Dapper Labs Responsible Disclosure Program
Dapper was built from the ground up with security in mind. Our code, infrastructure, and development methodology help us keep our users safe.
We appreciate and encourage the security researcher community to report potential vulnerabilities in our assets.
Guidelines for Responsible Disclosure
If you identify a vulnerability, please notify us using the following guidelines.
Things To Do:
- Make every effort to avoid unauthorized access, use, downloading, destruction, or disclosure of personal or confidential information.
- Avoid actions which could impact user experience, disrupt production systems, change, or destroy data during security testing.
- Use our provided communication channels to report vulnerability information to us.
- Keep information about any vulnerability you discover confidential between us for a reasonable time that will allow us to review and resolve the vulnerability or until we have notified you that the vulnerability has been resolved.
- Only test assets covered by the “Assets In Scope” section.
Things Not To Do:
- Do not include Sensitive Data in your reports. See the “Sensitive Data” section for further information.
- Do not perform any attack that may cause denial-of-service to the network, hosts, applications, or services on any port or protocol.
- Do not use automated scanners to crawl us or hammer endpoints.
- Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
- Do not perform physical testing such as office and data-center access (e.g., open doors, tailgating, card reader attacks, or physically destructive testing).
- Do not test assets explicitly listed in the “Assets Out of Scope” section.
Assets In Scope
To be eligible for a reward, you may report a vulnerability in one or more of the following Dapper assets:
- NBA Topshot Mobile App for both iOS (AppStore) and Android (PlayStore) platforms
Assets Out of Scope
The following assets are excluded from the Responsible Disclosure Program:
- staging environments ("staging" will be in the URL)
In the interests of protecting privacy, we never want to receive reports containing:
- Personal Information
- Payment card data (e.g. credit card numbers)
- Financial information (e.g. bank account numbers)
- Accessed or cracked credentials in cleartext
Exclusions (Non-Qualifying Vulnerabilities)
The following vulnerabilities are excluded from this program:
- Clickjacking on pages with no sensitive actions.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
- Attacks requiring MITM or physical access to a user's device.
- Use of a known-vulnerable library without evidence of exploitability.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service or denial-of-service attack (DoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
- Rate limiting or brute force issues on non-authentication endpoints.
- Missing best practices in Content Security Policy (CSP).
- Missing HttpOnly or Secure flags on cookies.
- Missing email best practices (Invalid, or incomplete SPF/DKIM/DMARC records, etc.)
- Vulnerabilities only affecting users of outdated or unpatched browsers (i.e., less than two stable versions behind the latest released stable version).
- Software version disclosure, banner identification issues, or descriptive error messages or headers (e.g., stack traces, application, or server errors).
- Issues that require unlikely user interaction.
- Social engineering of Dapper staff or contractors.
Our Commitment To You
Activities conducted in accordance with the Responsible Disclose Program shall be considered authorized, and we will not initiate legal action against you. Dapper reserves all legal rights in the event of noncompliance with this program.
We will work with you and investigate and resolve vulnerabilities within a reasonable timeframe.
We reserve the right to change the Responsible Disclosure Program at any time.
Rewards are based on the severity of the vulnerability. Reward amounts, if any, will be determined by us in our sole discretion. A maximum of $1M of rewards per person or organization shall be paid within any 12 consecutive months based on the reward value at time of payment. Additionally, all bounty rewards are subject to applicable law.
To qualify for a reward, the vulnerability must fall within our Assets In Scope, comply with our Responsible Disclosure Guidelines, and meet the following criteria:
- Previously unknown - When reported, we must not have already known of the issue, either by internal discovery or other report.
- Material impact - Demonstrable vulnerability where, if exploited, the vulnerability would materially affect the confidentiality, integrity, or availability of our assets.
- Requires action - The vulnerability requires some mitigation.
- Your participation is not prohibited by applicable law.
Reporting Vulnerabilities To Us
Please report any vulnerabilities to us at [email protected].
If you prefer to encrypt the information you send us please use our PGP key at OpenPGP Key Server.
Please include the following details with your report:
- A description of the location and potential impact of the vulnerabilities;
- A detailed description of the steps required to reproduce the vulnerability; and
- Any proof of concept, screenshots, and screen captures, where feasible.
Please respond to any follow-up requests from our team for updates or additional information.