Sky DACH Vulnerability Disclosure Program
With 24 million customers across six countries, Sky is Europe's leading media and entertainment company and is proud to be part of the Comcast group. Our 32,000 employees help connect our customers to the very best entertainment, sports, news, arts and to our own local, original content.
No technology is perfect and Sky believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. We are excited for you to participate as a security researcher to help us identify vulnerabilities in our web applications. Good luck, and happy hunting!
Ratings/Rewards
For the initial prioritization/rating of findings, this engagement will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
Reward Structure
P1: $500 – $1000
In Scope
- All internet facing Sky DACH assets (GraphQL, Website Testing)
- All internet facing Sky UK/ROI assets (GraphQL, Website Testing)
- All internet facing Sky Italy assets (GraphQL, Website Testing)
Testing is only authorised on the targets listed as in scope. Any domain/property of Sky Group not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you happen to identify a security vulnerability on a target that is not in scope, but it demonstrably belongs to Sky Group, you can report it to this engagement. However, be aware that it is ineligible for rewards or points-based compensation.
Out of Scope
OOS Sky Subsidiaries
- NBCUniversal (Please report all NBCU findings directly to [email protected])
- Comcast
- Sky Italy (Please report all Sky Italy findings directly to the Sky Italy VDP programme)
- Sky UK/ROI (Please report all Sky UK/ROI findings directly to the Sky UK/ROI VDP programme)
OOS Subscriber IP Ranges/Hostnames
The following IPs belong to our subscribers and are managed on their end. These are explicitly set as OOS and not to be tested, even if the hostnames resolve to .sky.
Everything (including any IP) that resolves to the hostname skybroadband.com is out of scope as these are customer hosted sites we do not own.
- *skybroadband.com
- *skybet.com
- *skynewsarabia.com
- *skynews.com.au
Vulnerabilities in the following IP addresses are also out of scope (see attached: Sky Excluded IPs.xlsx)
OOS Submission Types
- 3rd party endpoints
- 3rd party Sky Brand licensing
- Marketing/Analytics endpoints
- Server security misconfigurations with no impact (e.g., exposed instances with no sensitive data present)
- Email spoofing issues (e.g., SPF, DKIM, DMARC)
- Automated scan reports or search engine results (e.g., Shodan) without a valid proof of concept
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Comma Separated Values (CSV) injection without demonstrating a vulnerability
- Open redirect - unless an additional security impact can be demonstrated
- Self client-side injection (XSS, Angular, Vue, HTML, etc.) and any XSS that requires Flash. Flash is disabled by default in most modern browsers, which significantly reduces the attack surface and associated risk
- CORS without exploitation
- XSS due to Swagger-UI (will be accepted but not eligible for bounty, considered as P5 Informational)
- Exposed credentials that are either no longer valid, or do not pose a risk to an in-scope asset
- Exposure of API keys with no security impact, or where the only impact is exhausting of API quotas
- Vulnerabilities that only affect users of outdated or unpatched browsers
- Descriptive error messages (e.g., Stack Traces, application, or server errors) without proof of vulnerability or risk
- Submissions for 3rd party code where Sky Group is not responsible for the code
- SSL/TLS protocol scan reports reporting purported vulnerable protocol versions or handshakes
- Missing best practices in Content Security Policy, HttpOnly or Secure flags on cookies
OOS Activity Types
- Load Testing (DoS, DDoS, wireless jamming, etc.)
- Clickjacking on pages with no sensitive actions
- Banner Grabbing, Scanner Outputs, Password Complexity, User Enumeration, Software version disclosure, Descriptive error messages or headers (e.g. stack traces, application or server errors)
- Tabnabbing
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Account lockout, login, or forgot password page brute force
- Rate limiting issues on non-authentication endpoints/Anti-Automation
- Attacks requiring MITM or physical access to a user's device
- Publicly accessible login panels without a proven security impact
- Any activity that could disrupt our service (DoS), including but not limited to inundating support services with invalid requests
- Customer credentials leaked on the dark web or found via OSINT tools
- Social engineering attacks, including those targeting or impersonating internal employees by any means (e.g. customer service chat features, social media, personal domains, etc.)
- Protocol-specific flaws and open ports or services without an accompanying proof-of-concept demonstrating a vulnerability
- Theoretical security issues without any proof of concept (PoC)
Hardware Out Of Scope
- Physical tampering with the device (I/O interfaces such as USB, SIM, and SD card slots are in scope)
- Submissions that require an attacker to physically open the case, including removing screws or breaking plastic casing (open chassis) to gain access to the internal hardware of a device
- Vulnerabilities in pre-release product versions (e.g., Beta, Release candidate)
- Vulnerabilities in product versions that are no longer under active support
- Vulnerabilities already known to Sky Group. However, if you are the first external security researcher to identify and report a previously known vulnerability, you may still be eligible for a bounty award
- Submissions that utilise third-party websites or tools for cracking or validating secrets, passwords, keys or tokens
Eligibility
You are ineligible to participate if you are or have been:
- A current employee of Sky Group or its affiliates or subsidiaries or an employee who has left Sky Group or its affiliates or subsidiaries within the past 12 months
Access/Traffic Identification
IP Address
Please provide your IP address in the report while submitting the P1/P2 finding.
Custom User-Agent Header
Please add the following header to your HTTP traffic to prevent interruptions and verify non-malicious behaviour:
X-Bug-Bounty: <bugcrowdusername>
N-day/Third Party 0-day Policy
- When N-day bugs are released to the public, we will consider them in scope 30 days after the public release
- E.g., an N-day released on 01/01/2024 would be considered in scope on 01/31/2024
Stolen/Breached Credentials
If you happen to identify vulnerabilities involving data that has been exposed or leaked, such as on dark web forums or leaked-credential sites, you can report it to this engagement. However, be aware that it is only eligible for points-based compensation. This policy helps maintain the highest standard of operational confidentiality, integrity, and compliance.
Credentials
To gain access to the application, please sign up for an account using your @bugcrowdninja.com email address.
Safe Harbor
When conducting vulnerability research according to this policy, we consider this research to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire through the Bugcrowd Support Portal before going any further.