NBA Vulnerability Disclosure Program

---

 

Table of Contents

• Program Governance
• Program Scope
• In-Scope Vulnerabilities
• Out of Scope Vulnerabilities
• Rules of Engagement
• Response Targets
• Disclosure Policy

 

Program Governance

The NBA is more than just a basketball company. We are a global brand operating in the sports, media, entertainment, and commerce sectors. Fueled by technology & innovation, we have created a fan-first international direct-to-consumer business, producing some of the most compelling live entertainment experiences, gaining interest from fans globally, and driving social impact/justice change in communities where we live, work, and play.

The NBA prioritizes the security of our organization and fans, and we want to recognize researchers for their efforts in helping to reduce cyber risk. Participating in the NBA’s vulnerability disclosure program is a unique opportunity to showcase your skills and earn reputation points while helping assure the security of our applications. By identifying and reporting vulnerability findings, you’ll not only contribute to the protection of our users and data, but also have the chance to gain recognition in the security community. We greatly value the positive impact of your work and thank you in advance for your contributions. Happy hacking!

  VDP Scope

The NBA has a vast infrastructure within the public domain. However, not all digital assets are owned and managed by the NBA, making it necessary to adhere to the list of in-scope assets. Please limit testing to the applications listed within the Assets section marked as in-scope. Performing security testing on applications that are not in-scope is strictly prohibited.

  In-Scope Vulnerabilities

The NBA has adopted the OWASP Top 10 to ensure our web applications are security-hardened to top relevant risks and vulnerabilities. Our analysis will consider cyber risk triad: Confidentiality, Integrity, & Availability with the lens of business exposure and sensitive data exposed to determine a finding’s severity. The list below illustrates vulnerability types of most interest to the NBA.

• Broken Access Control
• Cryptographic Failures
• Remote Code Execution (RCE)
• Cross-Site Scripting (XSS)
• Injection
• Insecure Design
• Security Misconfiguration
• Account Takeover (ATO)
• Vulnerable and Outdated Components
• Identification and Authentication Failures
• Software and Data Integrity Failures
• Security Logging and Monitoring Failures
• Server-Side Request Forgery (SSRF)

  Out of Scope Vulnerabilities

The following vulnerability types are out of scope and thus not accepted.

• Denial of Service (DoS) or Distributed Denial of Service (DDoS)
• Cache Poisoning
• HTTP Request Smuggling
• Server Information & Status Pages
• SSL/TLS Best Practices
• Reports from automated tools or scans
• Social Engineering
• Vulnerabilities on out-of-scope assets
• Verbose error messages without proof of exploitability
• Issues without clearly defined security impact
• Self-exploitation
• Brute forcing
• Banner Grabbing
• Absence of SPF/DMARC records
• NBA ID fan account credentials

  Rules of Engagement

• Do not perform attacks that can lead to denial of service (DoS/DDoS)
• Do not perform social engineering or brute-forcing attacks
• Do not perform testing on out-of-scope assets
• Do not perform aggressive vulnerability scans
• Do not modify any files or data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability

  Response Targets

The NBA will make a best effort to meet the following response targets for hackers participating in our program. We will try to keep you informed about our progress throughout the process.

  Disclosure Policy

Please do not discuss the vulnerabilities (even if resolved) outside of the program without express consent from the NBA. The NBA strictly prohibits public storage of data discovered during security testing; all data must be secured at-rest and in-transit to assure the confidentiality of sensitive information. All researchers participating in the NBA Public Vulnerability Disclosure Program must adhere to the Disclosure Guidelines defined by HackerOne (https://www.hackerone.com/disclosure-guidelines).