[{"id":3723898,"new_policy":"\nNBA Vulnerability Disclosure Program\n=\n___\n\n\u0026nbsp;\n\nTable of Contents\n=\n* [Program Governance](#user-content-program-governance)\n* [Program Scope](#user-content-vdp-scope)\n* [In-Scope Vulnerabilities](#user-content-in-scope-vulnerabilities)\n* [Out of Scope Vulnerabilities](#user-content-out-of-scope-vulnerabilities)\n* [Rules of Engagement](#user-content-rules-of-engagement)\n* [Response Targets](#user-content-response-targets)\n* [Disclosure Policy](#user-content-disclosure-policy)\n\n\n\u0026nbsp;\n\nProgram Governance\n-\n\nThe NBA is more than just a basketball company. We are a global brand operating in the sports, media, entertainment, and commerce sectors. Fueled by technology \u0026 innovation, we have created a fan-first international direct-to-consumer business, producing some of the most compelling live entertainment experiences, gaining interest from fans globally, and driving social impact/justice change in communities where we live, work, and play. \n\nThe NBA prioritizes the security of our organization and fans, and we want to recognize researchers for their efforts in helping to reduce cyber risk. Participating in the NBA’s vulnerability disclosure program is a unique opportunity to showcase your skills and earn reputation points while helping assure the security of our applications. By identifying and reporting vulnerability findings, you’ll not only contribute to the protection of our users and data, but also have the chance to gain recognition in the security community. We greatly value the positive impact of your work and thank you in advance for your contributions. Happy hacking!\n\n\n\u0026nbsp;\nVDP Scope\n-\nThe NBA has a vast infrastructure within the public domain. However, not all digital assets are owned and managed by the NBA, making it necessary to adhere to the list of in-scope assets. Please limit testing to the applications listed within the Assets section marked as in-scope. Performing security testing on applications that are not in-scope is strictly prohibited.\n\n\n\u0026nbsp;\nIn-Scope Vulnerabilities\n-\nThe NBA has adopted the OWASP Top 10 to ensure our web applications are security-hardened to top relevant risks and vulnerabilities. Our analysis will consider cyber risk triad: Confidentiality, Integrity, \u0026 Availability with the lens of business exposure and sensitive data exposed to determine a finding’s severity. The list below illustrates vulnerability types of most interest to the NBA.\n* Broken Access Control\n* Cryptographic Failures\n* Remote Code Execution (RCE)\n* Cross-Site Scripting (XSS)\n* Injection\n* Insecure Design\n* Security Misconfiguration\n* Account Takeover (ATO)\n* Vulnerable and Outdated Components\n* Identification and Authentication Failures\n* Software and Data Integrity Failures\n* Security Logging and Monitoring Failures\n* Server-Side Request Forgery (SSRF)\n\n\n\u0026nbsp;\nOut of Scope Vulnerabilities\n-\nThe following vulnerability types are out of scope and thus not accepted. \n* Denial of Service (DoS) or Distributed Denial of Service (DDoS)\n* Cache Poisoning\n* HTTP Request Smuggling\n* Server Information \u0026 Status Pages\n* SSL/TLS Best Practices\n* Reports from automated tools or scans\n* Social Engineering\n* Vulnerabilities on out-of-scope assets\n* Verbose error messages without proof of exploitability\n* Issues without clearly defined security impact\n* Self-exploitation\n* Brute forcing\n* Banner Grabbing\n* Absence of SPF/DMARC records\n* NBA ID fan account credentials\n\n\n\u0026nbsp;\nRules of Engagement\n-\n* Do not perform attacks that can lead to denial of service (DoS/DDoS)\n* Do not perform social engineering or brute-forcing attacks \n* Do not perform testing on out-of-scope assets\n* Do not perform aggressive vulnerability scans\n* Do not modify any files or data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability\n\n\u0026nbsp;\nResponse Targets\n-\n\nThe NBA will make a best effort to meet the following response targets for hackers participating in our program. We will try to keep you informed about our progress throughout the process.