The Lottery Corporation Limited (ABN 21 081 925 706) and its related bodies corporate (we, us, our) are committed to engaging with the security community to protect our customers and the public. This Responsible Disclosure Statement allows you, as a security researcher, to responsibly share your findings with us. We encourage you to report any security vulnerability you identify as quickly as possible.
Guidelines
We require that all researchers:
- Limit security vulnerability disclosure to the steps set out in the ‘Reporting a Security Vulnerability’ section below;
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data;
- Perform research only within the limits of scope set out below;
- Use the identified communication channels to report vulnerability information to us;
- Keep information about the discovery of any defects or vulnerabilities confidential between you and us until sufficient time has passed to resolve the matter, but no less than 90 days from the date of notification of the vulnerability to us;
- Only use exploits to the extent necessary to confirm a security vulnerability’s presence;
- Not post any virus or malware on any system, or otherwise use, handle, or deploy any virus or malware;
- Not use an exploit to exfiltrate data, establish command line access, establish a persistent presence on our systems, or “pivot” to other systems we own; and
- Not intentionally compromise the privacy or safety of our customers, personnel, or any third parties.
By submitting a security vulnerability, you acknowledge that you have no expectation of payment and that you expressly waive any future pay claims.
Provided that you follow these guidelines when reporting an issue to us, we commit to:
- Not pursue legal action related to your discovery and reporting of the vulnerability (in relation to any non-compliance with these guidelines, we reserve all of our legal rights);
- Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 10 working days of receipt of your submission); and
- Recognise your contribution on our Security Researcher Hall of Fame, if you are the first to report an issue that we have not already discovered, and we make a code or configuration change based on your report.
We may request further information regarding the finding, as necessary, and once a security vulnerability is resolved we will agree upon a date for you to be able to disclose your findings.
Scope
This Statement covers any product or service we own. If you aren’t sure whether a system or endpoint is in scope or not, you may contact us via email: security@thelotterycorporation.com.
Reported security vulnerabilities are in scope if they are original, previously unreported, and not already discovered by our internal procedures.
Out of Scope
Our third-party services are excluded from scope.
In the interest of safety of our users, staff, the internet at large, and you as a security researcher, the following types of tests are out of scope:
- Physical testing of facilities or services;
- Social engineering, including sending unsolicited electronic mail (“phishing”) to our staff or members;
- Producing findings via an account that does not belong to you;
- “Denial of Service” or “Resource Exhaustion” attacks.
Things we do not want to receive:
- Sensitive data, including:
  - Personally identifiable information;
  - Credit card holder data;
  - Financial information;
  - Proprietary information; or
  - Trade secrets of any party;
- Reports of minor issues relating to security “best practice”, for example:
  - Missing security headers (CSP, X-Frame-Options, etc.); and
  - Suboptimal email-related configuration (SPF, DMARC, etc.).
This Statement is intended to align with all relevant legislative requirements and does not give you permission to breach any laws nor cause us to breach any laws.
Reporting a Vulnerability
To report a security vulnerability or security defect, email security@thelotterycorporation.com.
In your email, please provide as much information as possible, including:
- A short description of the location and impact of the security vulnerability;
- Enough detail for us to reproduce your steps (Proof of Concept (‘PoC’) scripts, screenshots, supporting evidence, and compressed screen captures are all helpful to us);
- Your name/handle and a link for recognition in our Hall of Fame;
- Any suggestions you have about how to fix the security vulnerability;
- Any other relevant information.
By reporting a security vulnerability to us you consent to us collecting your researcher name and/or handle for the purpose of publishing your details in our responsible disclosure Hall of Fame (if you do not wish to have your details published, please let us know at the time of disclosure).
We request that you encrypt your report using our PGP key, and that you delete any data obtained in the course of your research as soon as it is no longer reasonably required.
If you are unsure whether your actions are in line with this Statement, please email our security team for guidance at security@thelotterycorporation.com.