Bug Bounty Program / Reporting Security Issues

No technology is perfect, and Showmax believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you’ve found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Disclosure Policy and Rules of Participation

  • Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
  • You may only test against accounts you have created.
  • You must not attempt to gain access to, or interact with, any accounts other than those created by you
  • Rules for reporting must be followed
  • This program is not open to minors, individuals on sanctions lists or individuals in countries on sanctions lists
  • Showmax reserves the right to modify the rules for this program or deem any submissions invalid at any time. Showmax may cancel the Bug Bounty program without notice at any time.

Eligibility

Scope of bug hunting project is limited to services directly provided by Showmax. Such as web, api, native applications. Please note that bugs in third-party components only qualify if you can prove that they can be used to successfully attack Showmax.

Eligible services/products:

Out of scope: We don’t consider 3rd party services as eligible for this program (for example https://help.showmax.com which is hosted by 3rd party).

Vulnerability Categories We Encourage

We are primarily interested in hearing about the following vulnerability categories:

  • Authentication related issues (e.g. authentication bypass for login to My Account)
  • Authorization related issues (e.g. authorization bypass for asset playback)
  • SQL Injection (SQLi)
  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Data Exposure
  • Redirection Attacks
  • Remote Code Execution
  • Particularly clever vulnerabilities or unique issues that do not fall into explicit categories

Out of Scope Vulnerability Categories

The following vulnerability categories are considered out of scope of our responsible disclosure program and will not be eligible for credit and/or bounty.

  • SSL vulnerabilities related to configuration or version
  • Denial of Service (DoS)
  • User enumeration
  • Brute forcing
  • Secure flag not set on non-sensitive cookies
  • HTTPOnly flag not set on non-sensitive cookies
  • Logout Cross Site Request Forgery (CSRF)
  • Issues only present in old browsers/old plugins/end-of-life software browsers
  • HTTP TRACE method enabled
  • Vulnerability reports related to the reported version numbers of web servers, services, or frameworks
  • Clickjacking on pages without authentication and/or sensitive state changes
  • Vulnerability reports that require a large amount of user cooperation to perform unlikely or unreasonable actions which would be more symptomatic of a social engineering or phishing attack and not an application vulnerability (e.g. disabling browser security features, sending the attacker critical information to complete the attack, guiding the user through a particular flow and requiring them to enter malicious code themselves, etc.)
  • Any physical attempts against Showmax property or data centers
  • Social engineering (including phishing) of Showmax staff or contractors
  • Spamming

Indemnification

Showmax will not pursue legal action against security researchers who follow the guidelines outlined in this document and responsibly disclose vulnerabilities to us.

