Bug bounty / Responsible Disclosure Program of TV3 Group

In its activities, TV3 Group, including TV Play Baltics, All Media Eesti, All Media Latvia, Star FM, All Media Lithuania, All Media Radijas, All Media Digital (hereinafter – TV3 or TV3 Group) handles huge amounts of data and systems that process these data. TV3 finds the security of these data to be of paramount importance, thus we constantly work to ensure the security of the data and the systems. Despite continuous efforts of TV3 to find and fix security vulnerabilities, we understand that we may overlook some of them, so we invite you to participate in the Responsible Disclosure Program of TV3 to help us fix data and system security risks. Having found any security vulnerabilities on TV3´s websites and/or systems, please report them to us in accordance with this Responsible Disclosure Program.

Participation in the Responsible Disclosure Program of TV3 is voluntary.

Provision of information on vulnerabilities found on TV3´s websites and systems shall be considered to be your confirmation that you have read and agree to the terms and conditions of the Program.

If you fail to comply with the terms and conditions of the Program, you may be withdrawn from the participation in it.

Principles of responsible disclosure

TV3 encourages a responsible disclosure of security vulnerabilities and therefore it shall not take any legal action against persons who disclose security vulnerabilities in accordance with the terms and conditions of the Responsible Disclosure Program, legislative requirements and the principles listed below:

during the vulnerability search process, the operation, functionality, services provided, and data availability or integrity of the communication and information system may not be altered or disrupted;
a search for security vulnerabilities shall be terminated having made sure that a vulnerability exists;
having conducted a search for security vulnerabilities, the person shall immediately inform TV3 of the security vulnerabilities found in accordance with the terms and conditions of the Responsible Disclosure Program;
the data of TV3 may not be monitored, recorded, acquired, stored, intercepted, copied, altered, disclosed, destroyed, removed and/or corrupted more than necessary for confirming the security vulnerability;
if Personal Data is encountered, the person should immediately halt his activity, delete related data from his system, and immediately contact TV3.
when searching for security vulnerabilities, no attempts may be made to guess passwords, to use passwords obtained by unauthorised means or to manipulate employees of the cybersecurity entity or other persons who have access to sensitive information important for vulnerability search;
information about the identified security vulnerability may not be disclosed to any third parties until it has been reported to TV3, and the security vulnerability has been corrected;
taking any action that would allow the person taking the action or any other third party to destroy, store, share or access the data of TV3 or its customers shall be prohibited;
when searching for security vulnerabilities, no action that may affect TV3´s customers, such as spamming, social engineering or disruption of the services provided, may be taken;
perform research only within the scope set out below;
use the identified communication channels to report vulnerability information to us.

If you do not comply with these principles, we may block your IP address and take other legal action.

Program participants

You cannot participate in the Responsible Disclosure Program if:

you are an employee of a TV3 Group company or its subsidiaries;
you are a close family member (children, spouse, parents, grandparents, siblings, grandchildren) of an employee of a TV3 Group company or its subsidiaries;
you are under 18 years of age;
external service providers, who work on TV3 sites and platforms, their previous partners or their close family members.

If TV3 determines that you do not meet the above requirements, you shall be withdrawn from TV3´s Responsible Disclosure Program and will not be eligible for a reward.

Area of application of the Program

All the below-listed domains and subdomains may be the subject of security vulnerability searches:

Go3.tv	Play.tv3.ee
Go3.lv	Play.tv3.lv
Go3.lt	Play.tv3.lt
Tv3.ee
Tv3.lv
Tv3.lt
www.home3.ee
mans.go3.lv
mano.go3.lt
minu.go3.tv
minu.home3.ee
mans.home3.lv
mano.home3.lt

TV3´s apps hosted on official app stores (e.g. self-service apps, Go3, etc.) may also be the subject of security vulnerability searches.

Examples of non-qualifying and qualifying vulnerabilities

TV3 shall accept all reports on identified vulnerabilities that violate the integrity and confidentiality of TV3´s systems, but not all reported vulnerabilities may earn a reward. The following vulnerabilities shall NOT be subject to reward:

findings from physical testing such as office access (e.g., open doors, tailgating);
exfiltration of any data under any circumstances;
intentional endangerment of the TV3´s personnel’s or any third parties’ privacy and/or safety;
intentional endangerment of the intellectual property or other commercial or financial interests of any TV3 personnel or TV3 group entities, or any third parties;
fraudulent financial transaction initiation;
social engineering attacks against employees and customers, e.g., phishing, other social engineering methods or non-technical attacks;
user password brute force attacks;
spamming (including SPF/DKIM/DMARC);
Denial of Service (DoS) attacks;
issues not related to security, such as HTTP response codes, application or server errors, etc.;
issues without a clear impact on security, such as logged-out CSRF, missing HTTP security headers, SSL issues, password policy issues, or clickjacking on pages with no sensitive actions;
issues affecting outdated applications or components, no longer in use or maintained;
issues related to third-party software, e.g., third-party applications or services which we use, except when they cause a vulnerability on TV3´s websites;
already known WordPress bugs which are waiting for fix from WordPress side;
issues involving server-side request forgery (SSRF) on services that perform active requests, except when this relates to the disclosure of sensitive information;
third-party security vulnerabilities on websites that integrate with TV3 API;
insecure cookie settings;
issues involving disclosure of publicly available or irrelevant information, such as disclosure of server information (“X-Powered-by” and “Server” response headers);
vulnerabilities requiring exceedingly unlikely user interaction;
reports and information that can be obtained through privileged access to target’s devices or that are beyond TV3 control. These include, inter alia, access to browser cookies and/or other tokens used to impersonate the user, access user’s email address, etc.;
clickjacking attacks that occur on pre-authenticated pages, or the absence of X-Frame-Options, or any other non-exploitable clickjacking issues;
results of scanning automatic tools for vulnerability assessment (i.e., Nessus, nmap).

