[{"id":3763510,"new_policy":"***Please limit the number of requests to a maximum of 50/second.***\n***Do not use scanners such as Nessus, Acunetix, etc. We already scan our assets with these tools and you won't be rewarded if you report vulnerabilities found by scanners.***\n***All our LOGIN services are out of scope for the moment. Please review our Policy page.\nAny brute-force attempt on our login services will be considered misbehavior and you will be banned from the program. We won't reward any credentials identified using brute-force attacks.***\n# S3 bucket takeovers are temporarily out of scope.\n# Other types of subdomain takeover will be rewarded with $500 unless additional impact is demonstrated.\n# Leaked employee credentials (working credentials) will be rewarded with $250 unless additional impact is demonstrated.\n# IDOR/BAC vulnerabilities on SOCIAL functionality are out of scope.\n\nSuperbet will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 1 day |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Test Plan\nFor our main application (```superbet.ro``` / ```magicjackpot.ro```) you can create an account using a Romanian fake CNP generator such as https://isj.educv.ro/cnp/. Make sure you are using a Romanian VPN, as the portal works only for Romanian IPs.\n\n* Please add the following User-Agent header when you are using any automated tools or scripts: ```User-Agent: hackerone```. Requests that do not contain this header might get blocked by our tools/SOC team.\n\n# Disclosure Policy\n* Follow HackerOne's disclosure guidelines.\n* Do not disclose information about any found vulnerabilities without express consent from Superbet.\n* Disclosure requests must be made through the HackerOne platform - see instructions here. We will make the final decision on a per-report basis.\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS)\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or brute-force issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors)\n* Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Username / email enumeration\n* CORS issues without a working PoC\n* Login page or one of our websites over HTTP\n* Self XSS\n* As a rule of thumb, we don't reward vulnerabilities found in third parties. We have a lot of those, many of which have their own bug bounty programs, and the vulnerabilities affect many companies that integrate or use their software. 
This is why you should try to reach out to the company who originated the code and have these kinds of issues fixed upstream. We may try to reach the upstream provider ourselves to ensure that we're not keeping vulnerable code and, should we do so, you can be assured that you will be credited for the find.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nYou can contact us anytime for questions or support: security@superbet.com\n\nThank you for helping keep Superbet and our users safe!\n","has_open_scope":false,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"S3 bucket takeover\",\"details\":\"Subdomain takeover via S3 buckets is temporarily out of scope\"}"],"timestamp":"2025-09-24T08:59:37.052Z"},{"id":3763509,"new_policy":"***Please limit the number of requests to a maximum of 50/second.***\n***Do not use scanners such as Nessus, Acunetix, etc. We already scan our assets with these tools and you won't be rewarded if you report vulnerabilities found by scanners.***\n***All our LOGIN services are out of scope for the moment. Please review our Policy page.\nAny brute-force attempt on our login services will be considered misbehavior and you will be banned from the program. 
We won't reward any credentials identified using brute-force attacks.***\n# S3 bucket takeovers are temporarily out of scope.\n# Other types of subdomain takeover will be rewarded with $500 unless additional impact is demonstrated.\n# Leaked employee credentials (working credentials) will be rewarded with $250 unless additional impact is demonstrated.\n# IDOR/BAC vulnerabilities on SOCIAL functionality are out of scope.\n\nSuperbet will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 1 day |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n\n# Test Plan\nFor our main application (```superbet.ro``` / ```magicjackpot.ro```) you can create an account using a Romanian fake CNP generator such as https://isj.educv.ro/cnp/. Make sure you are using a Romanian VPN, as the portal works only for Romanian IPs.\n\n* Please add the following User-Agent header when you are using any automated tools or scripts: ```User-Agent: hackerone```. Requests that do not contain this header might get blocked by our tools/SOC team.\n\n# Disclosure Policy\n* Follow HackerOne's disclosure guidelines.\n* Do not disclose information about any found vulnerabilities without express consent from Superbet.\n* Disclosure requests must be made through the HackerOne platform - see instructions here. We will make the final decision on a per-report basis.\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS)\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or brute-force issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors)\n* Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Username / email enumeration\n* CORS issues without a working PoC\n* Login page or one of our websites over HTTP\n* Self XSS\n* As a rule of thumb, we don't reward vulnerabilities found in third parties. We have a lot of those, many of which have their own bug bounty programs, and the vulnerabilities affect many companies that integrate or use their software. 
This is why you should try to reach out to the company who originated the code and have these kinds of issues fixed upstream. We may try to reach the upstream provider ourselves to ensure that we're not keeping vulnerable code and, should we do so, you can be assured that you will be credited for the find.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nYou can contact us anytime for questions or support: security@superbet.com\n\nThank you for helping keep Superbet and our users safe!\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"S3 bucket takeover\",\"details\":\"Subdomain takeover via S3 buckets is temporarily out of scope\"}"],"timestamp":"2025-09-24T08:46:26.680Z"},{"id":3742372,"new_policy":"***Please limit the number of requests to a maximum of 50/second.***\n***Do not use scanners such as Nessus, Acunetix, etc. We already scan our assets with these tools and you won't be rewarded if you report vulnerabilities found by scanners.***\n***All our LOGIN services are out of scope for the moment. Please review our Policy page.\nAny brute-force attempt on our login services will be considered misbehavior and you will be banned from the program. 
We won't reward any credentials identified using brute-force attacks.***\n# S3 bucket takeovers are temporarily out of scope.\n# Other types of subdomain takeover will be rewarded with $500 unless additional impact is demonstrated.\n# Leaked employee credentials (working credentials) will be rewarded with $250 unless additional impact is demonstrated.\n# IDOR/BAC vulnerabilities on SOCIAL functionality are out of scope.\n\nSuperbet will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 1 day |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n\n# Test Plan\nFor our main application (```superbet.ro``` / ```magicjackpot.ro```) you can create an account using a Romanian fake CNP generator such as https://isj.educv.ro/cnp/. Make sure you are using a Romanian VPN, as the portal works only for Romanian IPs.\n\n* Please add the following User-Agent header when you are using any automated tools or scripts: ```User-Agent: hackerone```. Requests that do not contain this header might get blocked by our tools/SOC team.\n\n# Disclosure Policy\n* Follow HackerOne's disclosure guidelines.\n* Do not disclose information about any found vulnerabilities without express consent from Superbet.\n* Disclosure requests must be made through the HackerOne platform - see instructions here. We will make the final decision on a per-report basis.\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS)\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or brute-force issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors)\n* Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Username / email enumeration\n* CORS issues without a working PoC\n* Login page or one of our websites over HTTP\n* Self XSS\n* As a rule of thumb, we don't reward vulnerabilities found in third parties. We have a lot of those, many of which have their own bug bounty programs, and the vulnerabilities affect many companies that integrate or use their software. 