How to report security issue

Please use HackerOne platform or email security-report@showmax.com. If you feel the email should be encrypted, our PGP key is

``` —–BEGIN PGP PUBLIC KEY BLOCK—–

mQENBFgcfOQBCADZB4Farb/Qepk2rFuv+DK0qexEvMl+KLno74c4pdY90xIDXSsi RdyV5ysuNXMQGFgrcKWgLxeTwEYTlktzgbHfxNWpdfyPp5GHpS0OXkDng1HIujy/ DYyNu+wlYE61mwrEpd3VYL54t0+y+OiioQXV0PXATvvN4zhDWuj8WHJgubqxlMAk j2kx0yviO3R6NKRfPDAV1GMUMUwaaZBDRWgJ0AkEeWkZYLQi9Q/aIj3SJx9Zipvv LLpz2CvAR6k9TDDusTjIFazih6vwFzo93amzg5mFHfZYcGIRmCaEydb48v76ggNE vhPS2qUvf/D+6Mpl3b5YkY8xfW38Iw8QGqDzABEBAAG0J1Nob3dNYXggU2VjdXJp dHkgPHNlY3VyaXR5QHNob3dtYXguY29tPokBNwQTAQgAIQUCWBx85AIbAwULCQgH AwUVCgkICwUWAgMBAAIeAQIXgAAKCRBdAKhLmB5ZffzTB/sG4vJy2R9eh/b/8oQv EbA5jVyOurF9JE31JhXxraCjf6pP2sHm3BDBJmTKP+zKUp9cKwtLJK5ld0awc+ym fjE6JTOVLIfdD/sTAwgtFSt8KrH01mvYL1EShpuhk0T7mD+757Y/+nsQl471mv6V UVKCk3mz5QZ0Nb1Qi72YfhkXNXUSdnKbEAMDKMjBxx1y48GtkeBrLUm1btPtO1vY KIsthrr0D6AyAkHn3oIirgNPjabG9MtW6edKkAf7BuWRz5uFOdlzfVu+Gf2j4+Fs AhkVZpZoRM/yd4rxmYwEURvyOQvNVr2QFtYNmU+63yyNZkijVAEnLiv/vJiC1ZD8 oIKLtDVTaG93TWF4IFNlY3VyaXR5IFJlcG9ydCA8c2VjdXJpdHktcmVwb3J0QHNo b3dtYXguY29tPokBNwQTAQgAIQUCWBx9IwIbAwULCQgHAwUVCgkICwUWAgMBAAIe AQIXgAAKCRBdAKhLmB5ZfcGNCACqURSx78pmcR+FuVOgv0fkbLVw+AEDt6YOj98W dAjSVhrlJJR8rJmubGFQC5LSNS8Z58ZbMnnTyEliBtRMRUvT3MivxoBU3GQOieeg I05g+8L7d+5wyvPQkeEVjtqTAFrzwRWwnLws0+iif/ZFg6XJ7BT7tOY751uw/CxZ a3wj88CnxGaD/JivvpYoQy0CWNVrnX/jPCyClELiA4U6UixiJEMZzwD3MAumkQfa Ik5ZKD8xMJsj4+JEvFmgzq76tFAcEOdK6ay4AC3W5Ar+YyRPIRYGVnZVbJ0jw5sr 5IHUPJmoV2F++FePgCsuJb7HiigHbojxpRF5mhYAwKTOsnOtuQENBFgcfOQBCADu pUKUIGrFwyGZGa+GOnM9Zlh3ilathnvA+nb2+b1wJ4XMcTRI583l6zFJJ/RUUTve l8/TMoG9UxP6+rFyGccUNTRMK6+lIWkBUOdRRkAZhyNrud0cTEuTUUx4jXdrxgB6 0OSeb1wHg5L0rafhjRPOX6dD+ZpDnKgd067VQHDZznRbd/AaZyRN2y1mPVbLi2L4 dpRGTQywffqGlTIoo6V1bPJuaRusYIm7MrVHZRCWX6LozwTJtA+6d5dMcMG74P+c 1yoiCNiKEJ9rxWC3/9onYnSAmQiKFzfZ+p/z7cuo42SkMUM4qUWlZZnn22GPgd75 9ONhQlOi8YHQeztx78v/ABEBAAGJAR8EGAEIAAkFAlgcfOQCGwwACgkQXQCoS5ge WX2OqQf9H8wZtlVvrfRFkNhjTn7EA7UpaHANMvXUspAgQXvRsGgjYU5OhndZe0Ky GN+eWdTwNbqYENJBfu8AChxVLNcYeWRWwJgUu76XdoDPmTF0WVgGUSxMLg2VY+Yk Q7w7qnmX/UGWn+k5N7mrYU0KEecfRtcgYrY/MkZvEf3bVaI49VH6gh4E9r30xaQZ +c2RgZ8z3nyhABakKLJ952ELNVND3iq/nIWpGIFZ7f4y9nLkLP1BUmNwGmhh9nq5 Tmm6d8zGzlDuYPXk/FqsKUWEM40ko6F5B3wONmshA7emF+rv1xGD6L7yQcQE79CC /8IjPllUzpaUdp/BQTSPPDv/67f1QA== =dJkG —–END PGP PUBLIC KEY BLOCK—– ```

Thank you for helping keep Showmax and our users safe!

Cover image by Negative Space. It features Prague Castle Guards.