Unikrn

Program listed: 2017-07-28
Last updated: 2019-08-22
Minimum reward: 50 $

Unikrn built the most technologically advanced sportsbook for esports. We run the best fully-regulated and licensed esports bookmaker on the planet. No technology is perfect, and Unikrn believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Disclosure Policy

  • Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue

  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder

Bounty Program

To show our appreciation of responsible security researchers, Unikrn offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion.

Scope Exclusions (not eligible for a reward)

  • DNS related or HTTP(S) Header related reports

  • Reports relating to self-DoS issues (as in, only the person doing the action is denied service)

  • Reports relating to self-exploit issues (as in, only the logged-in person performing the action is exploited, in a non-persistent fashion)

  • Reports of the same issue on an alias domain, if there is already an open report for the same issue on another domain

  • Server/Software version disclosure

  • Login CSRF / logout CSRF

  • Email spoofing (DMARC/SPF/DKIM)

  • Reflected file download

  • Clickjacking on empty or staging sites (read: must have high real-world impact)

  • Flaws affecting out-of-date browsers and plugins

  • Publicly accessible login panels or HTML, JS, etc.

  • CSP weaknesses

  • Tabnabbing (missing rel="noopener")

  • HTTP Public Key Pinning

  • We use S3 buckets to temporarily store files that people have provided. These files expire and should never transition into anything we deliver as files. Unless you can show a report where this is the case (we deliver such a file or URL to someone who did not upload it), this is not relevant: the use case is then no different from an attacker creating their own S3 bucket and linking people to a file they uploaded. If you have reasons to disagree with this assessment, please open a report about it.

  • Vulnerabilities in third-party libraries without a working exploit against our apps/servers

  • Recently disclosed 0-day vulnerabilities

  • Vulnerabilities on sites hosted by third parties, unless they lead to a vulnerability on our scoped domains

  • Bugs that have not been responsibly investigated and reported, or that are directly copied and pasted from automated scan reports

  • Bugs already known to us, or already reported by someone else (reward goes to first reporter)

  • Issues that aren't reproducible

  • Issues that we can't reasonably be expected to do anything about

Requirements

  • If you report a network attack, please provide a curl command line (if possible)

  • Researchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect

  • If you exploit something using a custom-crafted request (and it does not affect an API), please describe the real-world impact on a user visiting with a browser

  • Please allow 3 business days for us to respond before sending another question on it

  • Make sure to correctly classify the report severity. Refrain from reporting a severity above medium if the report has medium or limited impact on real users of a Unikrn service

Exclusions

While researching, we'd like to ask you to refrain from:

  • Denial of service

  • Spamming

  • Social engineering (including phishing) of Unikrn staff or contractors

  • Any physical attempts against Unikrn property or data centers

  • Probing well-known third-party components (like Olark) on our assets

If you are looking to report a non-security-related bug, please use this link https://unikrn.com/contact or send an email to support@unikrn.com instead. GPG key: https://unikrn.com/unikrn.asc

Thank you for helping keep Unikrn and our users safe!

In Scope

Scope Type        Scope Name
web_application   news.unikrn.com
web_application   auth.unikrn.com
web_application   connekt-api.unikrn.com
web_application   jet-api.unikrn.com
web_application   auctionbot.unikrn.com
web_application   crm.unikrn.com
web_application   unikrn.com
web_application   affiliates.unikrn.com
web_application   api-w.unikrnb2b.com
web_application   api.unikrn.com


FireBounty © 2015-2024