This is why you should try to reach out to the company who originated the code and have these kinds of issues fixed upstream. We may try to reach the upstream provider ourselves to ensure that we're not keeping vulnerable code and, should we do so, you can be assured that you will be credited for the find.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nYou can contact us anytime for questions or support: security@superbet.com\n\nThank you for helping keep Superbet and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"S3 bucket takeover\",\"details\":\"Subdomain takeover via S3 buckets is temporarily out of scope\"}"],"timestamp":"2024-10-18T07:52:37.187Z"},{"id":3738315,"new_policy":"***Please limit the number of requests to a maximum of 50/second.***\n***Do not use scanners such as Nessus, Acunetix, etc. We already scan our assets with these tools and you won't be rewarded if you report vulnerabilities found by scanners.***\n***All our LOGIN services are out of scope for the moment. Please review our Policy page.\nAny brute-force attempt on our login services will be considered misbehavior and you will be banned from the program. 
We won't reward any credentials identified using brute-force attacks.***\n# S3 bucket takeovers are temporarily out of scope.\n# Other types of subdomain takeover will be rewarded with $500 unless additional impact is demonstrated.\n# Leaked employee credentials (working credentials) will be rewarded with $500 unless additional impact is demonstrated.\n\nSuperbet will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 1 day |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n\n# Test Plan\nFor our main application (```superbet.ro``` / ```magicjackpot.ro```) you can create an account using a Romanian fake CNP generator such as https://isj.educv.ro/cnp/. Make sure you are using a Romanian VPN, as the portal works only for Romanian IPs.\n\n* Please add the following User-Agent header when you are using any automated tools or scripts: ```User-Agent: hackerone```. Requests that do not contain this header might get blocked by our tools/SOC team.\n\n# Disclosure Policy\n* Follow HackerOne's disclosure guidelines.\n* Do not disclose information about any found vulnerabilities without express consent from Superbet.\n* Disclosure requests must be made through the HackerOne platform - see instructions here. We will make the final decision on a per-report basis.\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS)\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or brute-force issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors)\n* Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Username / email enumeration\n* CORS issues without a working PoC\n* Login page or one of our websites over HTTP\n* Self XSS\n* As a rule of thumb, we don't reward vulnerabilities found in third parties. We have a lot of those, many of which have their own bug bounty programs, and the vulnerabilities affect many companies that integrate or use their software. 
This is why you should try to reach out to the company who originated the code and have these kinds of issues fixed upstream. We may try to reach the upstream provider ourselves to ensure that we're not keeping vulnerable code and, should we do so, you can be assured that you will be credited for the find.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nYou can contact us anytime for questions or support: security@superbet.com\n\nThank you for helping keep Superbet and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"S3 bucket takeover\",\"details\":\"Subdomain takeover via S3 buckets is temporarily out of scope\"}"],"timestamp":"2024-09-10T12:24:50.644Z"},{"id":3710413,"new_policy":"***Please limit the number of requests to a maximum of 50/second.***\n***Do not use scanners such as Nessus, Acunetix, etc. We already scan our assets with these tools and you won't be rewarded if you report vulnerabilities found by scanners.***\n***All our LOGIN services are out of scope for the moment. Please review our Policy page.\nAny brute-force attempt on our login services will be considered misbehavior and you will be banned from the program. 
We won't reward any credentials identified using brute-force attacks.***\n\n# Subdomain takeovers will be rewarded with $500 unless additional impact is demonstrated.\n# Leaked employee credentials (working credentials) will be rewarded with $500 unless additional impact is demonstrated.\n\nSuperbet will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 1 day |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Test Plan\nFor our main application (```superbet.ro``` / ```magicjackpot.ro```) you can create an account using a Romanian fake CNP generator such as https://isj.educv.ro/cnp/. 
Make sure you are using a Romanian VPN, as the portal works only for Romanian IPs.\n\n* Please add the following User-Agent header when you are using any automated tools or scripts: ```User-Agent: hackerone```. Requests that do not contain this header might get blocked by our tools/SOC team.\n\n# Disclosure Policy\n* Follow HackerOne's disclosure guidelines.\n* Do not disclose information about any found vulnerabilities without express consent from Superbet.\n* Disclosure requests must be made through the HackerOne platform - see instructions here. We will make the final decision on a per-report basis.\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS)\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or brute-force issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors)\n* Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Username / email enumeration\n* CORS issues without a working PoC\n* Login page or one of our websites over HTTP\n* Self XSS\n* As a rule of thumb, we don't reward vulnerabilities found in third parties. We have a lot of those, many of which have their own bug bounty programs, and the vulnerabilities affect many companies that integrate or use their software. This is why you should try to reach out to the company who originated the code and have these kinds of issues fixed upstream. We may try to reach the upstream provider ourselves to ensure that we're not keeping vulnerable code and, should we do so, you can be assured that you will be credited for the find.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nYou can contact us anytime for questions or support: security@superbet.com\n\nThank you for helping keep Superbet and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-01-09T08:23:11.113Z"},{"id":3710412,"new_policy":"***Please limit the number of requests to a maximum of 100/second.***\n***Do not use scanners such as Nessus, Acunetix, etc. We already scan our assets with these tools and you won't be rewarded if you report vulnerabilities found by scanners.***\n***All our LOGIN services are out of scope for the moment. Please review our Policy page.\nAny brute-force attempt on our login services will be considered misbehavior and you will be banned from the program. 
We won't reward any credentials identified using bruteforce attacks.***\n\n#Subdomain takeovers will be rewarded with 500$ unless additional  impact will be demonstrated.\n#Employee Credentials leaked(working credentials) will be rewarded with 500$ unless additional impact will be demonstrated.\n\nSuperbet will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 1 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n#Test Plan\nFor our main application ```superbet.ro/magicjackpot.ro``` You can use a Romanian fake CNP generator in order to create an account, such as - https://isj.educv.ro/cnp/ in order to create an account. 
Make sure you are using a Romanian VPN as the portal works only for Romanian IP’s.\n\n● Please add the following User-Agent header when you are using any automated tools or scripts - User-agent: hackerone -. Requests that will not contain this cookie header might get blocked by our tools/SOC team.\n\n# Disclosure Policy \n*  Follow HackerOne's disclosure guidelines.\n* Do not disclose information about any found vulnerabilities without express consent from Superbet.\n* Disclosure requests must be made through the HackerOne platform - see instructions here. We will make the final decision on a per report basis.\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS)\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors)\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Username / email enumeration\n* Descriptive error messages (e.g. stack traces, application or server errors).\n* CORS issues without a working PoC\n* Login page or one of our websites over HTTP\n*  Self XSS\n* As a rule of thumb, we don't reward vulnerabilities found in 3rd parties. We have a lot of those, many of which have their own bug bounty programs and the vulnerabilities affect many companies that integrate or use their stuff. This is why you should try to reach out to the company who originated the code and have these kind of issues fixed upstream. We may try to reach the upstream provider ourselves to ensure that we're not keeping vulnerable code and, should we do so, you can be assured that you will be credited for the find\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nYou can contact us anytime for questions or support: security@superbet.com\n\nThank you for helping keep Superbet and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-01-09T08:22:52.821Z"},{"id":3707975,"new_policy":"***Please limit the amount of requests to max 100/second*** \n***Do not use Scanners such as Nessus, acunetix,etc, we already scan our assets with these tools and you won't be rewarded if you report vulnerabilities found by scanners***\n***All our LOGIN services are out of scope for the moment. Please review our Policy page.\nAny bruteforce attempt on our login services will be considered misbehavior and you will be banned from the program. We won't reward any credentials identified using bruteforce attacks.***\n\nWe've heard your feedback! 
