Welcome!
Kindred Group looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. Kindred Group will make a best effort to respond to incoming reports within 5 business days, validate the report within 10 business days, and make a bounty determination after validating a legitimate security issue within 10 business days. We’ll try to keep you informed about our progress throughout the process.
Violation of any of these rules may result in ineligibility for a bounty and/or removal from the program.

- Only test against accounts you own or accounts that you have explicit permission from the account holder to test against
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service
- Notify us immediately if any sensitive information is accessed throughout the course of your testing
- Do not perform any social engineering against users or Kindred Group employees
- Do not run automated scans (see below)
- Do not test the physical security of Kindred Group offices, employees, equipment, etc.
- Do not perform DoS or DDoS attacks
- Do not attack our end users, or engage in trade of stolen user credentials
- Do not publicly disclose vulnerabilities or otherwise share vulnerabilities with a third party without Kindred Group's express written permission
- Current and former employees are not permitted to take part in the bounty program
Please do not run automated scans. They impact our systems and services, which means long days at the office.
If we determine that you are running automated scans against our infrastructure, we may decide to reward a lower amount than usual. If you continue to run automated scans without our explicit permission, you may be removed from the program.
- Let us know as soon as possible upon discovery of a potential security issue and we'll make every effort to quickly resolve the issue
- Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines)
- Submit one bug per report
- Please provide detailed steps for reproducing the bug. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Multiple bugs caused by one underlying issue will be rewarded one bounty.
- When submitting a report, please consider the attack scenario / exploitability of the bug, as well as its security impact
To help our fraud systems, please create an account using your HackerOne email alias: username@wearehackerone.com.
If your account is disabled or banned, do not contact Kindred Customer Service or create a HackerOne report. You can create a new account using the format username+1@wearehackerone.com.
Only the Assets listed in the structured Scope section below are considered eligible for a bounty. Please carefully review this section before submitting a report.
Please note: before submitting a bug report, check the target domain's DNS records to ensure that it is not an alias (CNAME) of an out-of-scope domain.
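As an added illustration of the alias check above (not the program's own tooling), the Python below follows a constructed CNAME table and classifies a host as out of scope if it, or anything it aliases, matches an out-of-scope pattern. The CNAME records and the scope patterns not taken from this page are assumptions.

```python
"""Scope classifier honouring the rule that a host which is a DNS alias
(CNAME) of an out-of-scope domain is itself out of scope.
Added example; the CNAME table is constructed, not real DNS data."""

# Patterns in the program's own notation: "*.x" matches subdomains of x only,
# so the bare domain has to be listed separately, as the page does.
IN_SCOPE = ["*.unibet.com", "unibet.me", "*.unibet.fr"]
OUT_OF_SCOPE = ["*.nj.unibet.com", "nj.unibet.com", "*.pa.unibet.com",
                "pa.unibet.com", "*.custhelp.com", "cdn2.unibet.com"]

# Constructed CNAME records standing in for a resolver lookup (assumed values).
CNAME_TABLE = {
    "promo.unibet.com": "edge.nj.unibet.com",             # alias of out-of-scope host
    "help.unibet.com": "kindred.custhelp.com",            # third-party helpdesk
    "www.unibet.com": "www.unibet.com.cdn.example.net",   # hypothetical CDN edge
}


def matches(host, pattern):
    """True if host matches a scope pattern; '*.' matches proper subdomains only."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # ".nj.unibet.com" suffix
    return host == pattern


def resolve_chain(host, table, limit=8):
    """Follow CNAMEs to the final target, stopping on loops or a chain too long."""
    chain = [host]
    while host in table and len(chain) <= limit:
        host = table[host]
        if host in chain:
            break                            # CNAME loop: stop, keep what we saw
        chain.append(host)
    return chain


def classify(host, table=CNAME_TABLE):
    """Return (verdict, offending_or_matched_host). Out of scope wins over in scope."""
    chain = resolve_chain(host.lower().rstrip("."), table)
    for h in chain:                          # any hop to an excluded host disqualifies
        if any(matches(h, p) for p in OUT_OF_SCOPE):
            return ("out_of_scope", h)
    if any(matches(chain[0], p) for p in IN_SCOPE):
        return ("in_scope", chain[0])
    return ("unlisted", chain[0])
```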
There are two platforms which our various brands run on. All brands and geographic TLDs that run on the same platform share the same code. In situations where a specific bug affects all brands on the same platform, we will only reward the initial report for that bug, as one fix will solve the bug on all brands running on the same platform.
For reference, these are the brands hosted on each of the platforms:
| Platform 1 | Platform 2 |
|------------|------------|
| Unibet | MariaCasino |
| Storspelare/Storspiller | Kolikkopelit |
| Bingo | iGame |
| VladCazino | CasinoHuone |
| | Otto Kasino |
The following applications/platforms are out of scope and should not be tested.

- *.nj.unibet.com / nj.unibet.com
- *.pa.unibet.com / pa.unibet.com
- *.in.unibet.com / in.unibet.com
- *.va.unibet.com / va.unibet.com
- *.ia.unibet.com / ia.unibet.com
- *.az.unibet.com / az.unibet.com
The following components on our sites are developed by third parties and served through iframes. These components, and anything similar, are out of scope, with the exception of any components specifically listed in our Scope section.

- Games (including Casino, Live Casino, etc.)
- Poker
- Bingo
- Sports
- Clickjacking on pages with no sensitive actions
- Unauthenticated/logout/login CSRF
- Missing HTTP security headers
- Missing best practices in SSL/TLS configuration
- Lack of Secure/HTTPOnly flags on non-sensitive cookies
- Attacks requiring MITM or physical access to a user's device
- Previously known vulnerable libraries without a working Proof of Concept
- Comma Separated Values (CSV) injection without demonstrating a vulnerability
- Any activity that could lead to the disruption of our service (DoS/DDoS)
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Descriptive error messages (e.g. stack traces, application or server errors)
- Fingerprinting / banner disclosure on common/public services
- Disclosure of known public files or directories (e.g. robots.txt)
- Application or web browser 'autocomplete' or 'save password' functionality
- Username / email enumeration
- Account lockout not enforced
- Brute-forcing user credentials
- Weak password policies
- Host header injection without exploitation
- Self-XSS or XSS that only affects out-of-date browsers
- Mail configuration issues including SPF, DKIM, and DMARC settings
- Vulnerabilities that rely on Flash
- 0-day vulnerabilities and security updates will require a 30/60 day cool-down period
- Absence of certificate pinning
- Any kind of sensitive data stored in the app's private directory
- Any URIs leaked because a malicious app has permission to view opened URIs
- Application crashes due to malformed URL schemes
- Crashes due to malformed Intents sent to an exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope)
- Exposure of non-sensitive data on the device
- Lack of binary protection (anti-debugging) controls
- Lack of exploit mitigations
- Lack of obfuscation
- Pasteboard leakage
- Sensitive data in URLs/request bodies when protected by TLS
- User data stored unencrypted on the device or on external storage
- Vulnerabilities in third party libraries without showing specific impact to the target application (e.g. a CVE with no exploit)
- Vulnerabilities requiring a rooted, jailbroken, or otherwise modified device
Thank you for helping keep Kindred Group and our users safe!
| Scope Type | Scope Name |
|---|---|
| android_application | com.unibet.casino |
| android_application | com.unibet.unibetpro |
| ios_application | 905382680 |
| ios_application | 463335337 |
| ios_application | 669969610 |
| other | Components |
| web_application | *.unibet.com |
| web_application | *.storspiller.com |
| web_application | *.bingo.com |
| web_application | *.mariacasino.com |
| web_application | *.kolikkopelit.com |
| web_application | *.casinohuone.com |
| web_application | *.igame.com |
| web_application | relaxcdn.unibet.com |
| web_application | *.vladcazino.ro |
| web_application | unibet.me |
| web_application | maria.casino |
| web_application | *.ottokasino.com |
| web_application | *.kindredext.net |
| web_application | https://www.32red.com |
| web_application | *.unibet.fr |
| Scope Type | Scope Name |
|---|---|
| web_application | ads*.unibet.com |
| web_application | livechat.unibet.com |
| web_application | kindredgroup.com |
| web_application | kindredaffiliates.com |
| web_application | link.bingo.com |
| web_application | a1s.unibet.com |
| web_application | cdn2.unibet.com |
| web_application | *.nj.unibet.com |
| web_application | *.pa.unibet.com |
| web_application | *.in.unibet.com |
| web_application | *.va.unibet.com |
| web_application | affiliates.unibet.fr |
| web_application | af.unibet.fr |
| web_application | media.unibet.fr |
| web_application | *.custhelp.com |
| web_application | *.ia.unibet.com |
| web_application | *.az.unibet.com |
| web_application | *on.unibet.ca |
This program was found on HackerOne on 2020-02-12.
FireBounty © 2015-2024