avatar
Bug bounty
Public

ATG Public Bug Bounty Program

ATG is the gaming company that knows horse racing. The company was founded in 1974 with the mission to safeguard the long-term development of trotting and thoroughbred racing by offering responsible gambling. ATG has provided quality excitement and entertainment to the Swedish people since the first bet was placed. The company intends to continue doing so. Our vision is to deliver the world’s best gaming experiences. Our offering is: exciting gaming experiences in a fair and convenient manner.

Reward

Bounty
Hall of fame
€0
Low
€100
Medium
€500
High
€1,500
Critical
€4,000

Program

Avg reward
-
Max reward
-
Scopes
7

Supported languages
English

Hacktivity

Reports
182
1st response
< 1 day
Reports last 24h
-
Reports last week
2
Reports this month
11

*** Rate limiting ***

Remember to rate limit your test tools to max 5 requests per second.

Change log

2023-01-30

  • Added wildcard scope *.atg.se with a few out of scope assets. -woohooo :-)
  • Increased medium, high and critical rewards $$$.

2022-10-17

  • Added reward grid +++ for 3 scopes with increased rewards.

2022-09-15

  • Added reward for reports with CVSS Low to the scope and increased maximum reward.
  • Added ATG Live for Android and Apple TV to the scope.

About

ATG (AB Trav och Galopp) is the gaming company that knows horse racing. The company was founded in 1974 with the mission to safeguard the long-term development of trotting and thoroughbred racing by offering responsible gambling. ATG has provided quality excitement and entertainment to the Swedish people since the first bet was placed. The company intends to continue doing so. Our vision is to deliver the world’s best gaming experiences. Our offering is: exciting gaming experiences in a fair, convenient and secure manner.

We are committed to work with security experts, such as yourself from all over the world to stay up to date and safeguard our customers, partners and employees. If you discovery a vulnerability that we should know about, do not hesitate and let us know.

We share your passion for security and appreciate your work!

Our rules

  • We will respond as quickly as possible and keep you updated throughout the process
  • We will not take legal actions against you if you follow the rules and scopes
  • We will be fair and evaluate submissions according to realistic scenarios
  • We reserve the right to cancel this Bug Bounty Program or change its scope at any time
  • The decision to pay a reward is at our discretion

Your rules

We appreciate your work, knowledge and passion for security. We are happy to work with everyone who submits valid reports to help improve our security. With that said, only those that meet the following eligibility requirements may receive monetary reward.

  • Rate limiting of automatic testing tools to a maximum of 5 requests per second
  • Disclosure of the vulnerability report is made exclusively through YWH
  • The report shall include a clear description including the steps to reproduce the vulnerability together with necessary attachments such as screenshots, proof of concept code or similar
  • You need to be the first person to report an unknown issue
  • You need to report any vulnerability found not later than 24 hours after discovery
  • You are not allowed to perform any type of Denial of Service attack or tests that could cause degradation or interruption of our service
  • You are not allowed to leak, manipulate or destroy any user data
  • You are not allowed to publicly disclose a bug before it has been fixed
  • You are not allowed to attempt non-technical attacks such as social engineering, phishing, etc
  • You are only allowed to test against accounts you own yourself
  • You must not be a former or current ATG employee/contractor

Sometimes our teams are already aware and working on a vulnerability before you reported it. In that case we will recognize your work and thank you but the report will not be eligible for a reward.

Note that disclosing details, conversations or other information that have negative impact on the program or ATG brand will result in immediate disqualification from the program.

Scope

Only defined scopes are eligible for rewards. However.. Serious vulnerabilities reported on out of scope assets is currently not eligible for monetary rewards but we will try to set you up with some "cool merch" as thank you if your report result in changes on our side and evaluate to adjust our scope for the future.


Reward

Asset value CVSS
Low
CVSS
Medium
CVSS
High
CVSS
Critical
Critical
€100€500€1,500€4,000
Low
€100€300€1,000€3,000

Scopes

ScopeTypeAsset value
*.atg.se other
Low
Low
€100
Medium
€300
High
€1,000
Critical
€3,000
www.atg.se web-application
Critical
Low
€100
Medium
€500
High
€1,500
Critical
€4,000
api.atg.se api
Critical
Low
€100
Medium
€500
High
€1,500
Critical
€4,000
iam.atg.se web-application
Critical
Low
€100
Medium
€500
High
€1,500
Critical
€4,000
https://apps.apple.com/se/app/atg/id1434660322 mobile-application-ios
Low
Low
€100
Medium
€300
High
€1,000
Critical
€3,000
https://apps.apple.com/se/app/atg-live/id1608156355 other
Low
Low
€100
Medium
€300
High
€1,000
Critical
€3,000
https://play.google.com/store/apps/details?id=se.atg.live&hl=en&gl=SE mobile-application-android
Low
Low
€100
Medium
€300
High
€1,000
Critical
€3,000

Out of scopes

  • fraga.atg.se (external supplier)
  • hittabutik.atg.se (external supplier)
  • kundo.atg.se (external supplier)
  • shop.atg.se (external supplier)
  • r124.news.atg.se (external supplier)
  • r123.news.atg.se (external supplier)
  • r122.news.atg.se (external supplier)
  • r121.news.atg.se (external supplier)

Vulnerability types

Qualifying vulnerabilities

  • Authentication Bypass
  • Code injections (JS, SQL, etc...)
  • Cross-Site Requests Forgery (CSRF) on critical actions
  • Cross-Site Scripting (XSS)
  • Horizontal and vertical privilege escalation
  • Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
  • Open Redirect
  • Remote code execution (RCE)
  • Reproducible game manipulation and/or cheating

Non-qualifying vulnerabilities

  • "Self" XSS
  • Rate Limiting
  • Text/HTML Injection
  • Social engineering
  • Homograph Attack
  • Missing cookie flags
  • Information disclosure
  • CSRF on non critical actions
  • SSL/TLS best practices
  • Mixed content warnings
  • Denial of Service attacks
  • Missing security headers
  • Clickjacking/UI redressing
  • Software version disclosure
  • Stack traces or path disclosure
  • Missing autocomplete attributes
  • Physical or social engineering attempts
  • Recently disclosed 0-day vulnerabilities
  • Presence of autocomplete attribute on web forms
  • Vulnerabilities affecting outdated browsers or platforms
  • Our policies on presence/absence of SPF/DMARC records
  • Any hypothetical flaw or best practices without exploitable POC
  • Issues that require physical access to a victim’s computer/device
  • Logout and other instances of low-severity Cross-Site Request Forgery
  • Extension manipulation without any evidence of vulnerability (Attachments)
  • Missing security-related HTTP headers which do not lead directly to a vulnerability
  • Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated
  • Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM/DMARC)
  • Any issues regarding single session features/management
  • RTLO and related issues
  • All vulnerabilities not listed in Qualifying vulnerabilities

Hunters collaboration

When submitting new report, you can add up to 5 collaborators, and define the reward split ratio.

For more information, see help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.