Here are some testing accounts for superbet.ro main application\nAll the testing accounts are verified and the only restriction on them is Deposit/withdrawal:\nsynack1 - rNc7pGnzxaWRaK\nsynack2 - tQWdwGX4B5agoe\nsynack3 - 2hZHsnFhZPTT3D\nsynack4 - 6qE8ZG8JQgSWCU\nsynack5 - yfjzvoWLYZn4GM\nsynack6 - JUKzSYr626V7zZ\nsynack7 - VMs8C4txt3hNzQ\nsynack8 - LyEb8vuuRRgiXd\nsynack9 - KZkfiVXrHZ3JxX\nsynack10 - 6sphJVv3PFp8mB\n\n#Please do not use automated scanners on \"Virtual betting ticket generator\"(the bar-code generator of tickets which can only be used in our agencies)\n#Please stop reporting the /metric path exposed as a vulnerability, we've received many reports about this and we're working on a global fix at the moment.\n#Subdomain takeovers will be rewarded with 500$ unless additional  impact will be demonstrated.\n# wordpress repair.php file exposed vulnerability is out of scope for the moment. We're running an internal investigation to fix all the vulnerable endpoints.\n#Employee Credentials leaked(working credentials) will be rewarded with 500$ unless additional impact will be demonstrated.\n#CVE-2023-29489 XSS in cPanel  is OOS, most of our cPanels are owned and managed by 3rd party.\n\nSuperbet looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\nSuperbet will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure 
guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n#Test Plan\nFor our main application ```superbet.ro/magicjackpot.ro``` You can use a Romanian fake CNP generator in order to create an account, such as - https://isj.educv.ro/cnp/ in order to create an account. Make sure you are using a Romanian VPN as the portal works only for Romanian IP’s.\n\n● Please add the following User-Agent header when you are using any automated tools or scripts - User-agent: hackerone -. Requests that will not contain this cookie header might get blocked by our tools/SOC team.\n\n# Disclosure Policy \n*  Follow HackerOne's disclosure guidelines.\n* Do not disclose information about any found vulnerabilities without express consent from Superbet.\n* Disclosure requests must be made through the HackerOne platform - see instructions here. We will make the final decision on a per report basis.\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS)\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Username / email enumeration\n* Descriptive error messages (e.g. stack traces, application or server errors).\n* CORS issues without a working PoC\n* Login page or one of our websites over HTTP\n*  Self XSS\n* As a rule of thumb, we don't reward vulnerabilities found in 3rd parties. We have a lot of those, many of which have their own bug bounty programs and the vulnerabilities affect many companies that integrate or use their stuff. 
This is why you should try to reach out to the company who originated the code and have these kind of issues fixed upstream. We may try to reach the upstream provider ourselves to ensure that we're not keeping vulnerable code and, should we do so, you can be assured that you will be credited for the find\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nYou can contact us anytime for questions or support: security@superbet.com\n\nThank you for helping keep Superbet and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-11-24T08:56:06.391Z"},{"id":3703235,"new_policy":"***Please limit the amount of requests to max 100/second*** \n***Do not use Scanners such as Nessus, acunetix,etc, we already scan our assets with these tools and you won't be rewarded if you report vulnerabilities found by scanners***\n***All our LOGIN services are out of scope for the moment. Please review our Policy page.\nAny bruteforce attempt on our login services will be considered misbehavior and you will be banned from the program. We won't reward any credentials identified using bruteforce attacks.***\n\nWe've heard your feedback! 
Here are some testing accounts for superbet.ro main application\nAll the testing accounts are verified and the only restriction on them is Deposit/withdrawal:\nsynack1 - rNc7pGnzxaWRaK\nsynack2 - tQWdwGX4B5agoe\nsynack3 - 2hZHsnFhZPTT3D\nsynack4 - 6qE8ZG8JQgSWCU\nsynack5 - yfjzvoWLYZn4GM\nsynack6 - JUKzSYr626V7zZ\nsynack7 - VMs8C4txt3hNzQ\nsynack8 - LyEb8vuuRRgiXd\nsynack9 - KZkfiVXrHZ3JxX\nsynack10 - 6sphJVv3PFp8mB\n\n#Please do not use automated scanners on \"Virtual betting ticket generator\"(the bar-code generator of tickets which can only be used in our agencies)\n#Please stop reporting the /metric path exposed as a vulnerability, we've received many reports about this and we're working on a global fix at the moment.\n# Reflected XSS and DOM XSS will be rewarded 100$ unless additional impact will be demonstrated.\n#Subdomain takeovers will be rewarded with 1000$ unless additional  impact will be demonstrated.\n# wordpress repair.php file exposed vulnerability is out of scope for the moment. 
We're running an internal investigation to fix all the vulnerable endpoints.\n#Employee Credentials leaked will be rewarded with 500$ where impact is proven.\n#CVE-2023-29489 XSS in cPanel  is OOS, most of our cPanels are owned and managed by 3rd party.\n\nSuperbet looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\nSuperbet will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n\n#Test Plan\nFor our main application ```superbet.ro/magicjackpot.ro``` You can use a Romanian fake CNP generator in order to create an account, such as - https://isj.educv.ro/cnp/ in order to create an account. Make sure you are using a Romanian VPN as the portal works only for Romanian IP’s.\n\n● Please add the following User-Agent header when you are using any automated tools or scripts - User-agent: hackerone -. Requests that will not contain this cookie header might get blocked by our tools/SOC team.\n\n# Disclosure Policy \n*  Follow HackerOne's disclosure guidelines.\n* Do not disclose information about any found vulnerabilities without express consent from Superbet.\n* Disclosure requests must be made through the HackerOne platform - see instructions here. We will make the final decision on a per report basis.\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS)\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Username / email enumeration\n* Descriptive error messages (e.g. stack traces, application or server errors).\n* CORS issues without a working PoC\n* Login page or one of our websites over HTTP\n*  Self XSS\n* As a rule of thumb, we don't reward vulnerabilities found in 3rd parties. We have a lot of those, many of which have their own bug bounty programs and the vulnerabilities affect many companies that integrate or use their stuff. 