\n\n|Response Target|Time (Business Days)|\n|:---|:---|\n|First Response|1 day|\n|Triage|2 days| \n|Resolution|Dependent on severity \u0026 complexity|\n\n\u0026nbsp;\nDisclosure Policy\n-\nPlease do not discuss the vulnerabilities (even if resolved) outside of the program without express consent from the NBA. The NBA strictly prohibits public storage of data discovered during security testing; all data must be secured at-rest and in-transit to assure the confidentiality of sensitive information. All researchers participating in the NBA Public Vulnerability Disclosure Program must adhere to the Disclosure Guidelines defined by HackerOne (https://www.hackerone.com/disclosure-guidelines). \n\n\u0026nbsp;\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-19T15:56:15.449Z"},{"id":3723897,"new_policy":"\nNBA Vulnerability Disclosure Program\n=\n___\n\n\u0026nbsp;\n\nTable of Contents\n=\n* [Program Governance](#user-content-program-governance)\n* [Program Scope](#user-content-vdp-scope)\n* [In-Scope Vulnerabilities](#user-content-in-scope-vulnerabilities)\n* [Out of Scope Vulnerabilities](#user-content-out-of-scope-vulnerabilities)\n* [Rules of Engagement](#user-content-rules-of-engagement)\n* [Response Targets](#user-content-response-targets)\n* [Disclosure Policy](#user-content-disclosure-policy)\n\n\n\u0026nbsp;\n\nProgram Governance\n-\n\nThe NBA is more than just a basketball company. We are a global brand operating in the sports, media, entertainment, and commerce sectors. Fueled by technology \u0026 innovation, we have created a fan-first international direct-to-consumer business, producing some of the most compelling live entertainment experiences, gaining interest from fans globally, and driving social impact/justice change in communities where we live, work, and play. \n\nThe NBA prioritizes the security of our organization and fans, and we want to recognize researchers for their efforts in helping to reduce cyber risk. Participating in the NBA’s vulnerability disclosure program is a unique opportunity to showcase your skills and earn reputation points while helping assure the security of our applications. By identifying and reporting vulnerability findings, you’ll not only contribute to the protection of our users and data, but also have the chance to gain recognition in the security community. We greatly value the positive impact of your work and thank you in advance for your contributions. Happy hacking!\n\n\n\u0026nbsp;\nVDP Scope\n-\nThe NBA has a vast infrastructure within the public domain. However, not all digital assets are owned and managed by the NBA, making it necessary to adhere to the list of in-scope assets. Please limit testing to the applications listed below. Subdomains of the applications below are out of scope for testing. Performing security testing on applications that are not in-scope is strictly prohibited.\n* nba.com\n* wnba.com\n* gleague.nba.com\n* 2kleague.nba.com\n* bal.nba.com\n* teamportal.nba.com\n* identity.nba.com\n* core-api.nba.com\n* content-api-prod.nba.com\n* stats-trafficcop-prod.nba.com\n* cdn.nba.com\n\n\n\u0026nbsp;\nIn-Scope Vulnerabilities\n-\nThe NBA has adopted the OWASP Top 10 to ensure our web applications are security-hardened to top relevant risks and vulnerabilities. Our analysis will consider cyber risk triad: Confidentiality, Integrity, \u0026 Availability with the lens of business exposure and sensitive data exposed to determine a finding’s severity. The list below illustrates vulnerability types of most interest to the NBA.\n* Broken Access Control\n* Cryptographic Failures\n* Remote Code Execution (RCE)\n* Cross-Site Scripting (XSS)\n* Injection\n* Insecure Design\n* Security Misconfiguration\n* Account Takeover (ATO)\n* Vulnerable and Outdated Components\n* Identification and Authentication Failures\n* Software and Data Integrity Failures\n* Security Logging and Monitoring Failures\n* Server-Side Request Forgery (SSRF)\n\n\n\u0026nbsp;\nOut of Scope Vulnerabilities\n-\nThe following vulnerability types are out of scope and thus not accepted. \n* Denial of Service (DoS) or Distributed Denial of Service (DDoS)\n* Cache Poisoning\n* HTTP Request Smuggling\n* Server Information \u0026 Status Pages\n* SSL/TLS Best Practices\n* Reports from automated tools or scans\n* Social Engineering\n* Vulnerabilities on