
FanDuel Response
External Program
Submit bugs directly to this organization
Program guidelines
Top Response Efficiency: this program's response efficiency is above 90% (see https://docs.hackerone.com/en/articles/8490880-response-target-indicators).
13 hours: average time to first response
18 hours: average time to triage
1 month, 3 weeks: average time to resolution
Core Ineligible Findings are out of scope (see https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings).
Last updated on November 26, 2025 (view changes: /fanduel-vdp/policy_versions).
The FanDuel Cybersecurity team strives to protect the company and its valued customers from attackers who seek to compromise the confidentiality, integrity or availability of our platform. We also recognize the important role that the research community plays in bolstering our security. We look forward to working with you to identify and remediate vulnerabilities to keep our platform and its customers safe.
FanDuel’s Vulnerability Disclosure Program accepts reports of qualifying security vulnerabilities in a FanDuel product, mobile application, or website, subject to the terms of this Policy. These terms govern the Vulnerability Disclosure Program, and you must comply with the rules specified herein in order for your submitted vulnerability report to qualify for FanDuel’s consideration (“Program Terms”). Please submit a report in accordance with the guidelines below that includes a detailed description of your research with clear, reproducible steps or a working proof-of-concept. During your investigation, please avoid altering existing files or file permissions, reading sensitive information, or disrupting production services.
No payments under this Policy are permitted or will be considered by FanDuel. FanDuel reserves the right to modify the Program Terms, and your participation in the Program constitutes acceptance of all terms.
Thank you for your contribution!
FanDuel will make a best effort to meet the following SLAs for hackers participating in our program (SLA in business days):
Type of Response | SLA
First Response | 5-10 days
Time to Triage | 5-10 days
Time to Resolution | depends on severity and complexity
We’ll try to keep you informed about our progress throughout the process.
While we encourage you to discover and report any vulnerabilities you find in a responsible manner, the following conduct is prohibited and will result in disqualification from the Vulnerability Disclosure Program. By submitting a report to this program you agree to adhere to these guidelines.
· Disclosing any vulnerabilities or suspected vulnerabilities you discover to any other person without explicit FanDuel authorization
· Disclosing the contents of any submission to this program without explicit FanDuel authorization
· Accessing sensitive personally identifiable information (PII) of any person stored on a FanDuel product or service, including, but not limited to, medical or health information, Social Security numbers, passport numbers, driver’s license numbers, bank account information, credit or debit card information, etc. If you encounter any PII, do not proceed with access and immediately purge any local copies, if applicable.
· Performing actions that may negatively affect FanDuel system performance or its users (e.g. spam, phishing, brute force, Distributed Denial of Service (DDoS))
· Conducting any kind of physical attack on FanDuel personnel, property or data centers
· Social engineering any FanDuel employee or contractor
· Exfiltrating data. Please test only the minimum necessary to validate a vulnerability (we can verify whether data exfiltration would be possible from a vulnerability, and will assess the report with that impact in mind)
· Violating any laws or breaching any agreements in order to discover vulnerabilities
· Let us know as soon as possible upon discovery of a potential security issue and we'll make every effort to quickly resolve the issue.
· Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
· Please do not discuss or disclose any vulnerabilities (even resolved ones) outside of the program without express written consent from the organization.
· Follow HackerOne's Disclosure Guidelines.
· Please provide detailed reports with clear steps to reproduce the behavior and concrete evidence that the target is vulnerable in the way described. If the report does not provide this information, it may be closed as Not Applicable.
· Submit one vulnerability per report, unless you need to chain vulnerabilities to fully communicate impact.
· When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).
· Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
· Social engineering (e.g. phishing, vishing, smishing) is prohibited.
· Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
· Only interact with accounts you own or with explicit permission of the account holder.
· Large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic are not permitted. Failure to comply may result in suspension of your FanDuel account and a ban of your IP address.
· Note: We do allow the use of automated tools so long as they do not produce excessive amounts of traffic. For example, running one nmap scan against one host is allowed, but sending 50,000 requests in two minutes using Burp Suite Intruder is excessive.
· Use the header X-HackerOne: [HackerOne_Username] in all traffic sent during your tests, replacing the placeholder [HackerOne_Username] with your HackerOne username.
· Researchers who meet any of the following criteria are ineligible for participation:
· An individual who is under the age of 18.
· A resident of, or a person submitting a report from, any country or region that is under United States sanctions or trade restrictions as determined by the US Office of Foreign Assets Control (such as Cuba, Iran, North Korea, Sudan, Syria or Crimea), or a person designated on the U.S. Department of the Treasury’s Specially Designated Nationals List.
· A current employee of FanDuel or a Flutter subsidiary, or an immediate family member (parent, sibling, spouse, or child) or household member of such an employee.
· A contingent staff member, contractor or vendor employee currently working pursuant to a contract with FanDuel or its affiliates in the Flutter Entertainment Group, or an immediate family member (parent, sibling, spouse, or child) or household member of such a contingent staff member, contractor or vendor.
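The two testing rules above that a tool has to enforce are the X-HackerOne tagging header and the cap on traffic volume. The following is an added example, not FanDuel's or HackerOne's code: it builds every request with the X-HackerOne header set to the researcher's username and paces requests through a fixed-rate limiter so a scripted test stays far below the "50,000 requests in two minutes" level the policy calls excessive. The username, target URL and the 2 requests/second budget are assumptions chosen for illustration; nothing is sent unless send() is called.

```python
"""Tag research traffic with X-HackerOne and pace it below a request budget.

Added example for the FanDuel VDP testing rules; not the program's own code.
Assumptions (not from the policy): username "h1user", URL under
example.invalid, and a 2 requests/second budget.
"""
import time
import urllib.request
from typing import Callable, Dict, Optional, Tuple


def research_headers(username: str, extra: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Headers for every test request: the program's X-HackerOne tag plus extras.

    The username must be a single token; whitespace would corrupt the header.
    """
    if not username or any(c.isspace() for c in username):
        raise ValueError("HackerOne username must be a single non-empty token")
    headers = {"X-HackerOne": username, "User-Agent": f"h1-research/{username}"}
    if extra:
        headers.update(extra)
    return headers


class RateLimiter:
    """Fixed-rate limiter: at most `per_second` requests per second.

    The clock and sleep functions are injectable so the pacing logic can be
    checked without real waiting.
    """

    def __init__(
        self,
        per_second: float,
        clock: Callable[[], float] = time.monotonic,
        sleeper: Callable[[float], None] = time.sleep,
    ) -> None:
        if per_second <= 0:
            raise ValueError("rate must be positive")
        self.interval = 1.0 / per_second
        self._clock = clock
        self._sleep = sleeper
        self._next_allowed = clock()

    def wait(self) -> float:
        """Block until the next slot is free and return the delay applied."""
        now = self._clock()
        delay = max(0.0, self._next_allowed - now)
        if delay:
            self._sleep(delay)
        # Schedule the following slot one interval after this one.
        self._next_allowed = max(now, self._next_allowed) + self.interval
        return delay


def build_request(
    url: str, username: str, method: str = "GET", data: Optional[bytes] = None
) -> urllib.request.Request:
    """Construct a request that carries the X-HackerOne header (not yet sent)."""
    return urllib.request.Request(
        url, data=data, method=method, headers=research_headers(username)
    )


def send(req: urllib.request.Request, limiter: RateLimiter, timeout: float = 10.0) -> Tuple[int, bytes]:
    """Wait for a rate-limit slot, then perform the request over the network."""
    limiter.wait()
    with urllib.request.urlopen(req, timeout=timeout) as resp:  # network call
        return resp.status, resp.read()


if __name__ == "__main__":
    # Assumed username and target; the URL is deliberately unreachable.
    limiter = RateLimiter(per_second=2.0)
    req = build_request("https://example.invalid/api/users/1", "h1user")
    print(dict(req.header_items()))
```

urllib normalises header names (so the header is stored as `X-hackerone`, which is equivalent on the wire). The same pattern applies to Burp Suite by adding a match-and-replace rule for the header and throttling Intruder, but the per-request pacing above is what keeps a custom script inside the policy's traffic rule.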
FanDuel is interested in the following types of vulnerabilities:
· Cross-Site Scripting (XSS)
· Cross-Site Request Forgery (CSRF)
· Unauthorized Cross-Tenant Data Tampering or Access (for multi-tenant services)
· Insecure Direct Object References
· Injection Vulnerabilities
· Authentication Vulnerabilities
· Server-Side Code Execution
· Privilege Escalation
· Significant Security Misconfiguration (when not caused by user)
· Directory Traversal
· Information Disclosure
· FanDuel applications and their associated services (specific to the FanDuel engineered/controlled components of the product)
FanDuel reserves the right to reject any submission in its sole discretion, including any submission that it determines does not meet the above criteria or is in violation of any aspect of this policy. Submissions that entail or require the manipulation of data, network access, or physical attack against FanDuel offices or data centers and/or social engineering of our service desk, employees or contractors will not be accepted. Submissions that result in the alteration or theft of FanDuel data, or the interruption or degradation of FanDuel systems, will not be accepted.
While researching, we'd ask you to refrain from:
· Denial of service attacks or other activities that adversely affect the performance or delivery of FanDuel’s services and operations
· Spamming
· Social engineering (including phishing, impersonation or use of existing credentials), or any activities that involve coercion, harassment, threats, or intimidation of FanDuel staff or contractors
· Any physical attempts against FanDuel property or the property of FanDuel customers
· Exfiltrating data
· Establishing command line access, a persistent presence on our systems or “pivoting” to other systems
· Any activities that involve the disclosure or display to any third parties or to the public of vulnerability report findings, including any proof of concept
· Any activities that violate applicable laws and regulations
When reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. The following non-exhaustive list of issues is considered out of scope for our Vulnerability Disclosure Program:
· Vulnerabilities disclosed without a working proof-of-concept or clear reproducible steps
· Clickjacking on pages with no sensitive actions
· Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
· Descriptive error messages
· Fingerprinting/banner disclosure on common public services
· Subdomain takeovers without a complete proof of concept
· Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML
· Bugs requiring exceedingly unlikely user interaction (e.g., requiring a user to manually type in an XSS payload)
· Vulnerabilities related to networking protocols or industry standards not controlled by FanDuel, including flaws that impact outdated or unpatched browsers and plugins
· Any product vulnerability in which the vulnerability is in code or hardware not created, designed, or updated by FanDuel
· Any product vulnerability that involves device modification or bypassing of security controls inherent to the device in a way that requires ownership, hardware modification, or direct device access
· Attacks requiring MITM or physical access to a user's device
· Comma Separated Values (CSV) injection without demonstrating a vulnerability
· Missing best practices in SSL/TLS configuration
· SSL attacks, such as BEAST/BREACH
· Any activity that could lead to the disruption of our service (DoS)
· Rate limiting or brute force issues on non-authentication endpoints
· Missing best practices in Content Security Policy
· Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
· Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)
· Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors)
· Tab-nabbing
· Open redirect, unless an additional security impact can be demonstrated
· Broken link hijacking
· Mobile app vulnerabilities requiring a malicious app install to exploit
· Missing email verification on sign-up
· Dark web forum credential leaks are temporarily out of scope
· Missing best-practice bugs that don’t pose a direct/immediate risk to our company or our users (e.g. missing Certificate Authority Authorization)
· Missing HTTP headers (e.g. lack of HSTS), lack of Secure or HttpOnly flag on non-sensitive cookies
· Username enumeration on the [*].fdbox.net/users/[userId] endpoint
· For regulatory purposes, FanDuel currently does not provide test accounts to security researchers. Researchers should create their own personal accounts on the platform for testing purposes. We recommend attaching your HackerOne @wearehackerone.com email alias to any FanDuel account that you use to perform security research and testing (see Hacker Email Alias | HackerOne Help Center). Clearly identifying accounts that are associated with vulnerability research helps our teams differentiate between possibly malicious activity and that of researchers involved in our Vulnerability Disclosure Program. Please note that adding your HackerOne email address does not provide any exemptions to our Terms of Service or permit you to act beyond our Program Rules and scope.
· Please keep details of reported vulnerabilities confidential until we have fixed the issue and agree on disclosure timing. After remediation we may ask you to validate the fix. We ask you to provide FanDuel with a reasonable amount of time to resolve the vulnerability.
· By submitting a report, you represent and warrant that the report is original to you and your work product and does not include code or other content copied or otherwise derived from a third party (including from the output of any generative AI tool), and that you have all legal rights and permissions to provide the report to FanDuel.
· You hereby assign to FanDuel all rights, title, and interest (including all intellectual property rights) in the contents of all vulnerability reports that you submit to FanDuel. By participating in the vulnerability disclosure program, you represent that you have the right to assign all such right, title and interest to us and that your participation in the vulnerability disclosure program, and assignment of such right, title and interest, will not breach any agreement you may have with a third party (e.g., your employer).
You must act in good faith when investigating and reporting vulnerabilities to us. Acting in good faith means that you will:
Follow the rules outlined in this policy: This includes the Program Terms, FanDuel Terms of Use, and any terms and conditions for FanDuel’s domains that are in scope.
Respect our customers’ privacy: You should only interact with FanDuel accounts you own or with explicit permission from the account holder. The intent of the program is to hunt for vulnerabilities in our products and services. If you encounter user information during the course of your research:
o Stop at the point in your testing where you have an adequate proof of concept for submission purposes. Actions taken beyond this are not authorized.
o Report the submission with a complete proof of concept immediately so we can investigate. Please redact any real user data in your report prior to submission.
o Keep user information confidential; do not save, copy, store, transfer, disclose, or otherwise retain the information.
o Work with the FanDuel team on any further requests.
Extortion: You should never illegally or in bad faith leverage the existence of a vulnerability or access to sensitive or confidential information, such as by making extortion demands or ransom requests. If you find a vulnerability, report it to us with no conditions attached.
Safe Harbor: You should never leave a system, FanDuel employees or customers in a more vulnerable state than when you found them. This means that you should not engage in testing or related activities that degrade, damage, or destroy information within our systems, or that may impact our users, such as denial of service, social engineering or spam. If you have made a good faith effort to abide by these Program Terms, we will not initiate or recommend legal action against you, and if a third party initiates legal action, we will make it known that your activities were conducted pursuant to the Vulnerability Disclosure Program. Failure to act in good faith will result in immediate disqualification from the Vulnerability Disclosure Program. If at any point while researching a vulnerability you are unsure whether you should continue, stop, report your initial finding(s) and request authorization to continue testing. FanDuel expressly reserves all rights not otherwise granted herein, including all legal rights in the event of noncompliance with this Policy. You shall comply with all applicable federal, state, and local laws and regulations in connection with your security research activities or other participation in this program. Actions that are not consistent with this Policy are not covered by our Safe Harbor provision and may make you legally liable.
Thank you for helping keep FanDuel and our users safe!
Hackers thanked (see all at /fanduel-vdp/thanks), with reputation earned in this program:
1. madhurchandran23 (7)
2. notkilox (7)
3. mahmoudsayed984 (7)
4. isacaya (7)
5. holybugx (7)
6. khaleduualed (7)
7. maskirovka21 (7)
8. d0dx (7)
9. ghaddarittoo (2)
10. security-var (0)
11. a0xtrojan (0)
12. mahashivaratri (0)
About FanDuel Response (http://fanduel.com): FanDuel is the premier mobile gaming company in the US, from America’s #1 Sportsbook to leading in iGaming, horse racing, and daily fantasy sports. The Vulnerability Disclosure Program launched in Nov 2025.
Response efficiency: 98%
Submit a report: /fanduel-vdp/reports/new?type=team&report_type=vulnerability
Program statistics:
Reports received (90 days) | 10
Last report resolved | 2 months ago
Reports resolved | 9
Hackers thanked | 12
Assets in scope | 1