Please limit the number of requests to a maximum of 50/second.
Do not use scanners such as Nessus, Acunetix, etc.; we already scan our assets with these tools and you will not be rewarded for reporting vulnerabilities found by scanners.
All our LOGIN services are out of scope for the moment. Please review our Policy page.
Any brute-force attempt on our login services will be considered misbehavior and you will be banned from the program. We will not reward any credentials identified using brute-force attacks.
S3 bucket takeovers are temporarily out-of-scope.
Other types of subdomain takeover will be rewarded with $500 unless additional impact is demonstrated.
Leaked employee credentials (working credentials) will be rewarded with $250 unless additional impact is demonstrated.
IDOR/BAC vulnerabilities on SOCIAL functionality are out of scope.
Superbet will make a best effort to meet the following SLAs for hackers participating in our program:
| Type of Response | SLA in business days |
|---|---|
| First Response | 1 day |
| Time to Triage | 2 days |
| Time to Bounty | 14 days |
| Time to Resolution | depends on severity and complexity |
We will try to keep you informed about our progress throughout the process.
Disclosure Policy
- Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
- Follow HackerOne's disclosure guidelines.
Program Rules
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Test Plan
For our main applications (superbet.ro / magicjackpot.ro), you can use a Romanian fake CNP generator such as https://isj.educv.ro/cnp/ to create an account. Make sure you are using a Romanian VPN, as the portal works only for Romanian IPs.
- Please add the following User-Agent header when you are using any automated tools or scripts: `User-Agent: hackerone`. Requests that do not contain this User-Agent header might get blocked by our tools/SOC team.
Disclosure Policy
- Follow HackerOne's disclosure guidelines.
- Do not disclose information about any found vulnerabilities without express consent from Superbet.
- Disclosure requests must be made through the HackerOne platform - see instructions here. We will make the final decision on a per-report basis.
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
- Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring MITM or physical access to a user's device
- Previously known vulnerable libraries without a working Proof of Concept
- Comma Separated Values (CSV) injection without demonstrating a vulnerability
- Missing best practices in SSL/TLS configuration
- Any activity that could lead to the disruption of our service (DoS)
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Rate limiting or brute-force issues on non-authentication endpoints
- Missing best practices in Content Security Policy
- Missing HttpOnly or Secure flags on cookies
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)
- Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis
- Tabnabbing
- Open redirect - unless an additional security impact can be demonstrated
- Issues that require unlikely user interaction
- Username / email enumeration
- Descriptive error messages (e.g. stack traces, application or server errors).
- CORS issues without a working PoC
- Login page or one of our websites over HTTP
- Self XSS
- As a rule of thumb, we don't reward vulnerabilities found in 3rd parties. We have a lot of those, many of which have their own bug bounty programs, and the vulnerabilities affect many companies that integrate or use their software. This is why you should try to reach out to the company that originated the code and have these kinds of issues fixed upstream. We may try to reach the upstream provider ourselves to ensure that we're not keeping vulnerable code and, should we do so, you can be assured that you will be credited for the find.
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
You can contact us anytime for questions or support: [email protected]
Thank you for helping keep Superbet and our users safe!