out-of-scope assets\n* Verbose error messages without proof of exploitability\n* Issues without clearly defined security impact\n* Self-exploitation\n* Brute forcing\n* Banner Grabbing\n* Absence of SPF/DMARC records\n* NBA ID fan account credentials\n\n\n\u0026nbsp;\nRules of Engagement\n-\n* Do not perform attacks that can lead to denial of service (DoS/DDoS)\n* Do not perform social engineering or brute-forcing attacks \n* Do not perform testing on out-of-scope assets\n* Do not perform aggressive vulnerability scans\n* Do not modify any files or data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability\n\n\u0026nbsp;\nResponse Targets\n-\n\nThe NBA will make a best effort to meet the following response targets for hackers participating in our program. We will try to keep you informed about our progress throughout the process.\n\n|Response Target|Time (Business Days)|\n|:---|:---|\n|First Response|1 day|\n|Triage|2 days| \n|Resolution|Dependent on severity \u0026 complexity|\n\n\u0026nbsp;\nDisclosure Policy\n-\nPlease do not discuss the vulnerabilities (even if resolved) outside of the program without express consent from the NBA. The NBA strictly prohibits public storage of data discovered during security testing; all data must be secured at-rest and in-transit to assure the confidentiality of sensitive information. All researchers participating in the NBA Public Vulnerability Disclosure Program must adhere to the Disclosure Guidelines defined by HackerOne (https://www.hackerone.com/disclosure-guidelines). \n\n\u0026nbsp;\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-19T15:55:25.687Z"},{"id":3710277,"new_policy":"\nNBA Vulnerability Disclosure Program\n=\n___\n\n\u0026nbsp;\n\nTable of Contents\n=\n* [Program Governance](#user-content-program-governance)\n* [Program Scope](#user-content-vdp-scope)\n* [In-Scope Vulnerabilities](#user-content-in-scope-vulnerabilities)\n* [Out of Scope Vulnerabilities](#user-content-out-of-scope-vulnerabilities)\n* [Rules of Engagement](#user-content-rules-of-engagement)\n* [Response Targets](#user-content-response-targets)\n* [Disclosure Policy](#user-content-disclosure-policy)\n\n\n\u0026nbsp;\n\nProgram Governance\n-\n\nThe NBA is more than just a basketball company. We are a global brand operating in the sports, media, entertainment, and commerce sectors. Fueled by technology \u0026 innovation, we have created a fan-first international direct-to-consumer business, producing some of the most compelling live entertainment experiences, gaining interest from fans globally, and driving social impact/justice change in communities where we live, work, and play. \n\nThe NBA prioritizes the security of our organization and fans, and we want to recognize researchers for their efforts in helping to reduce cyber risk. Participating in the NBA’s vulnerability disclosure program is a unique opportunity to showcase your skills and earn reputation points while helping assure the security of our applications. By identifying and reporting vulnerability findings, you’ll not only contribute to the protection of our users and data, but also have the chance to gain recognition in the security community. We greatly value the positive impact of your work and thank you in advance for your contributions. Happy hacking!\n\n\n\u0026nbsp;\nVDP Scope\n-\nThe NBA has a vast infrastructure within the public domain. However, not all digital assets are owned and managed by the NBA, making it necessary to adhere to the list of in-scope assets. Please limit testing to the applications listed below. Subdomains of the applications below are out of scope for testing. Performing security testing on applications that are not in-scope is strictly prohibited.\n* nba.com\n* wnba.com\n* gleague.nba.com\n* 2kleague.nba.com\n* bal.nba.com\n* teamportal.nba.com\n* identity.nba.com\n* core-api.nba.com\n* content-api-prod.nba.com\n* stats-trafficcop-prod.nba.com\n* cdn.nba.com\n\n\n\u0026nbsp;\nIn-Scope Vulnerabilities\n-\nThe NBA has adopted the OWASP Top 10 to ensure our web applications are security-hardened to top relevant risks and vulnerabilities. Our analysis will consider cyber risk triad: Confidentiality, Integrity, \u0026 Availability with the lens of business exposure and sensitive data exposed to determine a finding’s severity. The list below illustrates vulnerability types of most interest to the NBA.