Flutter UK&I Bug Bounty Program

Program Overview

Flutter UK&I runs a bug bounty program on HackerOne. The program has 42 in-scope assets and is managed by HackerOne's triage team.

In-Scope Assets

Asset	Type	Max Severity	Eligible
*.betfair.com	WILDCARD	Critical	Bounty
*.betfair.es	WILDCARD	Critical	Bounty
*.betfair.it	WILDCARD	Critical	Bounty
*.betfair.ro	WILDCARD	Critical	Bounty
*.betfair.se	WILDCARD	Critical	Bounty
*.betsharedservices.io	WILDCARD	Critical	Bounty
*.betviewapi.com	WILDCARD	Critical	Bounty
*.dibz.co.uk	WILDCARD	Critical	Bounty
*.msgsvc.io	WILDCARD	Critical	Bounty
*.operationstechnology.io	WILDCARD	Critical	Bounty
*.paddypartners.com	WILDCARD	Critical	Bounty
*.paddypower.com	WILDCARD	Critical	Bounty
*.paddypower.it	WILDCARD	Critical	Bounty
*.platformservices.io	WILDCARD	Critical	Bounty
*.ppbdev.com	WILDCARD	Medium	Bounty
*.sbgcdn.com	WILDCARD	Critical	Bounty
*.sbgcore.com	WILDCARD	Critical	Bounty
*.sbgorigin.com	WILDCARD	Critical	Bounty
*.sbgservices.com	WILDCARD	Critical	Bounty
*.sbgtest.net	WILDCARD	Critical	Bounty
*.securityservices.io	WILDCARD	Critical	Bounty
*.skybet.co.uk	WILDCARD	Critical	Bounty
*.skybet.com	WILDCARD	Critical	Bounty
*.skybet.net	WILDCARD	Critical	Bounty
*.skybetservices.com	WILDCARD	Critical	Bounty
*.skybettest.net	WILDCARD	Critical	Bounty
*.skybettingandgaming.com	WILDCARD	Critical	Bounty
*.skybettingandgaming.design	WILDCARD	Critical	Bounty
*.skybettingandgaming.info	WILDCARD	Critical	Bounty
*.skybingo.com	WILDCARD	Critical	Bounty
*.skycasino.com	WILDCARD	Critical	Bounty
*.skygamingcontent.com	WILDCARD	Critical	Bounty
*.skypoker.com	WILDCARD	Critical	Bounty
*.skyvegas.com	WILDCARD	Critical	Bounty
*.sportinglife.com	WILDCARD	Critical	Bounty
https://play.google.com/store/apps/dev?id=5503565801970655430&gl=gb	GOOGLE_PLAY_APP_ID	Critical	Bounty
https://play.google.com/store/apps/dev?id=8912907283039023448&gl=GB	GOOGLE_PLAY_APP_ID	Critical	Bounty
https://play.google.com/store/apps/dev?id=9151483005769461618&gl=GB	GOOGLE_PLAY_APP_ID	Critical	Bounty
https://play.google.com/store/apps/developer?id=Sky+Betting+and+Gaming+Apps&gl=uk	GOOGLE_PLAY_APP_ID	Critical	Bounty
itv7.itv.com	URL	Critical	Bounty
rafflee.co.uk	URL	Critical	Bounty
super6.skysports.com	URL	Critical	Bounty

Out-of-Scope Assets

• *.betfair.com.au
• *.email.skybet.com
• *.s6.sbgservices.com
• *.sbagmail.skybettingandgaming.com
• *.sbg.life
• *.sbga.me
• *.sbgcolab.com
• *.sbgdataintl.com
• *.sbggraduates.com
• *.sbgmail.skybettingandgaming.com
• *.sbgpeople.com
• *.sbpartner.it
• *.skybet-it.info
• *.skybet.de
• *.skybet.it
• *.skybetcareers.com
• *.skybetchiusuraconto.it
• *.skybetgraduates.com
• *.skybetpartner.de
• *.skybettingandgamingresearch.com

Tips for Hacking Flutter UK&I

1. Read the policy — Understand what's in scope, out of scope, and any specific testing restrictions before you start.
2. Enumerate the attack surface — Use subdomain enumeration and directory bruteforcing to map all accessible endpoints.
3. Focus on high-impact bugs — Look for SQL injection, SSRF, and IDOR vulnerabilities first.
4. Test authentication flows — Check for OAuth misconfigurations and CSRF in login/signup flows.
5. Write clear reports — Include steps to reproduce, impact assessment, and suggested remediation. Use Burp Suite to capture evidence.

Frequently Asked Questions

How do I start hacking Flutter UK&I?

Sign up on HackerOne, read the program policy carefully, review the in-scope assets listed above, and start testing. Always stay within scope and follow responsible disclosure guidelines.

Does Flutter UK&I pay bounties?

Yes, Flutter UK&I offers monetary rewards for valid security vulnerabilities.

What types of vulnerabilities does Flutter UK&I accept?

Flutter UK&I accepts reports for vulnerabilities found in their 42 in-scope assets. Common accepted vulnerability types include XSS, SQL injection, SSRF, IDOR, authentication bypass, and RCE. Check the program policy for specific exclusions.