This is why you should try to reach out to the company who originated the code and have these kind of issues fixed upstream. We may try to reach the upstream provider ourselves to ensure that we're not keeping vulnerable code and, should we do so, you can be assured that you will be credited for the find\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nYou can contact us anytime for questions or support: security@superbet.com\n\nThank you for helping keep Superbet and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-09-22T11:36:03.130Z"},{"id":3700397,"new_policy":"***Please limit the amount of requests to max 100/second*** \n***Do not use Scanners such as Nessus, acunetix,etc, we already scan our assets with these tools and you won't be rewarded if you report vulnerabilities found by scanners***\n***All our LOGIN services are out of scope for the moment. Please review our Policy page.\nAny bruteforce attempt on our login services will be considered misbehavior and you will be banned from the program. We won't reward any credentials identified using bruteforce attacks.***\n\nWe've heard your feedback! 
Here are some testing accounts for superbet.ro main application\nAll the testing accounts are verified and the only restriction on them is Deposit/withdrawal:\nsynack1 - rNc7pGnzxaWRaK\nsynack2 - tQWdwGX4B5agoe\nsynack3 - 2hZHsnFhZPTT3D\nsynack4 - 6qE8ZG8JQgSWCU\nsynack5 - yfjzvoWLYZn4GM\nsynack6 - JUKzSYr626V7zZ\nsynack7 - VMs8C4txt3hNzQ\nsynack8 - LyEb8vuuRRgiXd\nsynack9 - KZkfiVXrHZ3JxX\nsynack10 - 6sphJVv3PFp8mB\n\n#Please do not use automated scanners on \"Virtual betting ticket generator\"(the bar-code generator of tickets which can only be used in our agencies)\n#Please stop reporting the /metric path exposed as a vulnerability, we've received many reports about this and we're working on a global fix at the moment.\n# Reflected XSS and DOM XSS will be rewarded 100$ unless additional impact will be demonstrated.\n# wordpress repair.php file exposed vulnerability is out of scope for the moment. We're running an internal investigation to fix all the vulnerable endpoints.\n#Employee Credentials leaked will be rewarded with 500$ where impact is proven.\n#CVE-2023-29489 XSS in cPanel  is OOS, most of our cPanels are owned and managed by 3rd party.\n\nSuperbet looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\nSuperbet will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program 
Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n#Test Plan\nFor our main application ```superbet.ro/magicjackpot.ro``` You can use a Romanian fake CNP generator in order to create an account, such as - https://isj.educv.ro/cnp/ in order to create an account. Make sure you are using a Romanian VPN as the portal works only for Romanian IP’s.\n\n● Please add the following User-Agent header when you are using any automated tools or scripts - User-agent: hackerone -. Requests that will not contain this cookie header might get blocked by our tools/SOC team.\n\n# Disclosure Policy \n*  Follow HackerOne's disclosure guidelines.\n* Do not disclose information about any found vulnerabilities without express consent from Superbet.\n* Disclosure requests must be made through the HackerOne platform - see instructions here. We will make the final decision on a per report basis.\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS)\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Username / email enumeration\n* Descriptive error messages (e.g. stack traces, application or server errors).\n* CORS issues without a working PoC\n* Login page or one of our websites over HTTP\n*  Self XSS\n* As a rule of thumb, we don't reward vulnerabilities found in 3rd parties. We have a lot of those, many of which have their own bug bounty programs and the vulnerabilities affect many companies that integrate or use their stuff. 
This is why you should try to reach out to the company who originated the code and have these kind of issues fixed upstream. We may try to reach the upstream provider ourselves to ensure that we're not keeping vulnerable code and, should we do so, you can be assured that you will be credited for the find\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nYou can contact us anytime for questions or support: security@superbet.com\n\nThank you for helping keep Superbet and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-08-25T08:22:50.720Z"},{"id":3700226,"new_policy":"***All our LOGIN services are out of scope for the moment. Please review our Policy page.\nAny bruteforce attempt on our login services will be considered misbehavior and you will be banned from the program. We won't reward any credentials identified using bruteforce attacks.***\n\nWe've heard your feedback! 
Here are some testing accounts for superbet.ro main application\nAll the testing accounts are verified and the only restriction on them is Deposit/withdrawal:\nsynack1 - rNc7pGnzxaWRaK\nsynack2 - tQWdwGX4B5agoe\nsynack3 - 2hZHsnFhZPTT3D\nsynack4 - 6qE8ZG8JQgSWCU\nsynack5 - yfjzvoWLYZn4GM\nsynack6 - JUKzSYr626V7zZ\nsynack7 - VMs8C4txt3hNzQ\nsynack8 - LyEb8vuuRRgiXd\nsynack9 - KZkfiVXrHZ3JxX\nsynack10 - 6sphJVv3PFp8mB\n\n#Please do not use automated scanners on \"Virtual betting ticket generator\"(the bar-code generator of tickets which can only be used in our agencies)\n#Please stop reporting the /metric path exposed as a vulnerability, we've received many reports about this and we're working on a global fix at the moment.\n# Reflected XSS and DOM XSS will be rewarded 100$ unless additional impact will be demonstrated.\n# wordpress repair.php file exposed vulnerability is out of scope for the moment. We're running an internal investigation to fix all the vulnerable endpoints.\n#Employee Credentials leaked will be rewarded with 500$ where impact is proven.\n#CVE-2023-29489 XSS in cPanel  is OOS, most of our cPanels are owned and managed by 3rd party.\n\nSuperbet looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\nSuperbet will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program 
Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n#Test Plan\nFor our main application ```superbet.ro/magicjackpot.ro``` You can use a Romanian fake CNP generator in order to create an account, such as - https://isj.educv.ro/cnp/ in order to create an account. Make sure you are using a Romanian VPN as the portal works only for Romanian IP’s.\n\n● Please add the following User-Agent header when you are using any automated tools or scripts - User-agent: hackerone -. Requests that will not contain this cookie header might get blocked by our tools/SOC team.\n\n# Disclosure Policy \n*  Follow HackerOne's disclosure guidelines.\n* Do not disclose information about any found vulnerabilities without express consent from Superbet.\n* Disclosure requests must be made through the HackerOne platform - see instructions here. We will make the final decision on a per report basis.\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS)\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Username / email enumeration\n* Descriptive error messages (e.g. stack traces, application or server errors).\n* CORS issues without a working PoC\n* Login page or one of our websites over HTTP\n*  Self XSS\n* As a rule of thumb, we don't reward vulnerabilities found in 3rd parties. We have a lot of those, many of which have their own bug bounty programs and the vulnerabilities affect many companies that integrate or use their stuff. 
