Fanduel invites you to test and help secure our primary publicly facing assets, focusing on our web, mobile, and API applications. We appreciate your efforts and hard work in making the internet (and Fanduel) more secure, and look forward to working with the researcher community to create a meaningful and successful bug bounty program. Good luck and happy hunting!
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
We offer financial rewards of up to US$2,000 for newly discovered, validated and reproducible vulnerabilities found in line with this bounty brief. See below for the minimum reward at each severity:
Reward range

| Technical severity | Reward range |
|---|---|
| P1 Critical | $2,000 - $2,000 |
| P2 Severe | $750 - $750 |
| P3 Moderate | $300 - $300 |
| P4 Low | $100 - $100 |
Out of scope
Any domain/property of Fanduel not listed in the targets section is out of scope. This includes any/all subdomains not listed above.
- Researchers are encouraged to sign up for a free account at www.fanduel.com. When registering, please sign up for an account using your @bugcrowdninja.com email address. For more info regarding @bugcrowdninja email addresses, see here
- Additional credentials will not be issued for admin.fanduel.com or api.fanduel.com access.
Mobile applications can be downloaded at:
If you wish to test transactions, you will need to add funds via the Add Funds function. The minimum deposit is US$10. After testing, you may request a refund of your deposit by completing this form: http://goo.gl/forms/kIyb9WeRI1
Please note, adding funds is currently restricted to US and Canada residents only. In addition, residents of the following US States are not permitted to add funds:
These issues are of particular interest and will be considered for top rewards:
- Remote Code Execution
- Significant Authentication Bypass
- Cross Site Request Forgery on Critical Actions
- Cross Site Scripting (excluding self-XSS)
- Exfiltration of Sensitive Data or PII
Out of Scope:
- No findings relating to a lack of rate limiting (login, email triggering, or otherwise) will be accepted for this program