\n* Broken Access Control\n* Cryptographic Failures\n* Remote Code Execution (RCE)\n* Cross-Site Scripting (XSS)\n* Injection\n* Insecure Design\n* Security Misconfiguration\n* Account Takeover (ATO)\n* Vulnerable and Outdated Components\n* Identification and Authentication Failures\n* Software and Data Integrity Failures\n* Security Logging and Monitoring Failures\n* Server-Side Request Forgery (SSRF)\n\n\n\u0026nbsp;\nOut of Scope Vulnerabilities\n-\nThe following vulnerability types are out of scope and thus not accepted. \n* Denial of Service (DoS) or Distributed Denial of Service (DDoS)\n* Cache Poisoning\n* HTTP Request Smuggling\n* Server Information \u0026 Status Pages\n* SSL/TLS Best Practices\n* Reports from automated tools or scans\n* Social Engineering\n* Vulnerabilities on out-of-scope assets\n* Verbose error messages without proof of exploitability\n* Issues without clearly defined security impact\n* Self-exploitation\n* Brute forcing\n* Banner Grabbing\n* Absence of SPF/DMARC records\n\n\u0026nbsp;\nRules of Engagement\n-\n* Do not perform attacks that can lead to denial of service (DoS/DDoS)\n* Do not perform social engineering or brute-forcing attacks \n* Do not perform testing on out-of-scope assets\n* Do not perform aggressive vulnerability scans\n* Do not modify any files or data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability\n\n\u0026nbsp;\nResponse Targets\n-\n\nThe NBA will make a best effort to meet the following response targets for hackers participating in our program. We will try to keep you informed about our progress throughout the process.\n\n|Response Target|Time (Business Days)|\n|:---|:---|\n|First Response|1 day|\n|Triage|2 days| \n|Resolution|Dependent on severity \u0026 complexity|\n\n\u0026nbsp;\nDisclosure Policy\n-\nPlease do not discuss the vulnerabilities (even if resolved) outside of the program without express consent from the NBA. The NBA strictly prohibits public storage of data discovered during security testing; all data must be secured at-rest and in-transit to assure the confidentiality of sensitive information. All researchers participating in the NBA Public Vulnerability Disclosure Program must adhere to the Disclosure Guidelines defined by HackerOne (https://www.hackerone.com/disclosure-guidelines). \n\n\u0026nbsp;\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-01-05T14:34:19.403Z"},{"id":3705256,"new_policy":"\nNBA Vulnerability Disclosure Program\n=\n___\n\n\u0026nbsp;\n\nTable of Contents\n=\n* [Program Governance](#user-content-program-governance)\n* [Program Scope](#user-content-vdp-scope)\n* [In-Scope Vulnerabilities](#user-content-in-scope-vulnerabilities)\n* [Out of Scope Vulnerabilities](#user-content-out-of-scope-vulnerabilities)\n* [Rules of Engagement](#user-content-rules-of-engagement)\n* [Response Targets](#user-content-response-targets)\n* [Disclosure Policy](#user-content-disclosure-policy)\n\n\n\u0026nbsp;\n\nProgram Governance\n-\n\nThe NBA is more than just a basketball company. We are a global brand operating in the sports, media, entertainment, and commerce sectors. Fueled by technology \u0026 innovation, we have created a fan-first international direct-to-consumer business, producing some of the most compelling live entertainment experiences, gaining interest from fans globally, and driving social impact/justice change in communities where we live, work, and play. \n\nThe NBA prioritizes the security of our organization and fans, and we want to recognize researchers for their efforts in helping to reduce cyber risk. Participating in the NBA’s vulnerability disclosure program is a unique opportunity to showcase your skills and earn reputation points while helping assure the security of our applications. By identifying and reporting vulnerability findings, you’ll not only contribute to the protection of our users and data, but also have the chance to gain recognition in the security community. We greatly value the positive impact of your work and thank you in advance for your contributions. Happy hacking!