FanDuel invites you to test and help secure our primary publicly facing assets, focusing on our web, mobile, and API applications. We appreciate your efforts and hard work in making the internet (and FanDuel) more secure, and look forward to working with the researcher community to create a meaningful and successful bug bounty program. Good luck and happy hunting!
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability's priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.
We offer financial rewards of up to US$2000 for newly discovered, validated and reproducible vulnerabilities found in line with this bounty brief. Please see below for the minimum rewards by severity:
Last updated 31 July 2018 17:54:26 UTC
Technical severity | Reward range
P1 Critical | $2,000 - $2,000
P2 Severe | $750 - $750
P3 Moderate | $300 - $300
P4 Low | $100 - $100
P5 submissions do not receive any rewards for this program.
Target name | Type
*.fanduel.com | Website
FanDuel iOS App | Other
FanDuel Android App | Other
*.fdbox.net | Website
<https://fanduel.design> | Website
Target name | Type
<https://www.sportsbook.fanduel.com/> | Website
<https://myaccount.fanduel.com> | Website
<https://myaccountmobile.fanduel.com> | Website
<https://newsroom.fanduel.com> | Other
partners.fanduel.com | Website
Any domain/property of FanDuel not listed in the targets section is out of scope. This includes any/all subdomains not listed above.
If you wish to test transactions, you will need to add funds via the Add Funds function. The minimum deposit is US$10. After testing, you may request a refund of your deposit by completing this form: http://goo.gl/forms/kIyb9WeRI1
Please note, adding funds is currently restricted to US and Canada residents only. In addition, residents of the following US States are not permitted to add funds:
These issues are of particular interest and will be considered for top rewards:
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
Contact us if you want more information.