Report a vulnerability
About
The security of our systems is a top priority and we take every care to keep them secure. Despite our efforts, there may still be vulnerabilities. We are keen to engage with the security community.
This policy allows security researchers to responsibly share their findings with us. If you think you have found a potential vulnerability in one of our systems or our services, please tell us as quickly as possible.
BetStop - the National Self-Exclusion Register™ (the register) cannot compensate you for finding potential or confirmed vulnerabilities. However, we can credit you as the person who discovered the vulnerability by publishing your name or alias.
This policy does not authorise security researchers to conduct security testing against BetStop - the National Self-Exclusion Register. If you think a vulnerability exists, report it to us. We can test and verify it.
What it covers
This policy covers:
- the BetStop - the National Self-Exclusion Register™ service and associated systems to which you have lawful access
- any services we provide to wagering providers, their platform providers or other users to which you have lawful access
- any services owned or operated by third parties that are utilised as part of our service that you have lawful access to.
Security research allowed
Security researchers may:
- View or store BetStop - the National Self-Exclusion Register non-public data you have lawful access only to the extent necessary to document the presence of a potential vulnerability.
- Access all BetStop - the National Self-Exclusion Register internet-accessible, public facing, systems or services.
Security researchers should:
- Upon discovery of a vulnerability or exposure of non-public data, cease testing and notify us immediately.
- Purge any stored BetStop - the National Self-Exclusion Register non-public data upon reporting a vulnerability.
Security research not allowed
Under this policy, Security researchers must not:
- Disclose vulnerability information publicly or disclose personal information to any third party.
- Engage in physical testing of facilities or resources (e.g. office access, open doors, tailgating) or any other non-technical vulnerability testing.
- Leverage deceptive techniques, such as social engineering, against our employees, contractors or any other party.
- Send unsolicited electronic messages to BetStop - the National Self-Exclusion Register users, including "phishing" messages.
- Execute resource exhaustion attacks, such as DOS (denial of service) or DDOS (distributed denial of service).
- Leverage automated vulnerability assessment tools.
- Test in a manner which could degrade the operation of our systems.
- Introduce malicious software or similar harmful software that could impact our services or users or any other party.
- Engage in unlawful or unethical behaviour.
- Reverse engineer BetStop - the National Self-Exclusion Register software or systems.
- Modify, destroy, share, or retain data stored by BetStop - the National Self-Exclusion Register, or render register data inaccessible.
- Use an exploit to exfiltrate data, establish command line access, establish a persistent presence on BetStop - the National Self-Exclusion Register systems, or "pivot" to other systems.
- Submit false, misleading or dangerous information to BetStop - the National Self-Exclusion Register systems.
- Impair, disrupt, or disable BetStop - the National Self-Exclusion Register systems.
- Access or attempt to access accounts or data that does not belong to you.
- Test third-party applications, websites, or services that integrate with or link to or from BetStop - the National Self-Exclusion Register systems.
Do not report security vulnerabilities relating to missing security controls or protections that are not directly exploitable. Examples include:
- Clickjacking, social engineering or phishing.
- Weak or insecure SSL (secure sockets layer) ciphers and TLS (transport layer security) certificates.
- Misconfigured DNS (domain name system) records including, but not limited to SPF (sender policy framework) and DMARC (domain-based message authentication reporting and conformance).
- Missing security HTTP (hypertext transfer protocol) headers (for example, permissions policy).
- Theoretical cross-site request forgery and cross-site framing attacks.
- Denial of service (DoS).
- Physical attacks against the BetStop - the National Self-Exclusion Register, our employees or property belonging to us or our employees.
- Attempts to modify or destroy data.
How to report
To report a potential security vulnerability, please use the web form to contact us.
In the webform use the Provide Feedback option and enter your report in the text box provided.
Clearly state that you are reporting a security vulnerability and include enough detail so we can reproduce your steps. For instance:
- an explanation of the potential security vulnerability
- a list of services that may be affected (where possible)
- steps to reproduce the vulnerability
- proof-of-concept code (where applicable)
- the names of any test accounts you have created (where applicable)
- your contact information (you may remain anonymous, see below).
If you report a vulnerability under this policy, you must keep it confidential. Do not make your research public until we have finished investigating and fixed or mitigated the vulnerability.
We may need to contact you for more information to resolve the concern. We will handle your report confidentially in line with our privacy policy.
You have the option to remain anonymous, however our ability to respond effectively to the vulnerability may be hampered, and we will not be able to follow up or acknowledge your contribution.
What next
Unless you have chosen to remain anonymous, we will:
- Acknowledge your report within 1 business day and respond to your report within 5 business days.
- Keep you informed of our progress, agree upon a date for public disclosure and credit you as the person who discovered the vulnerability (unless you prefer us not to).