MPL – Vulnerability Disclosure Program

We, at Mobile Premier League (MPL), are always committed to our users' safe and secure playing experience. Our app goes through multiple levels of internal security checks before it is released to users.

We, at MPL, believe users' security is the most important thing, and we do not compromise on it in any way. We take the security of our users very seriously and strive to investigate and resolve all reported vulnerabilities and exploits. If you believe you have discovered a potential security vulnerability in the MPL Gaming Platform, we appreciate your help in disclosing the issue to us responsibly. We try to be as transparent as possible about our security efforts so that you can stay informed and take action when needed.

MPL has always been a Security First Organisation. To ensure maximum security, we have the following security guidelines to safeguard our users:

  1. Do not share your OTP with anyone. MPL never asks users for an OTP.
  2. MPL Fairplay helps our users play the game in an organic fashion, making sure no fraud is committed against them.
  3. If we ever find that a user has been compromised in any way, MPL will investigate the case thoroughly.
  4. As per the MPL Fairplay policy, we block fraudsters whenever we see something suspicious.
  5. Never respond to any emails/calls claiming to provide cash/hacks. MPL takes no responsibility for any consequences of doing so.
  6. MPL will never ask for sensitive information (such as credit card numbers, OTPs, bank account details or any Personally Identifiable Information) via calls/emails.
  7. Our customer support can only be reached via the app. Please do not engage with phone numbers that claim to be of our support team.

If you discover a bug, we appreciate your cooperation in responsibly investigating and reporting it to us so that we can address it as soon as possible.

Eligibility:

  • Must be at least 18 years of age.
  • Should not have any blackhat background or criminal cases linked to them.
  • Must not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to your participation in the Program.
  • Must be the first person to report.
  • Detailed Proof of Concept is required in order to be eligible for a reward.

General Rules – Do/Don’ts

  • Vulnerability found should be in the scope of this policy.
  • Any POC submitted should include a proper step-by-step guide to reproduce the issue.
  • Abuse of any vulnerability found shall be subject to legal penalties.
  • Do not launch Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.
  • Automated tools/Scripts which produce heavy traffic are prohibited.
  • Do not attempt to gain access to any other person’s account, data or personal information.
  • Use your real email address to report any vulnerability information to us.
  • Keep information about any vulnerabilities you have discovered confidential between yourself and MPL. The Researcher shall not publicly disclose the bug or vulnerability on any online or physical platform before it is fixed and prior written approval to publicly disclose it has been obtained from MPL.
  • Do not use scanners or automated tools to find vulnerabilities.
  • Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
  • Zero-day vulnerabilities or recently disclosed CVEs will not be considered eligible until more than 90 days have passed since a patch became available.

Scope:

  1. MPL Pro Application – Android & iOS
  2. MPL: Fantasy Cricket & Rummy (PlayStore)
  3. MPL Originals – Carrom Champs & Pool Champs.
  4. Poker Web – poker.mpl.live

Note: Please download the MPL Pro Android app from our official website, MPL Fantasy Cricket & Rummy from the Android Play Store, and the iOS app from the Apple App Store.

Rewards:

As a token of our gratitude for your assistance, we offer a reward for every report of an important security problem that was not yet known to us. The amount of the reward will be determined by us, based on the severity of the vulnerability and the quality of the report. Any rewards will be conditional on accepting our Responsible Disclosure Terms.

Out of Scope/Known Issues:

  1. HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  2. Fingerprinting / banner disclosure on common/public services.
  3. Disclosure of known public files or directories (e.g. robots.txt).
  4. TapJacking/Clickjacking and issues only exploitable through TapJacking/Clickjacking.
  5. Social engineering of our service desk, employees or contractors.
  6. Missing HTTP security headers (see https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
    1. Strict-Transport-Security
    2. X-Frame-Options
    3. X-XSS-Protection
    4. X-Content-Type-Options
    5. Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
    6. Content-Security-Policy-Report-Only
  7. SPF / DMARC / DKIM Mail and Domain findings.
  8. Email rate limiting or spamming.
  9. SSL Issues, e.g.
    1. SSL Attacks such as BEAST, BREACH, Renegotiation attack
    2. SSL Forward secrecy not enabled
    3. SSL weak/insecure cipher suites
  10. Non-application layer Denial of Service or DDoS
  11. Cookie issues, e.g.
    1. Missing HttpOnly flag
    2. Missing Secure flag
    3. Setting multiple cookies
    4. Anything to do with JSESSIONID
  12. CSRF on forms that are available to anonymous users (e.g. login or contact form).
  13. Logout / Login Cross-Site Request Forgery (logout CSRF).
  14. Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  15. Error messages with non-sensitive data.

Focus Area:
1. Steal, Cheat & Lie! Can you get cash without playing the games? Can you alter the game state to win? Can you post outrageous scores? Even something that just gives you an unfair advantage would be good to find.

2. Target other players on the platform. Personal Identifiable Information of other players could be a P2 or even P1 if there is enough of it. Can you take over accounts? Can you dump user data?

Hall of Fame
Our Hall of Fame page recognizes the contributions of reporters who have demonstrated a high level of dedication to our program.
Acceptance requires multiple valid reports and remains at the discretion of our team.

How will we respond?

If you report a security vulnerability relating to any of our scope specified above, we will treat your inquiry as follows.

  • We will confirm receipt of your report within two business days.
  • We will send you our response within five business days from the confirmation of receipt, setting out our assessment of the issue and the expected resolution date. In some special circumstances, we reserve the right to extend this period by giving appropriate notice.
  • We will respect your privacy and keep your identity confidential unless you allow otherwise, and we expect you to do the same.

How to Report

Submission Form

Terms & Conditions

Contact Us:

Feel free to write to us if you have any suggestions/queries.
Email: bugbounty@mplgaming.com