Security & Disclosure

At ESL FACEIT Group we fully support responsible disclosure of security vulnerabilities.

If you discover a security vulnerability in any of our online products, brands, services or IT systems please disclose it to us and give us time to respond and solve the issue.

We may reward legitimate vulnerability reports with bounties, scaled to the impact of the issue and the difficulty of finding it.

Scope

Third party vendors

If the vulnerability is in the services of a third-party vendor that we use, please contact that vendor first, and only contact us if they did not address the vulnerability AND you believe we are at particular risk.

Corporate IT systems or other

If the vulnerability relates to access to our corporate IT systems, or you are in doubt about where to report it, please send your report to security@efg.gg.

Our products & services

If the vulnerability relates to a product or service that we build and operate ourselves (such as faceit.com), please send your report via this form or by emailing disclosure@efg.gg.

This includes the following products, brands and services, which use (but are not limited to) the domains and subdomains listed below:

  • ESL FACEIT Group: eslfaceit.com, efg.gg, eslfaceitgroup.com
  • Badlion: badlion.net
  • CSGOStats: csgostats.gg
  • DreamHack: dreamhack.com
  • DreamHack Sports Games: dreamhacksportsgames.com
  • ESEA: esea.net, esportsea.com
  • ESL / ESL Gaming: esl.com, eslgaming.com, intelextrememasters.com, esl-one.com
  • FACEIT: faceit.com
  • Vindex: products and services owned or operated by Vindex are excluded from this policy. This includes, but is not limited to, vindex.gg, letsplay.io and esportsengine.gg. Please contact Vindex directly via hello@vindex.gg.

Other relevant brands can be found at https://brand.eslfaceitgroup.com/ 

How to responsibly disclose to us

Please include the following information in your report:

  • Your contact details (e.g. name, email address);
  • The type of vulnerability identified;
  • The service/device/application impacted by the vulnerability;
  • A detailed description of the problem encountered;
  • The IP address(es) from which the security vulnerability was identified, together with the date and time of the discovery;
  • A compressed archive (zip) with any files that can help in reproducing the flaw (e.g. screenshots, images, text files with description details, PoC, source code, scripts, pcap traces, logs, source IP addresses, etc.).


The size of the email communication should not exceed 10MB. Please contact us in advance via the email address above should you need to send an attachment that is larger than this size.

Your personal data will be processed to communicate with you regarding the vulnerability you have disclosed to us. For further details on the processing of your personal data, please refer to our privacy notice available here.

Please act responsibly in dealing with your discovery of the identified security vulnerability. Do not take any actions that go beyond what is needed to identify and verify the issue. Please do not use the identified security vulnerability to your own advantage and avoid storing any confidential data obtained as a result of the issue.

Examples of possible vulnerabilities:

  • Injection and deserialization vulnerabilities (SQL/NoSQL/LDAP injection, command injection, object deserialization)
  • Broken authentication and broken access control vulnerabilities (incorrect implementation of authentication, session management, access control)
  • Sensitive data exposure (vulnerabilities that can lead to data leakage)
  • Cross-site scripting
  • Cross-site request forgeries
  • XML external entity (XXE) injection
  • Server-side request forgery
  • Open redirects
  • Underprotected APIs
  • Known and zero-day vulnerabilities currently under the spotlight

Examples of vulnerabilities we will not consider:

We continuously monitor our internet-exposed assets to identify security issues and misconfigurations, and we therefore kindly ask that you avoid reporting the following items unless they lead to actual exploitation:

  • Historical or out-of-date content (e.g. old links, assets that are no longer relevant);
  • Weak configurations of the TLS protocol;
  • Reports of non-compliance with best practices (e.g. SPF/DKIM/DMARC configuration, content security policy, TLS misconfigurations);
  • Password length or complexity requirements;
  • Clickjacking on pages without sensitive actions or data;
  • Unauthenticated CSRF, including logout CSRF;
  • Attacks that require a chain of unlikely user interactions;
  • Attacks that do not affect up-to-date versions of modern web browsers (Chrome, Firefox, Safari, etc.);
  • Missing brute-force protection or rate limiting on non-sensitive actions;
  • Use of libraries with previously known vulnerabilities, without a working proof of concept;
  • Disclosure of information that does not pose a significant risk (UX suggestions, email notifications, etc.);
  • Content spoofing and text injection issues without a demonstrated attack vector;
  • Output of well-known automated tools or scanners.

Timeline

After you report a security vulnerability to us, we aim to respond within the following time frames, though depending on the circumstances we may extend them as necessary:

  • Within five business days, we confirm that we have received your report.
  • Within a further five business days, we confirm whether or not we could reproduce the issue, our assessment of its severity, and an estimate of when we will resolve it.


Please keep all information relating to the discovered vulnerability secret from all third parties for a period of at least six months, allowing us to identify and implement the measures needed to address the issue you have reported.

Throughout the process, your report will be treated confidentially and will not be shared with third parties without your consent, unless we are obliged to do so by law.
