LAST UPDATED: OCTOBER 2022
1. Policy Statement
1.1 The DAZN Group (“DAZN”) is committed to protecting the confidentiality and integrity of its digital platform. We recognise that the security research community plays an integral role in helping us improve our products and services and keep our customers and employees safe. We want security researchers to feel comfortable reporting bugs and vulnerabilities they’ve discovered so we can fix them and protect our customers, company and our brand. We have developed this policy to reflect our values and uphold our sense of responsibility to security researchers who share their expertise with us in good faith. Whilst we value those who take the time and effort to report bugs and security vulnerabilities according to this policy, we do not offer monetary rewards for bug and vulnerability disclosures. We will, however, make efforts to show our appreciation to security researchers who take the time and effort to investigate and report security vulnerabilities to us according to this policy wherever we can.
1.2 This Responsible Vulnerabilities Disclosure Policy explains how we work with the security research community to improve our security and applies to any bugs and vulnerabilities you are considering reporting to us. We recommend reading this policy fully before you report a bug and/or a vulnerability and act at all times in compliance with it.
1.3 If you comply with this policy during your security research, we will consider your research to be authorised and we will work with you to understand and resolve the issue quickly.
1.4 We actively endorse and support working with the research and security community to improve our online security.
1.5 We are committed to:
- investigating and resolving security issues in our products and services
- working in collaboration with the security community
- responding promptly and actively
1.6 We may amend this policy at any time.
2. Scope
2.1 This policy applies only to vulnerabilities in our products and services under the following conditions:
- "In scope" vulnerabilities must be original, previously unreported, and not already discovered by internal procedures.
- Volumetric vulnerabilities are not in scope; this means that simply overwhelming a service with a high volume of requests is not in scope.
- Reports of non-exploitable vulnerabilities, or reports indicating that our services do not fully align with "best practice" (for example missing security headers) are not in scope.
- TLS configuration weaknesses, for example "weak" cipher suite support or the presence of TLS 1.0 support, are not in scope.
2.2 In Scope Vulnerabilities
The following are examples of vulnerabilities that may be within the scope of this policy:
- Exposure of sensitive data (examples: PII)
- Remote Code Execution
- SQL Injection
- Authentication Bypass resulting in access to a user account or content re-streaming
- Exposed access tokens
- Cross-Site Scripting
- Exposed S3 buckets
- Cross-site request forgery that results in accessing another user’s account
2.3 Out of Scope Vulnerabilities
The following are examples of vulnerabilities that will be out of the scope of this policy:
- Denial of Service attacks and rate limiting
- Phishing or social engineering
- Missing headers (HSTS, CSP, etc.)
- Weak SSL/TLS/SSH algorithms or protocols
- Clickjacking
- Banners or version information disclosure
- Full path disclosure
- XSS mitigation headers
- Crash reports (mobile)
- Insecure cookie settings
- Reuse of passwords from public dumps
3. Reporting
3.1 If you believe you have found a security vulnerability, please submit your report to us using the following email: security@DAZN.com.
3.2 In your submission, please provide us with as much detail of the security vulnerability as possible. This includes (but is not limited to) details of:
- The website, IP or URL page where the vulnerability / bug is located and/or can be observed.
- A brief description of the type of vulnerability, for example, “XSS vulnerability”.
- An outline of potential risk and impact of the vulnerability.
- Screenshots or screen captures to illustrate the evidence of where the vulnerability / bug can be observed.
- Steps required to reproduce the issue. These should be a benign, non-destructive proof of concept.
This helps to ensure that the report can be triaged quickly and accurately. It also reduces the likelihood of duplicate reports, or malicious exploitation of some vulnerabilities, such as sub-domain takeovers.
4. What To Expect
4.1 After you have submitted your report, the team will triage the reported vulnerability and respond as soon as possible to let you know whether further information is required, whether the vulnerability is in or out of scope or whether it is a duplicate report. If remediation work is necessary, it will be assigned to the appropriate team.
4.2 Priority for remediation is assessed by looking at the impact, severity and exploit complexity. It may take some time for a team to address your report. You are welcome to enquire on the status but should avoid doing so more than once every 14 days. This allows our teams to focus on the reports and remediation as much as possible.
4.3 We will notify you when the reported vulnerability is remediated, and you may be invited to confirm that the solution covers the vulnerability adequately.
4.4 Once the vulnerability has been resolved, we welcome requests to disclose and acknowledge your report. We would like to unify our guidance, so please do continue to coordinate any proposed public release with us.
5. Guidance
5.1 You must NOT:
- Break any applicable law or regulations.
- Access customer or employee personal information or DAZN’s confidential information. If you accidentally access any of these, please stop testing and submit the vulnerability.
- Access unnecessary, excessive or significant amounts of data.
- Modify or destroy data in DAZN’s systems or services.
- Use high-intensity invasive or destructive scanning tools to find vulnerabilities.
- Attempt or report any form of denial of service, e.g. overwhelming a service with a high volume of requests.
- Disrupt or degrade our services, systems or the DAZN user experience.
- Communicate any vulnerabilities or associated details other than by means described in this policy.
- Social engineer, ‘phish’ or physically attack our staff or infrastructure.
- Demand financial compensation in order to disclose any vulnerabilities.
- Include any of DAZN’s internal data with your report.
5.2 You must:
- Stop testing and report the issue immediately if you gain access to any non-public application, non-public credentials, or non-public services and systems.
- Always comply with applicable data protection legislation and not violate the privacy of our users, staff, contractors, services or systems. You must not, for example, share, redistribute or fail to properly secure data retrieved from DAZN’s systems or services.
- Securely delete all data retrieved during your research as soon as it is no longer required or within one (1) month of the vulnerability being resolved, whichever occurs first (or as otherwise required by applicable data protection law).
6. Legalities
6.1 By submitting a report to DAZN, you agree to keep the subject matter of the report, as well as all subsequent related conversations with DAZN, strictly confidential. This allows DAZN the opportunity to investigate and take action as needed.
6.2 This policy is designed to be compatible with common vulnerability disclosure good practices. It does not give you permission to act in any manner that is inconsistent with applicable law, or which might cause DAZN to be in breach of any applicable legal obligations, including but not limited to:
- The General Data Protection Regulation 2016/679 (GDPR) (including as transposed into UK law by the European Union (Withdrawal) Act 2018 (UK GDPR)) and the UK Data Protection Act 2018.
6.3 Please note that this policy does not provide any form of indemnity for any actions if they are either in breach of applicable law or of this policy. It does not provide any indemnity from either DAZN or any third party.
6.4 To the extent compatible with DAZN’s legal obligations, we will not take civil action against or seek prosecution of security researchers who report any bugs and security vulnerabilities on our product, service or system, where the researcher has acted in good faith and at all times in compliance with this policy.
7. Feedback
7.1 If you have any questions about responsible disclosure or wish to provide feedback on this policy, then please contact us via the submission email in Section 3.1 above. The policy will evolve over time with best practices and lessons learnt; therefore, your input is encouraged and will be valued to ensure that this policy remains clear, complete, and relevant to anyone using it.