Security Research Program

Help us keep 160M+ fans safe.

Found a vulnerability on FanCode? We want to hear from you. Submit your security findings responsibly and help us protect India's largest digital sports destination.

Coordinated disclosure · Safe harbor protections apply

Program Introduction

Summary

FanCode's platform operates across web and mobile applications and uses a combination of REST and GraphQL APIs to enable seamless user journeys. Researchers are encouraged to evaluate query-level authorisation, data exposure through GraphQL resolvers, and the consistency of access controls between the web, mobile, and API layers.

If you discover a security vulnerability in any FanCode digital property, service, application, API, or associated system, you are encouraged to report it to us responsibly so we can fix it quickly and protect our users. By submitting a responsible disclosure to FanCode, you agree to follow the terms below.

Scope

Testing is authorised only for the assets explicitly listed in the scope of this program. Any domain, application, or property belonging to FanCode that is not explicitly listed as an in-scope target must be considered out of scope. This includes all subdomains, services, and endpoints that are not explicitly listed, along with staging, UAT, test, pre-production, or non-production environments.

The following are considered in scope for this Responsible Disclosure Policy:

  • FanCode websites and web applications

  • FanCode mobile applications (iOS and Android)

  • FanCode APIs and backend services

  • FanCode-owned digital assets and subdomains

What to Report

Our focus is identifying security issues affecting user data and access controls across FanCode. Please report only actual security vulnerabilities that could compromise the confidentiality, integrity, or availability of FanCode systems or user data. Examples include, but are not limited to:

  • Authentication or authorisation bypass

  • SQL injection or remote code execution

  • Privilege escalation

  • Sensitive user data exposure and unauthorised access

  • Server-side vulnerabilities

  • Exposure or manipulation of users' financial data

What Not to Do

For your safety and ours, please adhere to the following:

  • Do not exploit vulnerabilities beyond collecting proof required to demonstrate the issue.

  • Do not access, modify, or exfiltrate user data that does not belong to you.

  • Do not publicly disclose any details of a security issue before FanCode has had a reasonable opportunity to address it.

  • Do not perform denial-of-service (DoS) attacks or other destructive testing.

Responsible security testing should be non-disruptive and conducted only on systems which are in the scope of this program.

The following assets, environments, and activities must not be tested:

  • Cloud infrastructure or hosting platforms not directly operated by FanCode

  • Third-party services or components without direct, exploitable impact on FanCode

  • All non-production environments, including staging, UAT, test, and pre-production

  • Abusive testing behaviour (e.g., excessive session creation or repeated login/logout actions)

The following finding types and submissions are specifically excluded:

  • DoS/DDoS attacks of any kind

  • Video playback, streaming quality, DRM issues

  • Issues in standalone or third-party apps linked to FanCode, unless explicitly in scope

  • Low-impact or informational issues (P5), including self-XSS and open redirects without impact

How to Report a Vulnerability

Please share any finding details here: 

Your report should include:

  • A clear description of the vulnerability with attack scenario/exploitability

  • Security impact of the bug

  • Steps to reproduce the issue

  • Proof-of-concept (PoC), screenshots, or videos if applicable

  • Affected platform version(s)

  • Your contact information (optional if you wish to remain anonymous)

We strive to acknowledge all valid reports within a reasonable timeframe.

Recognition

FanCode does not run a bug bounty program and therefore does not offer monetary rewards, prizes, or other incentivised compensation.

However, we acknowledge your contribution subject to your consent and our internal evaluation of the report's validity and impact. This recognition is entirely at FanCode's sole discretion and may be withheld for reports we deem out of scope, low impact, or otherwise ineligible.

Confidentiality & Follow-Up

Please keep all reported information confidential until the issue is resolved and published by FanCode. We may request additional information or clarification to help us validate and remediate the issue you reported.

Legal Safe Harbour

While we appreciate your participation, it is essential to respect and comply with all applicable laws and regulations. FanCode will make reasonable efforts not to pursue legal action against individuals who:

  • Discover security vulnerabilities in good faith

  • Report them responsibly under this policy

  • Comply with applicable laws and the terms of this disclosure policy

Testing outside of the scope or with malicious intent may subject you to legal action.

Changes to This Policy

FanCode reserves the right to modify this Responsible Disclosure Policy at any time. Changes will be effective immediately upon posting.

Submit a security finding

Reports are accepted through our Google Form. For security-related questions, contact security@fancode.com.