Swisslos (Vulnerability Disclosure Program)
Description
Swisslos offers lotteries, sports bets and instant tickets in the entire territory of German-speaking Switzerland, in Ticino and in the Principality of Liechtenstein. It structures its range of games in an attractive and responsible manner. Swisslos transfers its entire net profit to the mandating cantons and the Principality of Liechtenstein to support public causes.
Rules
Please note: This is a Vulnerability Disclosure Program, no bug bounties are paid out.
The organisation operates various services (platforms, services). But only services from explicitly listed domains / URLs are in the scope of the program. All other domains or explicitly listed services are therefore not eligible for reward and do not fall under the Legal Safe Harbor Agreement.
By participating in this program, security researchers undertake to document information about any vulnerability found exclusively via the platform's designated reporting form and not in any other places. They also agree to keep the found vulnerability secret after reporting it on the platform. Finally, they undertake to upload to the platform any data from customers that they have obtained as part of the test and to delete any local copies afterwards and not to distribute them further.
If a vulnerability provides unintended access to data: Security researchers have to limit the amount of data they access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if they encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;
Hacking Methods
In participating in the program, security researchers agree not to use methods that would adversely affect the tested applications or their users. These include:
- Social engineering
- Spamming
- Phishing
- Denial-of-service attacks or other brute force attacks
- Physical attacks
In addition to the prohibited hacking methods listed above, security researchers are required to immediately discontinue vulnerability scanning if they determine that their conduct will result in a significant degradation (negative impact on regular users or on the operations team) of the Platform's or Service's operations.
Qualified vulnerabilities
Any design or implementation problem can be reported that is reproducible and affects security.
Typical examples:
- Cross Site Request Forgery (CSRF)
- Cross Site Scripting (XSS)
- Insecure Direct Object Reference
- Remote Code Execution (RCE)
- Injection Flaws
- Information Leakage an Improper Error Handling
- Unauthorized access to properties or accounts
Other examples:
- Data/information leaks
- Possibility of data/information exfiltration
- Backdoors that can be actively exploited
- Potential for unauthorized system use
- Misconfigurations
Non-qualified vulnerabilities
The following vulnerabilities and forms of documentation are generally not wanted:
- Attacks that require physical access to a user's device or network
- Forms with missing CSRF tokens (unless the criticality exceeds CVSS level 5)
- Self-XSS
- The use of a library known to be vulnerable or publicly known to be broken (unless there is active evidence of exploitability)
- Reports from automated tools or scans without explanatory documentation
- Social engineering targeting individuals or entities of the organisation
- Denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks
- Bots, spam, bulk registration
- Reports of best practices that do not directly result in an exploitable vulnerability (e.g., certificate pinning, missing security headers)
- Use of vulnerable and "weak" cipher suites/ciphers
- Missing Rate limiting without further security impact
Scopes
Not in scope: All (sub) domains and services that are not explicitly listed, are not in scope
In scope::
- *.swisslos.ch
Services operated by swisslos
Legal
- The organisation gives their approval for security researchers to use hacking methods based on the specified briefing. Due to this consent, the criminal liability criterion of unauthorized obtaining/unauthorized use and thus the criminal liability of the security researchers with regard to the criminal offenses in Art. 143 Swiss Criminal Code (Unauthorised obtaining of data) and Art. 143bis Swiss Criminal Code (Unauthorised access to a data processing system) does not apply.
- Any security researchers who betrays a manufacturing or trade secret that is under a statutory or contractual duty not to reveal, [and] anyone who exploits for himself or another such a betrayal, is liable on complaint to a custodial sentence not exceeding three years or to a monetary penalty.