Sportradar VDP Pro

The security and the safety of our information systems and assets is our top priority. We at Sportradar actively encourage anyone who believes they have discovered a vulnerability (or a “weakness” or an “issue” or a “bug”) in our systems to act immediately to help us improve and strengthen the safety of our systems by sharing
it with us.

We are thankful to you for taking the time to report to us the weaknesses that you discover if it is done so in adherence to the following responsible disclosure guidelines as stipulated under this Policy. Good luck, and happy hunting!

Ratings/Rewards:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be further modified in accordance with its likelihood to occur, at Sportradar’s own discretion. In any instance where an issue is downgraded, a full, detailed explanation will be provided to you.

Rules of Engagement

• Do not intentionally access non-public Sportradar data any more than is necessary to demonstrate the vulnerability. For example, 2 or 3 records is enough to demonstrate most vulnerabilities (such as an enumeration or direct object reference vulnerability)
• Do not permanently modify or delete Sportradar hosted data
• Do not DDoS or otherwise disrupt, interrupt or degrade our internal or external services
• Do not put a backdoor in the system, not even for the purpose of showing the vulnerability
• Do not share confidential information obtained from SportData - Social engineering is out of scope.
  
• Do not send phishing emails to, or use other social engineering techniques against, anyone, including Sportradar staff, members, vendors, or partners
• Do not utilise any brute-force techniques (e.g. repeatedly entering passwords) in order to gain access to the system
• Do not attack, in any way, our end users, or engage in trade of stolen user credentials. However, should you become aware of such trade, we would certainly appreciate being informed
• Do not disclose any vulnerabilities in Sportradar systems/services to 3rd parties/the public prior to the Sportradar confirming that those vulnerabilities have been mitigated or rectified.
• For any issues reported; detail the type of issue, any versions or URL’s that are vulnerable to it, methods to reproduce the issue, as well as the impact and exploitability of it.
• If reporting XSS issues (in particular) detail the browser type and version used, together with any other relevant information (URL, fields, input provided, etc.).
• Identify HTTP requests used during testing only with a custom HTTP header with the format X-Security-Testing=email_address_at_domain.tld .\
• Report acceptance and the determination of reported findings is at the sole discretion of Sportradar. This includes if, how and when any vulnerability is publicly disclosed.

Remediation policy

We aim to remediate reported vulnerabilities as soon as possible, with higher priority given to higher severity bugs reported. We aim to remediate all accepted reports within 90 days. If we do need more time to fix a reported bug, we will notify the security researcher.

Disclosure of vulnerabilities is only accepted after the vulnerability has been remediated and the report has been closed by our security team. If this takes more than 90 days, the security researcher will be notified both of the delay, and when the vulnerability has been remediated.