A reward may be provided for the vulnerabilities listed below:

Cross Site Request Forgery (CSRF/XSRF);
Privilege escalation;
Authentication bypass;
SSRF to an internal service;
Cross-site scripting (XSS) (including stored/ persistent XSS);
Leakage or disclosure of sensitive information, including personal data of users/customers;
SQL injections;
Unverified redirects / “Man in the Middle” attacks;
Under-protected API;
Significant security misconfiguration with a confirmed vulnerability;
Remote code execution;
Other critical security vulnerabilities that may cause severe harm.

TV3 reserves the right to assess the impact and severity of a reported vulnerability, also checking whether the vulnerability has been reported before.

Reward and its amount

The amount of the reward depends on the extent of the detected security vulnerability. The more significant the vulnerability is, the higher is the reward paid for reporting it. Vulnerabilities that could lead to the disclosure of sensitive data and financial loss are considered significant vulnerabilities.

Rewards can only be paid for new security vulnerabilities that have not been reported to TV3 before. Reports on disclosed security vulnerabilities shall comply with the terms and conditions of the Program.

If two or more people report a vulnerability together at the same time, the reward shall be split between them.

The payment of a reward and its amount shall be set at the discretion of TV3. Payments shall be made in euro or by providing discount vouchers for TV3 services.

When determining the payment amount, TV3 shall consider the severity of the risk and the impact of the vulnerability.

NOTA BENE: we cannot reward sanctioned persons or nationals of countries that are on the sanctioned list. You shall be responsible for any taxes depending on your country and nationality. Local laws of your country may provide for additional restrictions that could prevent you from participating in the Program.

Ways to report security vulnerabilities

If you think you have found a security vulnerability, please report it to us at:

[email protected]

Please use PGP to ensure the confidentiality of the information sent to us:

Responsible Disclosure <[email protected]>

PGP key id: 0xC3ECBAD2CEB9021A

PGP fingerprint: 031B53FAFE66CFD309163469C3ECBAD2CEB9021A

PGP key

When providing information about a security vulnerability, please indicate the following:

a detailed description of the vulnerability, including its exploitability and impact;
each step required to reproduce the exploitability of the vulnerability;
affected URLs, applications (even if you also provided us with a code snippet or a video);
the IP addresses that were used in the search;
always indicate the user ID used in the POC;
always include all the files you have tried to upload;
provide a complete POC;
save all attack logs and attach them to the report.

Your report should be confirmed within 72 hours. Disclosed information will be verified, and you should be contacted within 5 business days. The time it takes to resolve a vulnerability depends on its complexity and severity.

Confidentiality

Any information you receive, collect or discover about TV3 Group, its employees and/or customers as a result of your participation in the Responsible Disclosure Program shall be kept confidential and used for the purposes of participating in the Responsible Disclosure Program. You may not disclose such confidential information without our prior written consent. Any disclosure of confidential information that does not comply with this requirement may result in your withdrawal from the Responsible Disclosure Program.

Ownership of the information provided

By participating in the Responsible Disclosure Program of TV3 Group, you shall provide TV3 Group companies and their subsidiaries with a sub-licensable, non-exclusive, free, irrevocable use licence unrestricted in time, territory or scope, to reproduce, adapt, modify, publish, distribute, publicly perform, create derivative works, produce, use, sell, offer for sale, and import your provided information about the vulnerability, as well as any related material which you provided to TV3 Group, for any purpose.

When providing information on a vulnerability, you shall warrant and represent that your provided information is original and that you have full rights to share it and to provide TV3 Group companies with the above licence.

Amendments to the Responsible Disclosure Program of TV3 Group

Once we update the terms and conditions of the Responsible Disclosure Program of TV3 Group, we shall inform you of any material amendments by posting a notice on the websites tv3.ee, tv3.lv, tv3.lt, go3.tv, go3.lv, tv3.lt, home3.ee. Nevertheless, to be familiar with the current version of the Program, you should periodically review and familiarise yourself with the latest version of the Responsible Disclosure Program of TV3 Group published on the website on your own initiative.

Updated: 01.05.2023

Thank you for helping keep TV3 Group and our users safe!