This is why you should try to reach out to the company that originated the code and have these kinds of issues fixed upstream. We may try to reach the upstream provider ourselves to ensure that we're not keeping vulnerable code and, should we do so, you can be assured that you will be credited for the find.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nYou can contact us anytime for questions or support: security@superbet.com\n\nThank you for helping keep Superbet and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-08-22T11:41:07.362Z"},{"id":3690488,"new_policy":"***All our LOGIN services are out of scope for the moment. Please review our Policy page.\nAny bruteforce attempt on our login services will be considered misbehavior and you will be banned from the program. We won't reward any credentials identified using bruteforce attacks.***\n\nWe've heard your feedback! 
Here are some testing accounts for superbet.ro main application\nAll the testing accounts are verified and the only restriction on them is Deposit/withdrawal:\nsynack1 - rNc7pGnzxaWRaK\nsynack2 - tQWdwGX4B5agoe\nsynack3 - 2hZHsnFhZPTT3D\nsynack4 - 6qE8ZG8JQgSWCU\nsynack5 - yfjzvoWLYZn4GM\nsynack6 - JUKzSYr626V7zZ\nsynack7 - VMs8C4txt3hNzQ\nsynack8 - LyEb8vuuRRgiXd\nsynack9 - KZkfiVXrHZ3JxX\nsynack10 - 6sphJVv3PFp8mB\n\n#Please do not use automated scanners on \"Virtual betting ticket generator\"(the bar-code generator of tickets which can only be used in our agencies)\n\n# Reflected XSS and DOM XSS will be rewarded 100$ unless additional impact will be demonstrated.\n# wordpress repair.php file exposed vulnerability is out of scope for the moment. We're running an internal investigation to fix all the vulnerable endpoints.\n#Employee Credentials leaked will be rewarded between 100 - 1000$, based on the impact.\n\nSuperbet looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\nSuperbet will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n#Test Plan\nFor our main application ```superbet.ro/magicjackpot.ro``` You can use a Romanian fake CNP generator in order to create an account, such as - https://isj.educv.ro/cnp/ in order to create an account. Make sure you are using a Romanian VPN as the portal works only for Romanian IP’s.\n\n● Please add the following User-Agent header when you are using any automated tools or scripts - User-agent: hackerone -. Requests that will not contain this cookie header might get blocked by our tools/SOC team.\n\n# Disclosure Policy \n*  Follow HackerOne's disclosure guidelines.\n* Do not disclose information about any found vulnerabilities without express consent from Superbet.\n* Disclosure requests must be made through the HackerOne platform - see instructions here. We will make the final decision on a per report basis.\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS)\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Username / email enumeration\n* Descriptive error messages (e.g. stack traces, application or server errors).\n* CORS issues without a working PoC\n* Login page or one of our websites over HTTP\n*  Self XSS\n* As a rule of thumb, we don't reward vulnerabilities found in 3rd parties. We have a lot of those, many of which have their own bug bounty programs and the vulnerabilities affect many companies that integrate or use their stuff. 
This is why you should try to reach out to the company that originated the code and have these kinds of issues fixed upstream. We may try to reach the upstream provider ourselves to ensure that we're not keeping vulnerable code and, should we do so, you can be assured that you will be credited for the find.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nYou can contact us anytime for questions or support: security@superbet.com\n\nThank you for helping keep Superbet and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-07-06T14:13:34.989Z"},{"id":3690367,"new_policy":"***All our LOGIN services are out of scope for the moment. Please review our Policy page.\nAny bruteforce attempt on our login services will be considered misbehavior and you will be banned from the program. We won't reward any credentials identified using bruteforce attacks.***\n\nWe've heard your feedback! 
Here are some testing accounts for superbet.ro main application\nAll the testing accounts are verified and the only restriction on them is Deposit/withdrawal:\nsynack1 - rNc7pGnzxaWRaK\nsynack2 - tQWdwGX4B5agoe\nsynack3 - 2hZHsnFhZPTT3D\nsynack4 - 6qE8ZG8JQgSWCU\nsynack5 - yfjzvoWLYZn4GM\nsynack6 - JUKzSYr626V7zZ\nsynack7 - VMs8C4txt3hNzQ\nsynack8 - LyEb8vuuRRgiXd\nsynack9 - KZkfiVXrHZ3JxX\nsynack10 - 6sphJVv3PFp8mB\n\n#Please do not use automated scanners on \"Virtual betting ticket generator\"(the bar-code generator of tickets which can only be used in our agencies)\n\n# Reflected XSS and DOM XSS will be rewarded 100$ unless additional impact will be demonstrated.\n#Employee Credentials leaked will be rewarded between 100 - 1000$, based on the impact.\n\nSuperbet looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\nSuperbet will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n#Test Plan\nFor our main application ```superbet.ro``` You can use a Romanian fake CNP generator in order to create an account, such as - https://isj.educv.ro/cnp/ in order to create an account. Make sure you are using a Romanian VPN as the portal works only for Romanian IP’s.\n\n● Please add the following User-Agent header when you are using any automated tools or scripts - User-agent: hackerone -. Requests that will not contain this cookie header might get blocked by our tools/SOC team.\n\n# Disclosure Policy \n*  Follow HackerOne's disclosure guidelines.\n* Do not disclose information about any found vulnerabilities without express consent from Superbet.\n* Disclosure requests must be made through the HackerOne platform - see instructions here. We will make the final decision on a per report basis.\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS)\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Username / email enumeration\n* Descriptive error messages (e.g. stack traces, application or server errors).\n* CORS issues without a working PoC\n* Login page or one of our websites over HTTP\n*  Self XSS\n* As a rule of thumb, we don't reward vulnerabilities found in 3rd parties. We have a lot of those, many of which have their own bug bounty programs and the vulnerabilities affect many companies that integrate or use their stuff. 
This is why you should try to reach out to the company that originated the code and have these kinds of issues fixed upstream. We may try to reach the upstream provider ourselves to ensure that we're not keeping vulnerable code and, should we do so, you can be assured that you will be credited for the find.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nYou can contact us anytime for questions or support: security@superbet.com\n\nThank you for helping keep Superbet and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-07-05T07:38:22.908Z"},{"id":3690146,"new_policy":"***All our LOGIN services are out of scope for the moment. Please review our Policy page.\nAny bruteforce attempt on our login services will be considered misbehavior and you will be banned from the program. We won't reward any credentials identified using bruteforce attacks.***\n\nWe've heard your feedback! 
