
661 bounties in database
02/08/2018

Reward

100 $ 

FanDuel

FanDuel invites you to test and help secure our primary publicly facing assets, focusing on our web, mobile, and API applications. We appreciate your efforts and hard work in making the internet (and FanDuel) more secure, and look forward to working with the researcher community to create a meaningful and successful bug bounty program. Good luck and happy hunting!

Ratings/Rewards:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.

Reward Guidelines

We offer financial rewards of up to US$2000 for newly discovered, validated and reproducible vulnerabilities found in line with this bounty brief. Please see below for minimum rewards, by severity:

Reward Range

Last updated 31 July 2018 17:54:26 UTC

Technical severity | Reward range
---|---
P1 Critical | $2,000 - $2,000
P2 Severe | $750 - $750
P3 Moderate | $300 - $300
P4 Low | $100 - $100

P5 submissions do not receive any rewards for this program.

Targets

In scope

Target name | Type
---|---
*.fanduel.com | Website
FanDuel iOS App | Other
FanDuel Android App | Other
*.fdbox.net | Website
<https://fanduel.design> | Website

Out of scope

Target name | Type
---|---
<https://www.sportsbook.fanduel.com/> | Website
<https://myaccount.fanduel.com> | Website
<https://myaccountmobile.fanduel.com> | Website
<https://newsroom.fanduel.com> | Other
partners.fanduel.com | Website

Any domain/property of FanDuel not listed in the targets section is out of scope. This includes any/all subdomains not listed above.


User registration

  • Researchers are encouraged to sign up for a free account at www.fanduel.com. When registering, please sign up using your @bugcrowdninja.com email address. For more information regarding @bugcrowdninja email addresses, see here.
  • Additional credentials will not be issued for admin.fanduel.com or api.fanduel.com access.

Mobile applications can be downloaded at:

  • https://itunes.apple.com/us/app/fanduel-one-day-fantasy-sports/id599664106?mt=8
  • https://play.google.com/store/apps/details?id=com.fanduel.android.live&hl=en_GB

Transaction Testing

If you wish to test transactions, you will need to add funds via the Add Funds function. The minimum deposit is US$10. After testing, you may request a refund of your deposit by completing this form: http://goo.gl/forms/kIyb9WeRI1

Please note, adding funds is currently restricted to US and Canada residents only. In addition, residents of the following US States are not permitted to add funds:

  • Alabama
  • Arizona
  • Delaware
  • Hawaii
  • Idaho
  • Iowa
  • Louisiana
  • Montana
  • Nevada
  • Texas
  • Washington

Focus Areas:

These issues are of particular interest and will be considered for top rewards:

  • Remote Code Execution
  • Significant Authentication Bypass
  • Cross Site Request Forgery on Critical Actions
  • Cross Site Scripting (excluding self-XSS)
  • Exfiltration of Sensitive Data or PII

Out of Scope:

  • No findings relating to a lack of rate limiting (on login, email triggering, or otherwise) will be accepted for this program.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.


FireBounty (c) 2015-2018