NBA Public Bug Bounty

• Purpose
• Scope
• Rules of Engagement
• In-Scope Vulnerabilities
• Out of Scope Vulnerabilities
• Make Your Submission Count
• Reward Structure
• Response Targets
• Disclosure Policy
• Compliance
• References

Purpose

The National Basketball Association (NBA) is a global sports and media organization, built around five professional sports leagues: the NBA, WNBA, NBA G League, NBA 2K League and Basketball Africa League. The NBA has a major international presence with games and programming available in 214 countries and territories in 60 languages. At the NBA, we’re passionate about growing and celebrating the game of basketball. The NBA's mission is centered around igniting inspiration and fostering connections among people worldwide through the transformative power of basketball. With the intensity of the game and incredible athleticism of our players, the NBA delivers excitement to hundreds of millions of fans worldwide. In addition to the league's on-court activities, the NBA manages relationships with television and digital media partners, develops marketing partnerships with some of the world's most recognizable companies, oversees the licensing of merchandise, and manages a wide range of global events that attract fans and drive social impact in communities around the world.

This policy defines the requirements for security researchers to conduct vulnerability discovery activities and submit identified findings through HackerOne for a potential bounty reward. You must have a HackerOne account and use the HackerOne platform for all submissions. Participating in the NBA’s bug bounty program is a unique opportunity to earn bounty payouts while helping to enhance the security of our applications. The NBA has been working closely with the security research community for more than six years through responsible disclosure and private bug bounty programs. Thanks to your contributions, the NBA continues to drive innovation through technology, captivate fans around the globe, and safeguard our brand. We greatly value the positive impact of your work to improve the security of the NBA.

Scope

The NBA has a vast infrastructure within the public domain. However, not all digital assets are in-scope for the NBA bug bounty program. Researchers are strictly prohibited from any security testing on applications that are not in-scope. Security testing on out-of-scope assets, vulnerabilities, and/or any actions that are otherwise in violation of the requirements stated are not eligible for bounty reward. All security researchers participating in the program must adhere to the scope requirements. The list of in-scope assets can be found here.

Rules of Engagement

• Be mindful of your testing activities to avoid initiating any actions that could potentially lead to denial of service. Traffic requests must not exceed 3 requests per second, as this will help with the observability and monitoring of external testing. Failure to do so will be considered a denial-of-service (DoS) attack.
• Do not perform attacks that can lead to denial of service (DoS/DDoS).
• Do not perform social engineering, brute-forcing, or password spraying attacks.
• Do not perform testing on out-of-scope assets or vulnerabilities.
• Do not perform aggressive vulnerability scans.
• Do not modify any files or destroy data, including permissions.
• Do not access NBA customer, employee, or confidential information.
• Do not intentionally view or access any data beyond what is needed to prove the vulnerability.
• Do not degrade the NBA user experience. Security testing must not disrupt production or lower environment systems.
• Stop testing and report the finding to the NBA immediately if you obtain unauthorized access to sensitive data, compromised accounts, or discover arbitrary command execution.

In-Scope Vulnerabilities

The NBA has adopted the OWASP Top 10 framework to ensure our web applications are security-hardened against top relevant risks and vulnerabilities. Our analysis will consider the information security triad: confidentiality, integrity, and availability with the lens of business risk and sensitive data exposure to determine a finding’s severity. The list below outlines vulnerability types that are in scope for bounty payout.

• Broken Access Control
• Remote Code Execution (RCE)
• Injection
• Insecure Design
• Security Misconfiguration
• Account Takeover (ATO)
• Vulnerable and Outdated Components
• Identification and Authentication Failures
• Software and Data Integrity Failures
• Server-Side Request Forgery (SSRF)
• Cross-Site Scripting (XSS)
• Cryptographic Failures

Out of Scope Vulnerabilities

The following vulnerability types are out of scope and not accepted by the NBA. Note: Zero-day vulnerabilities may be reported 30 days after initial publication.

• Denial of Service (DoS) or Distributed Denial of Service (DDoS)
• Cache Poisoning
• HTTP Request Smuggling
• Client-Side Desync
• Edge Side Includes (ESI) Injection
• Server Information & Status Pages
• SSL/TLS Best Practices
• Reports from automated tools or scans
• Social Engineering
• Vulnerabilities on out-of-scope assets
• Verbose error messages without proof of exploitability
• Issues without a clearly defined security impact
• Self-exploitation
• Brute Forcing
• Password Spraying
• Banner Grabbing
• Absence of SPF/DMARC records
• NBA ID fan account credentials

Make Your Submission Count

• Acceptance or rejection of all vulnerability report submissions is subject to the NBA’s sole discretion.
• Detailed reports must be provided. Reports without a working proof of concept and steps to reproduce the finding will have the disposition status changed to "Needs more information."
• Proof of concepts are required to obtain the full bounty payment. If a proof of concept cannot be provided, justification by the researcher must be included.
• When duplicates occur, only the first received report will be awarded provided it can be fully reproduced in a form acceptable to the NBA.
• Exposed or compromised credentials will be evaluated on a case-by-case basis and paid out according to risk and impact to the NBA.
• Vulnerabilities will be consolidated into a single report and bounty payout if internal review determines that separate fixes are not warranted. This includes multiple reports submitted by a researcher for the same vulnerability found on various endpoints of the same host application or its components impacting multiple hosts.

Reward Structure

The NBA has aligned with CVSS v3.1 and places significant emphasis on the risk and impact resulting from a vulnerability for the reward conclusion. Bounty payments and severity classification are determined at the sole discretion of the NBA program administrator. All testing performed must comply with this program’s policy, rules of engagement, and scope for a report to be eligible for bounty reward. The vulnerability severity classification will generally be categorized according to the following criteria:

Medium Severity Vulnerability

Medium severity vulnerabilities pose a moderate risk to the NBA. Vulnerability examples include exposure of API tokens, reflected or DOM cross-site scripting with access to cookies, takeover on an unused subdomain, or read access to sensitive data or fields.

High Severity Vulnerability

High severity vulnerabilities are where exposure to the NBA starts to elevate. For example, read privileges to databases with sensitive PII, ability to scan internal network resources, domain takeover on an active web application, or improper access control.

Critical Severity Vulnerability

Critical severity vulnerabilities warrant immediate attention, and the proof of concept needs to demonstrate the exploitability and risk to the NBA. Examples include arbitrary command execution on a remote device, bulk sensitive data loss, or write access with full permissions to a database containing sensitive PII.

Response Targets

The NBA will use reasonable efforts to meet the following response targets for researchers participating in the program.

Disclosure Policy

This program does not allow any disclosure without the NBA’s prior written approval in each instance and all researchers participating in the NBA public bug bounty program must adhere to this disclosure policy. Approval may be granted or withheld at the NBA’s sole discretion. Additionally, the NBA may require redactions to any authorized disclosure. Researchers must not discuss or release to the public any information about vulnerabilities (even if resolved) found in connection with this program, except and to the extent expressly permitted by the NBA. Approvals must be obtained from the NBA program administrator and requested within the HackerOne report submitted prior to any public disclosure.

The NBA strictly prohibits public disclosure and/or storage of data discovered during any testing activities. All data must be secured at-rest, in-transit, and in-storage to assure the confidentiality of sensitive or other protected information. All data collected, downloaded, cached or otherwise stored by researchers during testing activities, including any data entered or stored in third-party applications or services, must be promptly and securely deleted after submission of the report.

Compliance

Adherence to the NBA bug bounty program policy is required. Lack of compliance by security researchers is subject to the processes defined within the HackerOne Code of Conduct.

References