About
Fertitta Entertainment, LLC manages and oversees a vibrant array of preeminent brands and establishments that are solely owned by the renowned Houston businessman Tilman Fertitta, whose extensive portfolio includes Landry’s, Golden Nugget casinos, Kemah Boardwalk, Gorio Cruises, The Post Oak Hotel, Post Oak Motors, and The Houston Rockets.
Welcome
Fertitta Entertainment, LLC is pleased to invite the security community to identify and report vulnerabilities to keep our businesses, affiliates, partners, and customers safe.
Note for New Hackers
If you are new to HackerOne, welcome!
Before participating in Fertitta Entertainment, LLC’s vulnerability disclosure program (VDP), we strongly recommend that you first complete HackerOne’s free Hacker101 course and review HackerOne’s Hacker Success Guide to ensure you have the best possible experience.
In addition, please familiarize yourself with our VDP policy and pay especially close attention to the Program Rules and Out-of-scope Vulnerabilities sections below so you will understand how to discover and report vulnerabilities in a safe, responsible way that does not adversely impact our systems, services, and applications.
Useful Resources
- OWASP’s Web Security Testing Guide
- PortSwigger’s Web Security Academy
- HackTheBox Academy's Bug Bounty Hunter Job Pathway
  - (NOTE: Although Fertitta Entertainment, LLC's VDP is NOT a bug bounty program, this pathway will help you develop a solid foundation to begin participating in our VDP.)
Response Targets
Fertitta Entertainment, LLC strives to meet the following SLAs for hackers participating in our program:
| Type of Response | SLA in Business Days |
|---|---|
| First Response | 3 days |
| Time to Triage | 6 days |
| Time to Resolution | Depends on severity—see Time to Resolution below. |
Time to Resolution
After your report has been validated and triaged, Fertitta Entertainment, LLC will periodically update you on our progress and work to resolve your report within a reasonable time frame that corresponds to the severity of your report:
| Severity | SLA in Business Days |
|---|---|
| Critical | 12 days |
| High | 30 days |
| Medium | 90 days |
| Low | 180 days |
| None | 360 days |
IMPORTANT: These SLAs only apply to services, websites, and applications that Fertitta Entertainment, LLC directly manages. Although we are happy to receive vulnerability reports for third-party services or dependencies that are hosted on our domains and to forward them to the responsible parties for remediation, we cannot predict if and when these reports will be resolved.
Disclosure Policy
- Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
- Follow HackerOne’s disclosure guidelines.
Program Rules
- Participants MUST NOT engage in any enumeration of systems, services, or applications and MUST NOT attempt exploitation of any vulnerability outside the scope of this program (see Scope below).
- Please provide clear, straightforward, and detailed reports with reproducible steps. We encourage you to supply screenshots or screen recordings as needed. Reports that are not sufficiently detailed to reproduce the issue may not be triaged.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
- Social engineering (e.g. phishing, vishing, smishing) is strictly prohibited.
- You are expected to perform your due diligence and to make a good faith effort to avoid privacy violations, data destruction, and any interruption or degradation of our services.
- If an asset permits user registration, only interact with accounts that are owned by you.
- Please also abide by HackerOne's Code Of Conduct.
IMPORTANT: Mind your bandwidth usage!
- We strongly recommend that you use a bandwidth monitoring tool (e.g., NetHogs, Wireshark, vnStat, iftop) and that you specify a lower thread count when using command-line tools such as gobuster, ffuf, or wfuzz while probing our assets for vulnerabilities.
- DO NOT send more than 100 MB of traffic over a sixty (60) minute period.
- DO NOT send more than 1 GB of traffic over a twenty-four (24) hour period to an in-scope asset.
- If possible, always include a custom HTTP header (`User-Agent: HackerOne VDP [Username]`) when enumerating or fuzzing our assets.
  - Burp Suite: Use the Add Custom Header Burp extension (available for both Community and Pro editions).
  - cURL, ffuf, Gobuster, and wfuzz all allow you to add a custom header using the `-H` flag.
    Example: `curl -H "User-Agent: HackerOne VDP [Username]" https://tilmanfertitta.com`
  - Nikto allows you to specify a custom header with the `-header` flag (don't confuse it with the `-h` flag, which specifies the target URL).
    Example: `nikto -header "User-Agent: HackerOne VDP [Username]" -h https://tilmanfertitta.com`
Out of scope vulnerabilities
NOTE: Please review our Assets section carefully — some assets have additional restrictions or may be partially or entirely out of scope.
When reporting vulnerabilities, please consider (1) attack scenario / exploitability AND (2) security impact of the bug. The following issues are considered out of scope:
- Any activity that could plausibly lead to any denial or disruption of our services, systems, or applications (DoS/DDoS attacks).
- Any activity that sends more than 100 MB of traffic over a sixty (60) minute period or more than 1 GB of traffic over a twenty-four (24) hour period to an in-scope asset.
- Clickjacking on pages with no sensitive actions.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
- Man-in-the-middle (MitM)/on-path attacks, as well as attacks that require physical access to a user's device.
- Previously known vulnerable libraries without a working proof of concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
- Rate limiting or brute-forcing on non-authentication endpoints, as well as any brute-forcing that exceeds the 100 MB/hour and 1 GB/day bandwidth restrictions specified above.
- Missing best practices in Content Security Policy.
- Missing `HttpOnly` or `Secure` flags on cookies.
- Missing email best practices (e.g., invalid, incomplete, or missing SPF, DKIM, or DMARC records).
- Vulnerabilities only affecting users of outdated or unpatched browsers less than two stable versions behind the latest released stable version.
- Software version disclosure, banner identification issues, and descriptive error messages/headers (e.g., stack traces, application or server errors), unless the error(s) indicate an exploitable injection vulnerability.
- Tabnabbing.
- Open redirect (unless an additional security impact can be demonstrated).
- Issues that require unlikely user interaction.
Safe Harbor
Activities conducted in strict conformance with this policy will be considered authorized conduct.
Thank you for helping keep Fertitta Entertainment, LLC and our assets, data, personnel, and customers safe!