Responsible disclosure
At the Norwegian Postcode Lottery, our customers, and hence the security of our systems, are our top priority. If you believe you have discovered a vulnerability that may impact the security of our systems, we would be grateful to receive information about it. Please submit your findings via our Responsible Disclosure Report-system. You will find the link below.
Please do the following:
- Report the vulnerability as quickly as is reasonably possible, to minimise the risk of hostile actors finding it and taking advantage of it.
- Report in a manner that safeguards the confidentiality of the report so that others do not gain access to the information.
- Provide sufficient information to reproduce the problem, so we will be able to resolve it. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient. However, complex vulnerabilities may require further explanation.
Please do not:
- Reveal the vulnerability or problem to others until it is resolved.
- Copy, modify or delete data in the system.
- Use distributed denial of service or denial of service, brute force attacks, social engineering, spam or applications of third parties to gain access to the system.
- Abuse the vulnerability. If this happens we may have to pursue legal action.
What we promise:
- We will respond to your report within five business days with our evaluation of the report and an expected resolution date. We will keep you informed of the progress towards resolving the problem.
- If you have followed the instructions above, we will not take any legal action against you concerning the report.
- You may report under a pseudonym or anonymously.
- If you choose to state your name, we will not pass on your personal details to third parties without your permission, unless it is necessary to comply with a legal obligation.
- You may refuse publication of your name in any publication of information regarding reported issues.
- We strive to resolve all problems as quickly as possible, and we would like to be the sender of any publication on the problem.
Qualifying vulnerabilities
We define qualified vulnerabilities as follows: Web application vulnerabilities such as XSS, XXE, CSRF, SQLi, Local or Remote File Inclusion, authentication issues, remote code execution, authorization issues and privilege escalation. These qualified vulnerabilities must have an impact on the security of the web application and pose an increased risk for our customers. In order for us to be able to, among other things, state your name in any publication, you must be the first researcher to responsibly disclose the vulnerability.
Each submission will be evaluated on a case-by-case basis. Below is a list of some of the issues which don’t qualify as security vulnerabilities:
- Reports of old software versions
- Missing best practices
- Use of components with known vulnerabilities without a relevant PoC of an attack
- Automated tool scan reports. Example: Web, SSL/TLS scan, Nmap scan results etc.
- Self-XSS and XSS that affects only outdated browsers
- UI and UX bugs and spelling mistakes
- TLS/SSL related issues
- SPF, DMARC, DKIM configurations
- Vulnerabilities due to out of date browsers or plugins
- Content Security Policies (CSP)
- Vulnerabilities in end of life products
- Lack of secure flag on cookies
- Username enumeration
- Vulnerabilities relying on the existence of plugins such as Flash
- Flaws affecting the users of out-of-date browsers and plugins
- Missing security headers such as, but not limited to, "content-type-options", "X-XSS-Protection"
- Missing CAPTCHAs as a security protection mechanism
- Issues that involve a malicious application installed on the device
- Vulnerabilities requiring a jailbroken device
- Vulnerabilities requiring physical access to mobile devices
- Use of a known vulnerable library without proof of exploitability
- Click/Tap-jacking and UI-redressing attacks that involve tricking the user into tapping a UI element
- Host header and banner grabbing issues
- Denial of Service attacks and Distributed Denial of Service attacks
- Rate limiting, brute force attacks
- Login/logout/low-business impact CSRF
- Session fixation and session timeout
- Formula/CSV Injection
Other information:
- No financial compensation is paid for information submitted in accordance with the above.
Thank you for your contribution.