Responsible Disclosure

July 15, 2019

by catalin

FootballCoin

About

FootballCoin gives you the chance to showcase your managerial abilities by allowing you to create your perfect football team. When entering the game you will be able to register for contests, create the team’s roster, and win prizes based on your football knowledge.

Because the platform works with some sensitive information about our users, including their XFC coins and collectible player cards, we appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats.

We encourage security researchers to identify and submit vulnerability reports regarding anything accepted by FootballCoin’s scope, including but not limited to the website, application, and services.

Program Scope / Targets of interest

In scope targets

  • www.footballcoin.io
  • game.footballcoin.io
  • XFC blockchain components (e.g. blockchain, node, wallet)

Out of scope targets

All resources that are not defined in the scope.

Out of scope vulnerabilities

  • Theoretical vulnerabilities without actual proof of concept
  • Email verification deficiencies, expiration of password reset links, and password complexity policies
  • Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)
  • Clickjacking/UI redressing with minimal security impact
  • Email or mobile enumeration (E.g. the ability to identify emails via password reset)
  • Information disclosure with minimal security impact (E.g. stack traces, path disclosure, directory listings, logs, application or server errors)
  • Internally known issues, duplicate issues, or issues which have already been made public
  • Tab-nabbing
  • Self-XSS
  • Vulnerabilities only exploitable on out-of-date browsers or platforms
  • Vulnerabilities related to auto-fill web forms
  • Use of known vulnerable libraries without actual proof of concept
  • Lack of security flags in cookies
  • Issues related to unsafe SSL/TLS cipher suites or protocol version
  • Content spoofing
  • Cache-control related issues
  • Exposure of internal IP address or domains
  • Missing security headers that do not lead to direct exploitation
  • CSRF with negligible security impact (E.g. adding to favourites, adding to cart, subscribing to a non critical feature)
  • Issues that have no security impact (E.g. Failure to load a web page)
  • Assets that do not belong to FootballCoin
  • Phishing (E.g. HTTP Basic Authentication Phishing), Spam or Social Engineering
  • CORS vulnerabilities without Proof of Concept
  • Lack of Rate Limits

Actions & tests to avoid

  • Testing accounts other than those that you own
  • Usage of automatic testing tools such as vulnerability scanners, brute force, etc.
  • Causing, or attempting to cause, a Denial of Service (DoS) condition
  • Data destruction
  • Automated vulnerability scans are strictly prohibited
  • Do not attack our end users in any way, or engage in the trade of stolen user credentials
  • No phishing
  • Do not use blackmail techniques in order to ask for financial gains

How to report security vulnerabilities?

We are using the OWASP risk assessment methodology to determine the bug’s level of threat to the website information and/or XFC network. You can send us a message with your finding at security@footballcoin.io, bearing in mind the following steps of the engagement:

  1. Send us a brief description of the vulnerability that should contain at least the following:
    1. Title of the vulnerability
    2. The affected page / url / ip / service
    3. Steps to reproduce the issue
    4. Proof of vulnerability
    5. Impact (based on OWASP Risk Score Methodology)
    6. How to fix the issue
  2. Once submitted, we will acknowledge that we have received your report with a non-automated reply within 7 days and provide an outline response plan where applicable. The report will be verified by Independent 3rd party security specialists from Bit Sentinel, a cyber security services provider with an acknowledged mission to protect businesses against cyber threats.
  3. We confirm the issue & start working on a patch
  4. We confirm that we have fixed the issue and ask you to retest the bug
  5. You will be added to the Hall of Fame and, if the vulnerability is accepted for reward, you get rewarded
  6. The vulnerability can be responsibly disclosed and published after we give our consent, but not earlier than 60 calendar days after you have notified FootballCoin; the disclosure should not contain any sensitive information about our technology or customer information

Please note that we also accept anonymous submissions.

Rewards

Any vulnerability reported and accepted by the independent 3rd party security specialists from Bit Sentinel will appear on the Hall of Fame within a maximum of 30 days after the bug is confirmed.

We may offer rewards in XFC coins or collectible player cards for reports involving critical vulnerabilities but this type of reward is not guaranteed for now.

We won’t offer rewards to individuals who are on sanctions lists, or who are in countries on sanctions lists. Any tax implications fall under your full responsibility, depending on your country of residency and citizenship. Moreover, further restrictions may apply, also depending upon your local law.

Hall of Fame

We want to thank all the security researchers who helped us improve the security of our product. Special mention goes to the following:

Our Commitment

If your actions are performed in good faith and follow this policy we commit to the following:

  • The information that you share with us as part of this process will be kept confidential within FootballCoin and our directly contracted suppliers involved in this process. It will not be shared with third-parties without your permission.
  • We won’t initiate any legal action against security researchers attempting to find vulnerabilities within our systems who adhere to this policy and do not try to exfiltrate sensitive information for malicious use.
  • If you report a vulnerability that materially affects our services or infrastructure, we will give you thanks with public acknowledgment.

Other Limitations

  • This is not a competition, but rather an experimental and discretionary rewards program. You should understand that we can cancel the program at any time and that the decision as to whether or not to pay a reward is entirely at our discretion.
  • Your testing must not violate any law, or disrupt or compromise any data that is not your own.
  • To avoid potential conflicts of interest, we will not grant rewards to people employed by FootballCoin companies who develop code for devices covered by this program.
  • If applicable, FootballCoin will coordinate public notification of a validated vulnerability with you. When possible, we would prefer that our respective public disclosures be posted simultaneously.