlined in our General Terms \u0026 Conditions available at https://support.skybet.com/s/article/Sky-Betting-and-Gaming-General-Terms-Conditions , https://www.betfair.com/aboutUs/Terms.and.Conditions/ and https://www.paddypower.com/aboutUs/Terms.and.Conditions/.\n* In connection with your participation in this program you agree to comply with all applicable local and national laws.\n* You must use your own account (or a dedicated test account) for testing or research purposes. Do not attempt to gain access to another user's account or confidential information. To prove cross-user account access both accounts must be registered to yourself.\n* Make a good faith effort to avoid privacy violations and destruction of data. Only interact with accounts you own. Also, any operation that leads to the interruption or degradation of our services is explicitly forbidden. \n* Don't use common vulnerability scanners. The search for vulnerabilities should be manual, although custom tools with automated requests are allowed if limited to 5 requests per second. \n* Minimize the mayhem. For instance, when testing for a command injection vulnerability, it is sufficient to show the output of the id or hostname commands, and you should stop the exploitation at this point.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue it won’t be eligible for a reward.\n* Submit one vulnerability per report, unless you can chain vulnerabilities to increase impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded with only one bounty (e.g. multiple domains that point to the same component, general caching vulnerabilities, etc.). Only the first report will be valid, the other reports will be closed as duplicates.\n\nATTENTION, when analysing applications that are hosted by Cloud Service Providers (CSPs), carefully read and always oblige to the CSP Rules Of Engagement (ROE). Examples:\n- ROE for AWS: https://aws.amazon.com/security/penetration-testing/\n- ROE for Azure: https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement\n- ROE for Google Cloud: https://cloud.google.com/security/overview/\n(these are just examples, always identify the CSP and follow its Rules of Engagement)\n\n\n# Out of scope vulnerabilities\nThe following issues are considered out of scope and won’t be eligible for a bounty:\n* Security issues/best practices that can’t be exploited with real impact (e.g. outdated service, missing cookie flags, clickjacking/CSRF on endpoints with no sensitive actions/data, lack of DKIM/DMARC/SPF, etc.). All reports require a working PoC exploit to be considered valid. 
For example, a report of missing brute-force protection requires a PoC with your own account where the password is successfully guessed after 100 failed attempts (using a wordlist with 100 random words before your own testing password).\n* WordPress issues without real impact such as user enumeration and the presence of xmlrpc.php (https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue).\n* Attacks requiring MitM or physical access to a user's device (e.g. lack of TLS protection on non-sensitive HTTP communication, etc.).\n* Flash-based client-side vulnerabilities such as Flash XSS, Flash Open Redirect or Flash Content Injection.\n* Any activity that could lead to the disruption of our service (DoS, DDoS).\n\nThank you for helping keep Flutter UK\u0026I and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-06-15T15:34:47.200Z"},{"id":3659659,"new_policy":"Flutter UK \u0026 Ireland looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.\n\n# SLA\nFlutter UK \u0026 Ireland will make a best effort to meet the following SLAs for hackers participating in our program:\n* Time to first response (from report submission) - 2 business days\n* Time to triage (from report submission) - 4 business days\n* Time to bounty (from triage) - 6 business days\n\nWe’ll keep you informed about your reports’ state throughout the process.\n\n# Responsible Disclosure \u0026 Credit\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* Any information you receive or collect about us, our affiliates, users, employees or agents 
must be kept confidential. It’s strictly prohibited to use, disclose or distribute any such information. \n* Written permission from Flutter UK\u0026I is required for the disclosure of any vulnerability found. Disclosure requests must be submitted through the HackerOne platform.\n\n# Program Rules\n* You must be 18 years of age or older and meet the other eligibility and verification criteria to use our services, as outlined in our General Terms \u0026 Conditions available at https://support.skybet.com/s/article/Sky-Betting-and-Gaming-General-Terms-Conditions , https://www.betfair.com/aboutUs/Terms.and.Conditions/ and https://www.paddypower.com/aboutUs/Terms.and.Conditions/.\n* In connection with your participation in this program you agree to comply with all applicable local and national laws.\n* You must use your own account (or a dedicated test account) for testing or research purposes. Do not attempt to gain access to another user's account or confidential information. To prove cross-user account access both accounts must be registered to yourself.\n* Make a good faith effort to avoid privacy violations and destruction of data. Only interact with accounts you own. Also, any operation that leads to the interruption or degradation of our services is explicitly forbidden. \n* Don't use common vulnerability scanners. The search for vulnerabilities should be manual, although custom tools with automated requests are allowed if limited to 5 requests per second. \n* Minimize the mayhem. For instance, when testing for a command injection vulnerability, it is sufficient to show the output of the id or hostname commands, and you should stop the exploitation at this point.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, it won’t be eligible for a reward.\n* Submit one vulnerability per report, unless you can chain vulnerabilities to increase impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded only one bounty (e.g. multiple domains that point to the same component, general caching vulnerabilities, etc.). Only the first report will be valid; the other reports will be closed as duplicates.\n\nATTENTION, when analysing applications that are hosted by Cloud Service Providers (CSPs), carefully read and always comply with the CSP Rules of Engagement (ROE). Examples:\n- ROE for AWS: https://aws.amazon.com/security/penetration-testing/\n- ROE for Azure: https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement\n- ROE for Google Cloud: https://cloud.google.com/security/overview/\n(these are just examples, always identify the CSP and follow its Rules of Engagement)\n\n\n# Out of scope vulnerabilities\nThe following issues are considered out of scope and won’t be eligible for a bounty:\n* Security issues/best practices that can’t be exploited with real impact (e.g. outdated service, missing cookie flags, clickjacking/CSRF on endpoints with no sensitive actions/data, lack of DKIM/DMARC/SPF, etc.). All reports require a working PoC exploit to be considered valid. 
