Nine Entertainment Vulnerability Disclosure Program

  • Safe harbor

We no longer offer point rewards for submissions on this program. Please refer to our blog post: How Bugcrowd sees VDPs and points for more details.

Program stats

  • Vulnerabilities accepted 6
  • Validation within 3 days 75% of submissions are accepted or rejected within 3 days

Latest hall of famers

Recently joined this program

No technology is perfect and Nine Entertainment believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you have identified a vulnerability in one of our systems, services or products, you can report it to us through this program.


For the initial prioritisation/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Out-of-Scope / Exclusions

  • Volume related issues (e.g. brute force, rate limiting, DoS/DDoS).
  • Any attacks on our customers or end users
  • Use stolen/breached user credentials.
  • Do not modify, delete/destroy or retain Nine or Nine customers' data.
  • Social engineering, phishing, or physical testing (e.g. premises, equipment).
  • Researchers should not pursue post-exploitation unless explicitly approved.
  • Attacks against social media or third party services that Nine use (LinkedIn, Twitter, etc).
  • Vulnerabilities affecting users of outdated browsers.
  • Cookie flags ie. Secure, HTTPOnly.
  • Absent or misconfigured HTTP headers ie. Content-Security-Policy, Strict-Transport-Security, X-XSS-Protection, Cache-Control.
  • Clickjacking i.e. missing X-Frame-Options header.
  • Email configuration e.g. SPF, DKIM, DMARC.
  • Error pages i.e. verbose error messages, stack traces, invalid status codes.
  • Functional, UI and UX bugs and spelling mistakes.
  • Configuration that is not directly exploitable ie. weak TLS ciphers, password policy, session expiration, certificate pinning, Security headers divulging software version information.
  • No automated scanning
  • Non-sensitive exposed API keys e.g. Google Maps, Raygun.
  • Generic vulnerability scan results without proof of concept or a clear path to exploitation.
  • Please do not submit contact forms, create support tickets, send emails, etc. that will generate work for a human outside of the security team. Use your email if needed for research related work.

The use of personal credentials, your own or discovered, for testing purposes is allowed. If you have any questions regarding this matter, please contact


You must treat all information about our systems, staff or customers that comes into your possession or that you otherwise become aware of, which is not publicly available, as strictly confidential and not share or otherwise use it for any purpose other than responsible disclosure.


Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email We will address your issue as soon as possible.