Vulnerability Disclosure Policy
Public
08/2024
At Sport Heroes, we prioritize the security and privacy of our customers. We recognize and
appreciate the valuable contributions made by security researchers who responsibly disclose
vulnerabilities to us. This policy outlines the terms under which you may conduct security
research on our digital assets and the process for reporting vulnerabilities.
Authorized Research Activities
To ensure your research is considered authorized under this policy, you must:
1. Act in Good Faith: Conduct all research with the intention of improving the security of
Sport Heroes and our customers. Avoid any actions that could damage or negatively
impact our systems, applications, or data.
2. Prompt Notification: Notify Sport Heroes immediately upon discovering a real or
potential security issue. This helps us address vulnerabilities swiftly and minimize
potential harm.
3. Public Disclosure: You may only disclose the vulnerability publicly after we have
deployed a fix, and only with our mutual agreement. This agreement will outline the
timing and details of the disclosure to ensure it aligns with our security protocols.
Prohibited Actions
To protect our systems and the data of our customers, you must not:
1. Unauthorized Data Access: Access, modify, or remove data from accounts you did not
create. Respect the privacy and security of data that does not belong to you.
2. Destructive Testing: Use high-intensity invasive or destructive tools that could cause
harm to our systems or data.
3. Low-Quality Submissions: Submit reports that are of low quality, such as those
containing only the results of automated scanners without additional analysis or context.
4. Restricted Testing Methods:
   - Denial of Service (DoS or DDoS) attacks, or any other activity that impairs
     access to our systems or damages data.
   - Physical testing, including attempts to gain unauthorized access to our office
     spaces or equipment.
   - Social engineering tactics, including phishing or any other form of non-technical
     vulnerability testing.
   - Unauthorized disclosure of findings to any third party without prior written consent
     from Sport Heroes.
5. Exploitation of Vulnerabilities: Do not exploit vulnerabilities beyond what is necessary
to confirm their existence. This includes:
   - Compromising or exfiltrating data.
   - Establishing persistent access or command-line control.
   - Pivoting to other systems.
If you are uncertain about the extent of testing required, report the issue to us first.
Scope of the Policy
This policy applies to all digital assets owned, operated, or maintained by Sport Heroes. This
includes, but is not limited to, our websites, applications, and APIs. However, it excludes
third-party services that can be accessed through our subdomains or are integrated with our
products. Researchers should refrain from testing these third-party services.
Reporting Vulnerabilities
If you discover a vulnerability, you can report it to us via email at: security@sportheroes.com.
If your report contains sensitive information, you can encrypt your communication using our
public PGP key.
Please include detailed information about the vulnerability, including steps to reproduce it, any
potential impact, and any proof-of-concept code or screenshots. This will help us understand
and address the issue more effectively.
Recognition and Rewards
Sport Heroes may offer recognition and rewards to researchers who responsibly and ethically
disclose security vulnerabilities in accordance with this policy. The reward amount, if any, will be
determined at our discretion based on factors such as the severity and impact of the
vulnerability, and the quality of the report.
Conclusion
By conducting security research on Sport Heroes' systems, you agree to comply with this
Vulnerability Disclosure Policy. Any actions that fall outside the boundaries of this policy may
result in legal action or other consequences. We value your contributions and are committed to
working with you to keep our systems secure.
Thank you for helping us protect our community.