Here are some testing accounts for superbet.ro main application\nAll the testing accounts are verified and the only restriction on them is Deposit/withdrawal:\nsynack1 - rNc7pGnzxaWRaK\nsynack2 - tQWdwGX4B5agoe\nsynack3 - 2hZHsnFhZPTT3D\nsynack4 - 6qE8ZG8JQgSWCU\nsynack5 - yfjzvoWLYZn4GM\nsynack6 - JUKzSYr626V7zZ\nsynack7 - VMs8C4txt3hNzQ\nsynack8 - LyEb8vuuRRgiXd\nsynack9 - KZkfiVXrHZ3JxX\nsynack10 - 6sphJVv3PFp8mB\n\n#Please do not use automated scanners on \"Virtual betting ticket generator\"(the bar-code generator of tickets which can only be used in our agencies)\n\n# Reflected XSS and DOM XSS will be rewarded 100$ unless additional impact will be demonstrated.\n\nSuperbet looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\nSuperbet will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n#Test Plan\nFor our main application ```superbet.ro``` You can use a Romanian fake CNP generator in order to create an account, such as - https://isj.educv.ro/cnp/ in order to create an account. Make sure you are using a Romanian VPN as the portal works only for Romanian IP’s.\n\n● Please add the following User-Agent header when you are using any automated tools or scripts - User-agent: hackerone -. Requests that will not contain this cookie header might get blocked by our tools/SOC team.\n\n# Disclosure Policy \n*  Follow HackerOne's disclosure guidelines.\n* Do not disclose information about any found vulnerabilities without express consent from Superbet.\n* Disclosure requests must be made through the HackerOne platform - see instructions here. We will make the final decision on a per report basis.\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS)\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Username / email enumeration\n* Descriptive error messages (e.g. stack traces, application or server errors).\n* CORS issues without a working PoC\n* Login page or one of our websites over HTTP\n*  Self XSS\n* As a rule of thumb, we don't reward vulnerabilities found in 3rd parties. We have a lot of those, many of which have their own bug bounty programs and the vulnerabilities affect many companies that integrate or use their stuff. 
This is why you should try to reach out to the company that originated the code and have these kinds of issues fixed upstream. We may try to reach the upstream provider ourselves to ensure that we're not keeping vulnerable code and, should we do so, you can be assured that you will be credited for the find.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nYou can contact us anytime for questions or support: security@superbet.com\n\nThank you for helping keep Superbet and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-06-29T15:34:35.971Z"},{"id":3689932,"new_policy":"***All our LOGIN services are out of scope for the moment. Please review our Policy page.\nAny bruteforce attempt on our login services will be considered misbehavior and you will be banned from the program. We won't reward any credentials identified using bruteforce attacks.***\n\nWe've heard your feedback! 
Here are some testing accounts for superbet.ro main application\nAll the testing accounts are verified and the only restriction on them is Deposit/withdrawal:\nsynack1 - rNc7pGnzxaWRaK\nsynack2 - tQWdwGX4B5agoe\nsynack3 - 2hZHsnFhZPTT3D\nsynack4 - 6qE8ZG8JQgSWCU\nsynack5 - yfjzvoWLYZn4GM\nsynack6 - JUKzSYr626V7zZ\nsynack7 - VMs8C4txt3hNzQ\nsynack8 - LyEb8vuuRRgiXd\nsynack9 - KZkfiVXrHZ3JxX\nsynack10 - 6sphJVv3PFp8mB\n\n#Please do not use automated scanners on \"Virtual betting ticket generator\"(the bar-code generator of tickets which can only be used in our agencies)\n\n# Reflected XSS and DOM XSS will be rewarded 100$ unless additional impact will be demonstrated.\n\nSuperbet looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\nSuperbet will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n#Test Plan\nFor our main application ```superbet.ro``` You can use a Romanian fake CNP generator in order to create an account, such as - https://isj.educv.ro/cnp/ in order to create an account. Make sure you are using a Romanian VPN as the portal works only for Romanian IP’s.\n\n● Please add the following User-Agent header when you are using any automated tools or scripts - User-agent: hackerone -. Requests that will not contain this cookie header might get blocked by our tools/SOC team.\n\n# Disclosure Policy \n*  Follow HackerOne's disclosure guidelines.\n* Do not disclose information about any found vulnerabilities without express consent from Superbet.\n* Disclosure requests must be made through the HackerOne platform - see instructions here. We will make the final decision on a per report basis.\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS)\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Username / email enumeration\n* Descriptive error messages (e.g. stack traces, application or server errors).\n* CORS issues without a working PoC\n* Login page or one of our websites over HTTP\n*  Self XSS\n* As a rule of thumb, we don't reward vulnerabilities found in 3rd parties. We have a lot of those, many of which have their own bug bounty programs and the vulnerabilities affect many companies that integrate or use their stuff. 
This is why you should try to reach out to the company that originated the code and have these kinds of issues fixed upstream. We may try to reach the upstream provider ourselves to ensure that we're not keeping vulnerable code and, should we do so, you can be assured that you will be credited for the find.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Superbet and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-06-26T14:00:27.718Z"},{"id":3689455,"new_policy":"***All our LOGIN services are out of scope for the moment. Please review our Policy page.\nAny bruteforce attempt on our login services will be considered misbehavior and you will be banned from the program. 
We won't reward any credentials identified using bruteforce attacks.***\n\n# Reflected XSS and DOM XSS will be rewarded 100$ unless additional impact will be demonstrated.\n# Please do not use automated scanners on \"Virtual betting ticket generator\"(the bar-code generator of tickets which can only be used in our agencies)\n\nSuperbet looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\nSuperbet will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n\n#Test Plan\nFor our main application ```superbet.ro``` You can use a Romanian fake CNP generator in order to create an account, such as - https://isj.educv.ro/cnp/ in order to create an account. Make sure you are using a Romanian VPN as the portal works only for Romanian IP’s.\n\n● Please add the following User-Agent header when you are using any automated tools or scripts - User-agent: hackerone -. Requests that will not contain this cookie header might get blocked by our tools/SOC team.\n\n# Disclosure Policy \n*  Follow HackerOne's disclosure guidelines.\n* Do not disclose information about any found vulnerabilities without express consent from Superbet.\n* Disclosure requests must be made through the HackerOne platform - see instructions here. We will make the final decision on a per report basis.\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS)\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Username / email enumeration\n* Descriptive error messages (e.g. stack traces, application or server errors).\n* CORS issues without a working PoC\n* Login page or one of our websites over HTTP\n*  Self XSS\n* As a rule of thumb, we don't reward vulnerabilities found in 3rd parties. We have a lot of those, many of which have their own bug bounty programs and the vulnerabilities affect many companies that integrate or use their stuff. 
This is why you should try to reach out to the company who originated the code and have these kind of issues fixed upstream. We may try to reach the upstream provider ourselves to ensure that we're not keeping vulnerable code and, should we do so, you can be assured that you will be credited for the find\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Superbet and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-06-16T10:04:02.606Z"},{"id":3681630,"new_policy":"***All our LOGIN services are out of scope for the moment. Please review our Policy page.\nAny bruteforce attempt on our login services will be considered misbehavior and you will be banned from the program. We won't reward any credentials identified using bruteforce attacks.***\n\n# Reflected XSS and DOM XSS will be rewarded 100$ unless additional impact will be demonstrated.\n# Please do not use automated scanners on \"Virtual betting ticket generator\"(the bar-code generator of tickets which can only be used in our agencies)\n\nSuperbet looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\n```Expect delays in the time of response, due to Holiday season, . We will try our best to meet the SLA's. 