\n\n\n\u0026nbsp;\nVDP Scope\n-\nThe NBA has a vast infrastructure within the public domain. However, not all digital assets are owned and managed by the NBA, making it necessary to adhere to the list of in-scope assets. Please limit testing to the applications listed below. Subdomains of the applications below are out of scope for testing. Performing security testing on applications that are not in-scope is strictly prohibited.\n* nba.com\n* wnba.com\n* gleague.nba.com\n* 2kleague.nba.com\n* bal.nba.com\n* teamportal.nba.com\n* identity.nba.com\n* core-api.nba.com\n* content-api-prod.nba.com\n* stats-trafficcop-prod.nba.com\n* cdn.nba.com\n\n\n\u0026nbsp;\nIn-Scope Vulnerabilities\n-\nThe NBA has adopted the OWASP Top 10 to ensure our web applications are security-hardened to top relevant risks and vulnerabilities. Our analysis will consider cyber risk triad: Confidentiality, Integrity, \u0026 Availability with the lens of business exposure and sensitive data exposed to determine a finding’s severity. The list below illustrates vulnerability types of most interest to the NBA.\n* Broken Access Control\n* Cryptographic Failures\n* Remote Code Execution (RCE)\n* Cross-Site Scripting (XSS)\n* Injection\n* Insecure Design\n* Security Misconfiguration\n* Account Takeover (ATO)\n* Vulnerable and Outdated Components\n* Identification and Authentication Failures\n* Software and Data Integrity Failures\n* Security Logging and Monitoring Failures\n* Server-Side Request Forgery (SSRF)\n\n\n\u0026nbsp;\nOut of Scope Vulnerabilities\n-\nThe following vulnerability types are out of scope and thus not accepted. \n* Denial of Service (DoS) or Distributed Denial of Service (DDoS)\n* Cache Poisoning\n* Server Information \u0026 Status Pages\n* SSL/TLS Best Practices\n* Reports from automated tools or scans\n* Social Engineering\n* Vulnerabilities on out-of-scope assets\n* Verbose error messages without proof of exploitability\n* Issues without clearly defined security impact\n* Self-exploitation\n* Brute forcing\n* Banner Grabbing\n* Absence of SPF/DMARC records\n\n\u0026nbsp;\nRules of Engagement\n-\n* Do not perform attacks that can lead to denial of service (DoS/DDoS)\n* Do not perform social engineering or brute-forcing attacks \n* Do not perform testing on out-of-scope assets\n* Do not perform aggressive vulnerability scans\n* Do not modify any files or data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability\n\n\u0026nbsp;\nResponse Targets\n-\n\nThe NBA will make a best effort to meet the following response targets for hackers participating in our program. We will try to keep you informed about our progress throughout the process.\n\n|Response Target|Time (Business Days)|\n|:---|:---|\n|First Response|1 day|\n|Triage|2 days| \n|Resolution|Dependent on severity \u0026 complexity|\n\n\u0026nbsp;\nDisclosure Policy\n-\nPlease do not discuss the vulnerabilities (even if resolved) outside of the program without express consent from the NBA. The NBA strictly prohibits public storage of data discovered during security testing; all data must be secured at-rest and in-transit to assure the confidentiality of sensitive information. All researchers participating in the NBA Public Vulnerability Disclosure Program must adhere to the Disclosure Guidelines defined by HackerOne (https://www.hackerone.com/disclosure-guidelines). \n\n\u0026nbsp;\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-10-16T14:05:59.901Z"},{"id":3699332,"new_policy":"\nNBA Vulnerability Disclosure Program\n=\n___\n\n\u0026nbsp;\n\nTable of Contents\n=\n* [Program Governance](#user-content-program-governance)\n* [Program Scope](#user-content-vdp-scope)\n* [In-Scope Vulnerabilities](#user-content-in-scope-vulnerabilities)\n* [Out of Scope Vulnerabilities](#user-content-out-of-scope-vulnerabilities)\n* [Rules of Engagement](#user-content-rules-of-engagement)\n* [Response Targets](#user-content-response-targets)\n* [Disclosure Policy](#user-content-disclosure-policy)\n\n\n\u0026nbsp;\n\nProgram Governance\n-\n\nThe NBA is more than just a basketball company. We are a global brand operating in the sports, media, entertainment, and commerce sectors. Fueled by technology \u0026 innovation, we have created a fan-first international direct-to-consumer business, producing some of the most