Penn Entertainment Vulnerability Disclosure Program

Introduction

Penn Entertainment is committed to partnering with the security community to identify and address vulnerabilities, ensuring the safety of our businesses and customers. Through collaboration and proactive security measures, we aim to uphold trust, protect our assets, and maintain a secure environment for all.

Our Commitment to Security

At Penn Entertainment, we are dedicated to maintaining the highest standards of security across all our digital assets. Our information security team works tirelessly to protect our systems, services, and the confidentiality of our customers' information. We recognize the invaluable role that security researchers play in helping us identify and address potential vulnerabilities. We welcome the opportunity to collaborate with the research community to enhance our security posture.

About the Program

Our Vulnerability Disclosure Program (VDP) invites security researchers to responsibly discover and report vulnerabilities that could compromise the integrity, availability, or confidentiality of Penn Entertainment's products, services, or information technology infrastructure. We encourage you to report any findings in accordance with the guidelines outlined below.

Scope of the Program

In-Scope Assets

All public-facing assets owned, operated, or controlled by Penn Entertainment are within the scope of this program. This includes, but is not limited to:

• Websites
• Web Applications and APIs
• Mobile Applications
• Online Gaming Platforms

Qualifying Vulnerabilities

We are interested in receiving reports on vulnerabilities that have a significant security impact, such as:

• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery (CSRF)
• SQL Injection
• Authentication and Authorization Flaws
• Remote Code Execution
• Privilege Escalation
• Insecure Direct Object References
• Sensitive Data Exposure
• Server-Side Request Forgery (SSRF)
• Security Misconfigurations

Out-of-Scope Assets and Vulnerabilities

The following are generally outside the scope of our program:

Out-of-Scope Assets

Internal systems, third-party services, or assets not owned by Penn Entertainment.

Non-Qualifying Vulnerabilities

• Reports without a working proof-of-concept or clear reproducible steps
• Findings from automated scans without manual verification
• Clickjacking on pages with no sensitive actions
• Missing security headers that do not lead to direct exploitation
• Denial of Service attacks
• Social engineering or phishing attacks
• Physical security issues

Responsible Disclosure Policy

We ask that researchers:

• Act in Good Faith: Conduct research in a manner that avoids privacy violations and service disruptions.
• Allow Time for Remediation: Give us a reasonable period to address the vulnerability before making any public disclosures.
• Avoid Data Access: Do not access or modify data beyond what is necessary to demonstrate the vulnerability.
• Maintain Confidentiality: Do not disclose vulnerability details to third parties without our express written consent.

Legal Safe Harbor

Activities conducted in accordance with this policy will be considered authorized conduct, and we will not initiate legal action against you. If legal action is initiated by a third party, we will make it known that your actions were conducted in compliance with this policy.

Our Commitment to You

• Prompt Acknowledgment: We will acknowledge receipt of your report within 5 business days.
• Transparency: We will keep you informed of the progress towards resolving the issue.
• Confidentiality: We will not share your personal information without your permission.