Everything should come back to normal after 4th of January.```\n\nSuperbet will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n#Test Plan\nFor our main application ```superbet.ro``` You can use a Romanian fake CNP generator in order to create an account, such as - https://isj.educv.ro/cnp/ in order to create an account. Make sure you are using a Romanian VPN as the portal works only for Romanian IP’s.\n\n● Please add the following User-Agent header when you are using any automated tools or scripts - User-agent: hackerone -. 
Requests that will not contain this cookie header might get blocked by our tools/SOC team.\n\n# Disclosure Policy \n*  Follow HackerOne's disclosure guidelines.\n* Do not disclose information about any found vulnerabilities without express consent from Superbet.\n* Disclosure requests must be made through the HackerOne platform - see instructions here. We will make the final decision on a per report basis.\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS)\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors)\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Username / email enumeration\n* Descriptive error messages (e.g. stack traces, application or server errors).\n* CORS issues without a working PoC\n* Login page or one of our websites over HTTP\n*  Self XSS\n* As a rule of thumb, we don't reward vulnerabilities found in 3rd parties. We have a lot of those, many of which have their own bug bounty programs and the vulnerabilities affect many companies that integrate or use their stuff. This is why you should try to reach out to the company who originated the code and have these kind of issues fixed upstream. We may try to reach the upstream provider ourselves to ensure that we're not keeping vulnerable code and, should we do so, you can be assured that you will be credited for the find\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Superbet and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-01-04T10:45:35.884Z"},{"id":3681629,"new_policy":"***All our LOGIN services are out of scope for the moment. 
Please review our Policy page.\nAny bruteforce attempt on our login services will be considered misbehavior and you will be banned from the program. We won't reward any credentials identified using bruteforce attacks.***\n\nSuperbet looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\n```Expect delays in the time of response, due to Holiday season, . We will try our best to meet the SLA's. Everything should come back to normal after 4th of January.```\n\nSuperbet will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n\n#Test Plan\nFor our main application ```superbet.ro``` You can use a Romanian fake CNP generator in order to create an account, such as - https://isj.educv.ro/cnp/ in order to create an account. Make sure you are using a Romanian VPN as the portal works only for Romanian IP’s.\n\n● Please add the following User-Agent header when you are using any automated tools or scripts - User-agent: hackerone -. Requests that will not contain this cookie header might get blocked by our tools/SOC team.\n\n# Disclosure Policy \n*  Follow HackerOne's disclosure guidelines.\n* Do not disclose information about any found vulnerabilities without express consent from Superbet.\n* Disclosure requests must be made through the HackerOne platform - see instructions here. We will make the final decision on a per report basis.\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS)\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Username / email enumeration\n* Descriptive error messages (e.g. stack traces, application or server errors).\n* CORS issues without a working PoC\n* Login page or one of our websites over HTTP\n*  Self XSS\n* As a rule of thumb, we don't reward vulnerabilities found in 3rd parties. We have a lot of those, many of which have their own bug bounty programs and the vulnerabilities affect many companies that integrate or use their stuff. 
This is why you should try to reach out to the company who originated the code and have these kind of issues fixed upstream. We may try to reach the upstream provider ourselves to ensure that we're not keeping vulnerable code and, should we do so, you can be assured that you will be credited for the find\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Superbet and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-01-04T10:24:46.681Z"},{"id":3681597,"new_policy":"***We are pausing the program for the holiday period and we are resuming on the 4th of January. Happy holidays everyone!***\n\nSuperbet looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\n```Expect delays in the time of response, due to Holiday season, . We will try our best to meet the SLA's. 
Everything should come back to normal after 4th of January.```\n\nSuperbet will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n#Test Plan\nFor our main application ```superbet.ro``` You can use a Romanian fake CNP generator in order to create an account, such as - https://isj.educv.ro/cnp/ in order to create an account. Make sure you are using a Romanian VPN as the portal works only for Romanian IP’s.\n\n● Please add the following User-Agent header when you are using any automated tools or scripts - User-agent: hackerone -. 
Requests that will not contain this cookie header might get blocked by our tools/SOC team.\n\n# Disclosure Policy \n*  Follow HackerOne's disclosure guidelines.\n* Do not disclose information about any found vulnerabilities without express consent from Superbet.\n* Disclosure requests must be made through the HackerOne platform - see instructions here. We will make the final decision on a per report basis.\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS)\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors)\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Username / email enumeration\n* Descriptive error messages (e.g. stack traces, application or server errors).\n* CORS issues without a working PoC\n* Login page or one of our websites over HTTP\n*  Self XSS\n* As a rule of thumb, we don't reward vulnerabilities found in 3rd parties. We have a lot of those, many of which have their own bug bounty programs and the vulnerabilities affect many companies that integrate or use their stuff. This is why you should try to reach out to the company who originated the code and have these kind of issues fixed upstream. We may try to reach the upstream provider ourselves to ensure that we're not keeping vulnerable code and, should we do so, you can be assured that you will be credited for the find\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Superbet and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-01-03T12:17:57.118Z"},{"id":3681596,"new_policy":"***We are pausing the program for the holiday period and we are resuming on the 4th of January. 
Happy holidays everyone!***\n\nSuperbet looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\n```Expect delays in the time of response, due to Holiday season, . We will try our best to meet the SLA's. Everything should come back to normal after 3rd of January.```\n\nSuperbet will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n\n#Test Plan\nFor our main application ```superbet.ro``` You can use a Romanian fake CNP generator in order to create an account, such as - https://isj.educv.ro/cnp/ in order to create an account. Make sure you are using a Romanian VPN as the portal works only for Romanian IP’s.\n\n● Please add the following User-Agent header when you are using any automated tools or scripts - User-agent: hackerone -. Requests that will not contain this cookie header might get blocked by our tools/SOC team.\n\n# Disclosure Policy \n*  Follow HackerOne's disclosure guidelines.\n* Do not disclose information about any found vulnerabilities without express consent from Superbet.\n* Disclosure requests must be made through the HackerOne platform - see instructions here. We will make the final decision on a per report basis.\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS)\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Username / email enumeration\n* Descriptive error messages (e.g. stack traces, application or server errors).\n* CORS issues without a working PoC\n* Login page or one of our websites over HTTP\n*  Self XSS\n* As a rule of thumb, we don't reward vulnerabilities found in 3rd parties. We have a lot of those, many of which have their own bug bounty programs and the vulnerabilities affect many companies that integrate or use their stuff. 
This is why you should try to reach out to the company who originated the code and have these kind of issues fixed upstream. We may try to reach the upstream provider ourselves to ensure that we're not keeping vulnerable code and, should we do so, you can be assured that you will be credited for the find\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Superbet and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-01-03T12:17:35.964Z"},{"id":3681524,"new_policy":"***We are pausing the program for the holiday period and we are resuming on the 3rd of January. Happy holidays everyone!***\n\nSuperbet looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\n```Expect delays in the time of response, due to Holiday season, . We will try our best to meet the SLA's. 
