FDJ United (Online Betting and Gaming) - Bug Bounty program

FDJ United (Online Betting and Gaming)

At FDJ United (Online Betting and Gaming), we are dedicated to working with the security community to identify and resolve vulnerabilities that protect our business and customers.

Scopes description

FDJ United (Online Betting and Gaming) operates multiple different brands where most of them are hosted on the same platform. There could be minor differences between the different domains. But in general if a vulnerability exists on one site it will most likely exist on all other sites as well.

Main scope

Most of the sites & apps within our scope will fall into this category. Where the sites and jurisdictions could differ from each other is what type of entertainment that is being offered and local verification or authentication schemes. For example BankID in Sweden.

All of our sites that are within the main scope are supported by a payment subdomain that you will be able to find on payment.brand.tld. These domains are also in scope for the bug bounty program.

Secondary scope

We have one site that are operating on a completely different platform and are only using the same infrastructure as the above mentioned sites. So it has its own backend and frontend. That site is https://www.unibet.fr.

Program Rules

Testing Policy, Responsible Disclosure

Please adhere to the following rules while performing research on this program:

• Only test against accounts that you own or have explicit permission from the account holder to test.
• Make every effort to avoid privacy violations, data destruction, and service interruptions or degradation.
• Notify us immediately if any sensitive information is accessed throughout the course of your testing.
• Do not perform any social engineering against users or FDJ United (Online Betting and Gaming) employees.
• Do not use automated scanners or tools that generate large amount of network traffic.
• Do not test the physical security of FDJ United (Online Betting and Gaming) offices, employees, equipment, etc.
• Do not perform Denial of service (DoS) or DDoS attacks on FDJ United (Online Betting and Gaming) applications, servers, networks or infrastructure.
• Do not attack our end users, or engage in trade of stolen user credentials
• Do not publicly disclose vulnerabilities or otherwise share vulnerabilities with a third party without FDJ United (Online Betting and Gaming)'s express written permission
• Current and former employees, contractors, third-party vendors, or immediate family members of employees are not permitted to take part in the bounty program.
• Make sure to apply hunting requirements policy

Reports of leaks and exposed credentials

In the context of this program, we do not intend to encourage, accept or reward reports of leaks that are not applicable to our program’s scope and identified outside of our program’s scope, such as:

• Exposed credentials in/from an out-of-scope asset/source
• Sensitive information exposed in/from an out-of-scope asset/source

Also, in order not to encourage dark and grey economies, in particular the purchase, resale and trade of identifiers or stolen information, as well as all types of dangerous behavior (e.g. social engineering, ...), we will not accept or reward any report based on information whose source is not the result of failure on the part of our organization or one of our employees/service providers.

This excludes, but is not limited to:

• Stolen credentials gathered from unidentified sources (e.g. …)
• Exposed credentials that are not applicable on the program’s scope
• Exposed GitHub/GitLab (or similar) instance with no direct relation with our program’s scope
• Exposed secrets (e.g. API tokens/keys or other technical credentials) that are not directly related to the program’s scope
• Exposed PII on an out-of-scope asset

To summarize, you may refer to this table :

Important precautions and limitations

As a complement to the Program’s rules and testing policy :

• DO NOT alter compromised accounts by creating, deleting or modifying any data
• DO NOT use compromised accounts to search for post-auth vulnerabilities
• DO NOT include Personally Identifiable Information (PII) in your report and please REDACT/OBFUSCATE the PII that is part of your PoC (screenshot, server response, JSON file, etc.) as much as possible.
• In case of exposed credentials or secrets, limit yourself to verifying the credentials validity
• In case of sensitivie information leak, DO NOT extract/copy every document or data that is exposed and limit yourself to describe and list what is exposed.

Reward Eligibility

We are happy to thank everyone who submits valid reports which help us improve the security of FDJ United (Online Betting and Gaming), however only those that meet the following eligibility requirements may receive a monetary reward:

• You must be the first reporter of a vulnerability.
• The vulnerability must be a qualifying vulnerability
• The report must contain the following elements:
• Clear textual description of the vulnerability, how it can be exploited, the security impact it has on the application, its users and FDJ United (Online Betting and Gaming), and remediation advice on fixing the vulnerability
• Proof of exploitation: screenshots demonstrating the exploit was performed, and showing the final impact
• Provide complete steps with the necessary information to reproduce the exploit, including (if necessary) code snippets, payloads, commands etc
• You must not break any of the testing policy rules listed above

Reward amounts are based on:

• Reward grid of the report's scope:
  Our rewards are based on the impact and severity of a vulnerability. The amounts listed represent the standard maximum possible for each severity level. Please note that these are general guidelines, and final reward decisions are at the discretion of FDJ United (Online Betting and Gaming). Rewards may be lower than the maximum if the impact or severity of a vulnerability is assessed to be less significant.

• CVSS scoring and actual business impact of the vulnerability upon performing risk analysis:
  For instance, achieving Remote Code Execution (RCE) on a third-party component with no access to FDJ United (Online Betting and Gaming)'s infrastructure may not be considered critical.

Example of vulnerabilities and severities

Critical

• Remote Code Execution
• SQL Injection
• Gaining access to our PCI environment
• Account takeover without user-interaction
• Arbitrary access to any user's account data, such as:
• Credit card or bank account details
• Sensitive personally identifiable information (PII)

  High

• Stored XSS
• Blind XSS
• Subdomain takeover on main brand sites
• Account takeover requiring user-interaction
• Access to a single user's account data without that user's interaction, such as:
• Credit card or bank account details
• Sensitive personally identifiable information (PII)

  Medium

• Reflected XSS
• CSRF on sensitive actions and functions (unless it can be escalated to an account takeover)

  Low

• Open/Unvalidated Redirects
• CSRF on insensitive/low-impact actions (i.e. opting-in to tournaments)
• Captcha bypass
• Information disclosure through server-status or configuration pages
• Subdomain takeover on non main brand sites