If you have found a security bug in an Oddschecker (part of Sky Betting & Gaming) product and want to report it to us, you've come to the right place.
Our security philosophy
As a provider of a wide range of exciting betting and gaming products, we recognize how important it is to help protect the privacy and security of our customers while making use of one of our services. We understand that secure products are key in earning and maintaining the trust that our customers place in us.
Oddschecker takes the security of our products and services very seriously. We educate our staff on security best practices and our development process includes peer review and penetration testing to help ensure that our products delivered are secure and of a high quality. However, like all complex software, it is possible for a security vulnerability to make it into one of our products despite our best efforts.
Who should I report vulnerabilities to?
If you discover a security issue in a Oddschecker product or service, we ask that you report it to us confidentially in order to protect the security of our services. Please email the details to our security team at firstname.lastname@example.org. We will investigate all reports and do our best to quickly fix valid issues.
What issues can I report?
We welcome reports of all security vulnerabilities, including:
- Web security problems (e.g. cross-site scripting and SQL injection problems)
- Game exploits (e.g. insta-win bugs or third party game modifications)
- Other security concerns (e.g. infrastructure security problems, information disclosure issues)
What details should you include when reporting a security issue?
Please provide as many relevant details as you can. In particular:
- What product or site was involved
- What steps someone can follow to go from an initial browser load to a point where they see the vulnerability
If you are a professional penetration tester or other technical user then please additionally provide any of the below additional detail
- Type of issue (buffer overflow, SQL injection, cross-site scripting, etc.)
- Proof-of-concept or exploit code
- Target URL, domain, host, port etc
- Your client system OS, browser/toolset etc, and versions of each.
- Traces and command output if relevant
- Sample packet captures or HTTP responses, headers etc
- Cookie values, browser user agents used etc
- Any special client-side tools or configuration needed to report the issue
- Copies of payload (HTTP request, XML/data payload)
- Links to associated CVE IDs for the vulnerability, if relevant
Can I use automated scanning tools to look for vulnerabilities on your sites?
No, we expressly forbid the use of automated scanning tools against our products and services, since they can cause high volumes of requests that may impact our other customers.
How quickly will you get back to me?
You should receive a response from our security team within 24 hours acknowledging receipt of your report. We take security issues seriously and will respond swiftly to triage and confirm verifiable security issues. After confirming the issue is genuine, we will assign resources to further investigate the issue and fix problems as quickly as possible. Please note that some of our products are complex and may take time to update. We undertake to do our best to update you with a timeline for resolving the issue.
Can I reveal details of the vulnerability to others?
We ask that vulnerabilities discovered are handled in a way that obtain the best outcome for our customers, and specifically that anyone discovering a vulnerability follows responsible disclosure practices, including:
- They do not publish the vulnerability prior to Oddschecker releasing a fix for it
- They do not divulge exact details of the issue publicly, for example, through exploits or proof-of-concept code
In return, we commit to making it easy for you to report a vulnerability and to keep you updated as to the progress of the resolution. We do not operate a formal bug bounty programme, and are unable to offer any financial reward to anyone reporting a vulnerability to us.