
Vulnerability Disclosure Program

The privacy of our player and participant data is a top priority for Australian Cricket (AC), and we value the contributions of the cyber community in improving the security of our assets and services.

This program outlines our commitment to addressing security issues and encouraging responsible disclosure of security vulnerabilities.

Scope of this program

The scope of this program includes any products, services, websites and applications owned or managed by AC to which researchers and the public have lawful access.

This program does not authorise:

  • individuals or groups to undertake hacking or penetration testing against AC Systems;
  • physical or Social Engineering attacks or phishing;
  • Denial of Service or DDoS Attacks;
  • attempts to modify, destroy, extract or exfiltrate data;
  • any other action that is unlawful or may harm AC systems, services or people.

This program does not relate or apply to internally sourced security testing or assessments.

Reporting Vulnerabilities

If you discover a security vulnerability on our website, we encourage you to report it to us. We request that you provide us with the following information when submitting a report.

  • A detailed description of the vulnerability and its potential impact
  • Steps to reproduce the vulnerability, including any necessary tools or scripts
  • Where possible, a CVE for the vulnerability
  • Your contact information (email address and/or preferred means of contact)
  • Your preferred name/alias for recognition

Guidelines

  • We encourage you to make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services
  • Do not disclose the vulnerability to the public before it has been resolved
  • Do not engage in malicious activities

How to report

Please submit your vulnerability report via email to vulnerabilitydisclosures@cricket.com.au. You may use encryption when submitting sensitive information.

Security.txt

We publish a security.txt file containing our contact details and information on how to report security vulnerabilities. It is located at https://www.cricket.com.au/.well-known/security.txt. We encourage you to review this file for specific guidance on responsible disclosure.

Our commitment

Upon receiving your report, we will:

  • Provide you with a written acknowledgement within 5 working days
  • Investigate and confirm the vulnerability's existence within 10 working days
  • Notify you of the steps being taken to address the issue and an estimated timeline for resolution
  • Keep you updated on our progress and notify you when the issue is resolved
  • Possibly ask you to retest the vulnerability to confirm that it has been resolved

Recognition

We value the assistance of security researchers and ethical hackers. We maintain an acknowledgement register on our website to recognise their contributions.

Feedback and Questions

If you have any questions, feedback or concerns regarding this policy, please contact us at vulnerabilitydisclosures@cricket.com.au.

Policy changes

This policy is subject to change as the landscape evolves. Any modifications will be posted on our website, and we encourage you to review this policy periodically.

Australian Cricket entities reserve the right to modify this policy at any time.

Acknowledgements

  • Gaurang Maheta
  • Keyur Maheta