compelling live entertainment experiences, gaining interest from fans globally, and driving social impact/justice change in communities where we live, work, and play. \n\nThe NBA prioritizes the security of our organization and fans, and we want to recognize researchers for their efforts in helping to reduce cyber risk. Participating in the NBA’s vulnerability disclosure program is a unique opportunity to showcase your skills and earn reputation points while helping assure the security of our applications. By identifying and reporting vulnerability findings, you’ll not only contribute to the protection of our users and data, but also have the chance to gain recognition in the security community. We greatly value the positive impact of your work and thank you in advance for your contributions. Happy hacking!\n\n\n\u0026nbsp;\nVDP Scope\n-\nThe NBA has a vast infrastructure within the public domain. However, not all digital assets are owned and managed by the NBA, making it necessary to adhere to the list of in-scope assets. Please limit testing to the applications listed below. Subdomains of the applications below are out of scope for testing. Performing security testing on applications that are not in-scope is strictly prohibited.\n* nba.com\n* wnba.com\n* gleague.nba.com\n* 2kleague.nba.com\n* bal.nba.com\n* teamportal.nba.com\n* identity.nba.com\n* core-api.nba.com\n* content-api-prod.nba.com\n* stats-trafficcop-prod.nba.com\n* cdn.nba.com\n\n\n\u0026nbsp;\nIn-Scope Vulnerabilities\n-\nThe NBA has adopted the OWASP Top 10 to ensure our web applications are security-hardened to top relevant risks and vulnerabilities. Our analysis will consider cyber risk triad: Confidentiality, Integrity, \u0026 Availability with the lens of business exposure and sensitive data exposed to determine a finding’s severity. The list below illustrates vulnerability types of most interest to the NBA.\n* Broken Access Control\n* Cryptographic Failures\n* Remote Code Execution (RCE)\n* Cross-Site Scripting (XSS)\n* Injection\n* Insecure Design\n* Security Misconfiguration\n* Account Takeover (ATO)\n* Vulnerable and Outdated Components\n* Identification and Authentication Failures\n* Software and Data Integrity Failures\n* Security Logging and Monitoring Failures\n* Server-Side Request Forgery (SSRF)\n\n\n\u0026nbsp;\nOut of Scope Vulnerabilities\n-\nThe following vulnerability types are out of scope and thus not accepted. \n* Denial of Service (DoS) or Distributed Denial of Service (DDoS)\n* Server Information \u0026 Status Pages\n* SSL/TLS Best Practices\n* Reports from automated tools or scans\n* Social Engineering\n* Vulnerabilities on out-of-scope assets\n* Verbose error messages without proof of exploitability\n* Issues without clearly defined security impact\n* Self-exploitation\n* Brute forcing\n* Banner Grabbing\n* Absence of SPF/DMARC records\n\n\u0026nbsp;\nRules of Engagement\n-\n* Do not perform attacks that can lead to denial of service (DoS/DDoS)\n* Do not perform social engineering or brute-forcing attacks \n* Do not perform testing on out-of-scope assets\n* Do not perform aggressive vulnerability scans\n* Do not modify any files or data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability\n\n\u0026nbsp;\nResponse Targets\n-\n\nThe NBA will make a best effort to meet the following response targets for hackers participating in our program. We will try to keep you informed about our progress throughout the process.\n\n|Response Target|Time (Business Days)|\n|:---|:---|\n|First Response|1 day|\n|Triage|2 days| \n|Resolution|Dependent on severity \u0026 complexity|\n\n\u0026nbsp;\nDisclosure Policy\n-\nPlease do not discuss the vulnerabilities (even if resolved) outside of the program without express consent from the NBA. The NBA strictly prohibits public storage of data discovered during security testing; all data must be secured at-rest and in-transit to assure the confidentiality of sensitive information. All researchers participating in the NBA Public Vulnerability Disclosure Program must adhere to the Disclosure Guidelines defined by HackerOne (https://www.hackerone.com/disclosure-guidelines). \n\n\u0026nbsp;\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-08-02T15:05:23.386Z"}]