ATG Public Bug Bounty Program

Rate limiting

Remember to rate limit your test tools to max 10 requests per second.

Change log

2024-05-17

  • Our social betting platform Tillsammans has moved from our *.atg.se wildcard scope to the www.atg.se/tillsammans scope with increased rewards.
    - This might be of interest since the tech stack has changed and is uncharted bug territory.

2023-01-30

  • Added wildcard scope *.atg.se with a few out of scope assets. -woohooo :-)
  • Increased medium, high and critical rewards $$$.

2022-10-17

  • Added reward grid +++ for 3 scopes with increased rewards.

2022-09-15

  • Added reward for reports with CVSS Low to the scope and increased maximum reward.
  • Added ATG Live for Android and Apple TV to the scope.

About

ATG (AB Trav och Galopp) is the gaming company that knows horse racing. The company was founded in 1974 with the mission to safeguard the long-term development of trotting and thoroughbred racing by offering responsible gambling. ATG has provided quality excitement and entertainment to the Swedish people since the first bet was placed. The company intends to continue doing so. Our vision is to deliver the world’s best gaming experiences. Our offering is: exciting gaming experiences in a fair, convenient and secure manner.

We are committed to working with security experts such as yourself, from all over the world, to stay up to date and safeguard our customers, partners and employees. If you discover a vulnerability that we should know about, do not hesitate to let us know.

We share your passion for security and appreciate your work!

Our rules

  • We will respond as quickly as possible and keep you updated throughout the process
  • We will not take legal actions against you if you follow the rules and scopes
  • We will be fair and evaluate submissions according to realistic scenarios
  • We reserve the right to cancel this Bug Bounty Program or change its scope at any time
  • The decision to pay a reward is at our discretion

Your rules

We appreciate your work, knowledge and passion for security. We are happy to work with everyone who submits valid reports to help improve our security. With that said, only those who meet the following eligibility requirements may receive a monetary reward.

  • Rate limiting of automatic testing tools to a maximum of 5 requests per second
  • Disclosure of the vulnerability report is made exclusively through YWH
  • The report shall include a clear description including the steps to reproduce the vulnerability together with necessary attachments such as screenshots, proof of concept code or similar
  • You need to be the first person to report an unknown issue
  • You need to report any vulnerability found not later than 24 hours after discovery
  • You are not allowed to perform any type of Denial of Service attack or tests that could cause degradation or interruption of our service
  • You are not allowed to leak, manipulate or destroy any user data
  • You are not allowed to publicly disclose a bug before it has been fixed
  • You are not allowed to attempt non-technical attacks such as social engineering, phishing, etc
  • You are only allowed to test against accounts you own yourself
  • You must not be a former or current ATG employee/contractor

Sometimes our teams are already aware of and working on a vulnerability before you report it. In that case we will recognize your work and thank you, but the report will not be eligible for a reward.

Note that disclosing details, conversations or other information that have negative impact on the program or ATG brand will result in immediate disqualification from the program.

Scope

Only defined scopes are eligible for rewards. Serious vulnerabilities reported on out-of-scope assets are currently not eligible for monetary rewards; however, we will try to set you up with some "cool merch" as a thank-you if your report results in changes on our side, and we will evaluate adjusting our scope for the future.

In Scope

Scope Type           Scope Name
android_application  https://play.google.com/store/apps/details?id=se.atg.live&hl=en&gl=SE
api                  api.atg.se
ios_application      https://apps.apple.com/se/app/atg/id1434660322
web_application      www.atg.se
web_application      iam.atg.se
web_application      *.atg.se
web_application      https://apps.apple.com/se/app/atg-live/id1608156355

Out of Scope

Scope Type       Scope Name
web_application  shop.atg.se (external supplier)
web_application  hittabutik.atg.se (external supplier)
web_application  r124.news.atg.se (external supplier)
web_application  r123.news.atg.se (external supplier)
web_application  r122.news.atg.se (external supplier)
web_application  r121.news.atg.se (external supplier)
web_application  fraga.atg.se (external supplier)
web_application  kundo.atg.se (external supplier)


This policy crawled by Onyphe on the 2022-03-08 is sorted as bounty.