Everything should come back to normal after 3rd of January.```\n\nSuperbet will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n#Test Plan\nFor our main application ```superbet.ro``` You can use a Romanian fake CNP generator in order to create an account, such as - https://isj.educv.ro/cnp/ in order to create an account. Make sure you are using a Romanian VPN as the portal works only for Romanian IP’s.\n\n● Please add the following User-Agent header when you are using any automated tools or scripts - User-agent: hackerone -. 
Requests that will not contain this cookie header might get blocked by our tools/SOC team.\n\n# Disclosure Policy \n*  Follow HackerOne's disclosure guidelines.\n* Do not disclose information about any found vulnerabilities without express consent from Superbet.\n* Disclosure requests must be made through the HackerOne platform - see instructions here. We will make the final decision on a per report basis.\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS)\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors)\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Username / email enumeration\n* Descriptive error messages (e.g. stack traces, application or server errors).\n* CORS issues without a working PoC\n* Login page or one of our websites over HTTP\n* Self XSS\n* As a rule of thumb, we don't reward vulnerabilities found in 3rd parties. We have a lot of those, many of which have their own bug bounty programs and the vulnerabilities affect many companies that integrate or use their stuff. This is why you should try to reach out to the company who originated the code and have these kinds of issues fixed upstream. We may try to reach the upstream provider ourselves to ensure that we're not keeping vulnerable code and, should we do so, you can be assured that you will be credited for the find.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Superbet and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-12-23T15:01:22.865Z"},{"id":3681523,"new_policy":"***Merry Christmas everybody!!!***\n***We're resuming on 03/01/2023!!!***\n***Stay tuned for big surprises to come***\n\nSuperbet looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\n```Expect delays in response times due to the holiday season. We will try our best to meet the SLAs. Everything should come back to normal after the 3rd of January.```\n\nSuperbet will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Test Plan\nFor our main application ```superbet.ro```, you can use a Romanian fake CNP generator such as https://isj.educv.ro/cnp/ in order to create an account. Make sure you are using a Romanian VPN, as the portal works only for Romanian IPs.\n\n● Please add the following User-Agent header when you are using any automated tools or scripts: ```User-agent: hackerone```. Requests that do not contain this header might get blocked by our tools/SOC team.\n\n# Disclosure Policy\n* Follow HackerOne's disclosure guidelines.\n* Do not disclose information about any found vulnerabilities without express consent from Superbet.\n* Disclosure requests must be made through the HackerOne platform - see instructions here. We will make the final decision on a per-report basis.\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS)\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Username / email enumeration\n* Descriptive error messages (e.g. stack traces, application or server errors).\n* CORS issues without a working PoC\n* Login page or one of our websites over HTTP\n* Self XSS\n* As a rule of thumb, we don't reward vulnerabilities found in 3rd parties. We have a lot of those, many of which have their own bug bounty programs and the vulnerabilities affect many companies that integrate or use their stuff. 
This is why you should try to reach out to the company who originated the code and have these kinds of issues fixed upstream. We may try to reach the upstream provider ourselves to ensure that we're not keeping vulnerable code and, should we do so, you can be assured that you will be credited for the find.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Superbet and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-12-23T14:50:32.547Z"},{"id":3681505,"new_policy":"Superbet looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\n```Expect delays in response times due to the holiday season. We will try our best to meet the SLAs. 
Everything should come back to normal after the 3rd of January.```\n\nSuperbet will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Test Plan\nFor our main application ```superbet.ro```, you can use a Romanian fake CNP generator such as https://isj.educv.ro/cnp/ in order to create an account. Make sure you are using a Romanian VPN, as the portal works only for Romanian IPs.\n\n● Please add the following User-Agent header when you are using any automated tools or scripts: ```User-agent: hackerone```. 
Requests that do not contain this header might get blocked by our tools/SOC team.\n\n# Disclosure Policy\n* Follow HackerOne's disclosure guidelines.\n* Do not disclose information about any found vulnerabilities without express consent from Superbet.\n* Disclosure requests must be made through the HackerOne platform - see instructions here. We will make the final decision on a per-report basis.\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS)\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors)\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Username / email enumeration\n* Descriptive error messages (e.g. stack traces, application or server errors).\n* CORS issues without a working PoC\n* Login page or one of our websites over HTTP\n* Self XSS\n* As a rule of thumb, we don't reward vulnerabilities found in 3rd parties. We have a lot of those, many of which have their own bug bounty programs and the vulnerabilities affect many companies that integrate or use their stuff. This is why you should try to reach out to the company who originated the code and have these kinds of issues fixed upstream. We may try to reach the upstream provider ourselves to ensure that we're not keeping vulnerable code and, should we do so, you can be assured that you will be credited for the find.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Superbet and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-12-22T13:18:00.690Z"},{"id":3681495,"new_policy":"Superbet Romania looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\n```Expect delays in response times due to the holiday season. We will try our best to meet the SLAs. Everything should come back to normal after the 3rd of January.```\n\nSuperbet Romania will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Test Plan\nFor our main application ```superbet.ro```, you can use a Romanian fake CNP generator such as https://isj.educv.ro/cnp/ in order to create an account. Make sure you are using a Romanian VPN, as the portal works only for Romanian IPs.\n\n● Please add the following User-Agent header when you are using any automated tools or scripts: ```User-agent: hackerone```. Requests that do not contain this header might get blocked by our tools/SOC team.\n\n# Disclosure Policy\n* Follow HackerOne's disclosure guidelines.\n* Do not disclose information about any found vulnerabilities without express consent from Superbet.\n* Disclosure requests must be made through the HackerOne platform - see instructions here. We will make the final decision on a per-report basis.\n\n# Out of scope vulnerabilities\n\n### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Clickjacking on pages with no sensitive actions\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS)\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Rate limiting or bruteforce issues on non-authentication endpoints\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis\n* Tabnabbing\n* Open redirect - unless an additional security impact can be demonstrated\n* Issues that require unlikely user interaction\n* Username / email enumeration\n* Descriptive error messages (e.g. stack traces, application or server errors).\n* CORS issues without a working PoC\n* Login page or one of our websites over HTTP\n* Self XSS\n* As a rule of thumb, we don't reward vulnerabilities found in 3rd parties. We have a lot of those, many of which have their own bug bounty programs and the vulnerabilities affect many companies that integrate or use their stuff. 
This is why you should try to reach out to the company who originated the code and have these kinds of issues fixed upstream. We may try to reach the upstream provider ourselves to ensure that we're not keeping vulnerable code and, should we do so, you can be assured that you will be credited for the find.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Superbet Romania and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-12-22T08:58:48.898Z"}]