For example, a report of missing brute-force protection requires a PoC with your own account where the password is successfully guessed after 100 failed attempts (using a wordlist with 100 random words before your own testing password).\n* WordPress issues without real impact such as user enumeration and the presence of xmlrpc.php (https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue).\n* Attacks requiring MitM or physical access to a user's device (e.g. lack of TLS protection on non-sensitive HTTP communication, etc.).\n* Flash-based client-side vulnerabilities such as Flash XSS, Flash Open Redirect or Flash Content Injection.\n* Any activity that could lead to the disruption of our service (DoS, DDoS).\n\nThank you for helping keep Flutter UK\u0026I and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-10-07T08:01:45.743Z"},{"id":3640873,"new_policy":"Paddy Power Betfair looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.\n\n# SLA\nPaddy Power Betfair will make a best effort to meet the following SLAs for hackers participating in our program:\n* Time to first response (from report submission) - 2 business days\n* Time to triage (from report submission) - 4 business days\n* Time to bounty (from triage) - 6 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Don't use common vulnerability scanners. The search for vulnerabilities should be manual, although custom tools with automated requests are allowed, if they respect the limit of 5 requests per second. \n\nATTENTION, when analysing applications that are hosted by Cloud Service Providers (CSPs), carefully read and always comply with the CSP Rules of Engagement (ROE). Examples:\n- ROE for AWS: https://aws.amazon.com/security/penetration-testing/\n- ROE for Azure: https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement\n- ROE for Google Cloud: https://cloud.google.com/security/overview/\n(these are just examples, always identify the CSP and follow its Rules of Engagement)\n\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n* Bypassing Cloudflare (CF) protection by using a PPB IP address as the destination, instead of a PPB domain, is out of scope: we are migrating applications to CF, so such a bypass may be possible temporarily for a short period of time. This exclusion covers only the bypass itself. 
If you do find a vulnerability in a PPB application, it can still be accepted as valid.\n* Clickjacking on pages with no sensitive actions.\n* Missing Secure and HttpOnly flags on cookies.\n* Security issues reported without any exploitation (e.g. outdated service)\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Lack of security configuration best practices without a working Proof of Concept demonstrating an exploitable scenario (e.g. CSP, HSTS, certificate pinning)\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS, DDoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Missing email configuration best practices like DKIM, SPF or similar without direct impact for the company\n* Username/email enumeration\n* Any vulnerabilities in Betfair Australia hosts (Betfair Australia is not part of PPB group)\n* Any vulnerabilities in Betfair US hosts (Betfair US is not part of PPB group)\n* Flash-based client-side vulnerabilities such as Flash XSS, Flash Open Redirect or Flash Content Injection\n\nThank you for helping keep Paddy Power Betfair and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-08-03T11:07:23.382Z"},{"id":3636388,"new_policy":"Paddy Power Betfair looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.\n\n# SLA\nPaddy Power Betfair will make a best effort to meet the following SLAs for hackers 
participating in our program:\n* Time to first response (from report submission) - 2 business days\n* Time to triage (from report submission) - 4 business days\n* Time to bounty (from triage) - 6 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Don't use common vulnerability scanners. The search for vulnerabilities should be manual, although custom tools with automated requests are allowed, if they respect the limit of 5 requests per second. \n\nATTENTION, when analysing applications that are hosted by Cloud Service Providers (CSPs), carefully read and always comply with the CSP Rules of Engagement (ROE). 
Examples:\n- ROE for AWS: https://aws.amazon.com/security/penetration-testing/\n- ROE for Azure: https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement\n- ROE for Google Cloud: https://cloud.google.com/security/overview/\n(these are just examples, always identify the CSP and follow its Rules of Engagement)\n\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n* Clickjacking on pages with no sensitive actions.\n* Missing Secure and HttpOnly flags on cookies.\n* Security issues reported without any exploitation (e.g. outdated service)\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Lack of security configuration best practices without a working Proof of Concept demonstrating an exploitable scenario (e.g. CSP, HSTS, certificate pinning)\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS, DDoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Missing email configuration best practices like DKIM, SPF or similar without direct impact for the company\n* Username/email enumeration\n* Any vulnerabilities in Betfair Australia hosts (Betfair Australia is not part of PPB group)\n* Any vulnerabilities in Betfair US hosts (Betfair US is not part of PPB group)\n* Flash-based client-side vulnerabilities such as Flash XSS, Flash Open Redirect or Flash Content Injection\n\nThank you for helping keep Paddy Power Betfair and our users 
safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-05-18T10:13:10.206Z"}]