Vulnerability Disclosure Program | NFL.com

Vulnerability Disclosure Program

How to report a security issue to us

Responsible Disclosure

We value the security and privacy of our customers and users, and we are committed to fixing any vulnerabilities that may affect our products and services. We welcome reports from security researchers who help us improve our security posture. If a security vulnerability is found on one of our running services or sites, we encourage you to submit it to us in a responsible manner. The National Football League reserves all legal rights in case of non-compliant submissions.

How to report

If you have discovered a security issue in one of our sites, services, or products, please do not disclose it publicly or exploit it for malicious purposes. Instead, please report it to us as soon as possible by heading to our Vulnerability disclosure program hosted here: NFL VDP Program

If you do not have an account on the platform, we encourage you to sign up to make your submission. If you are unable to do so, you can email issues to vulnerabilitydisclosure@nfl.com.

Scope

Discover the scope of our vulnerability disclosure program by heading to the program page here: NFL VDP Program

Disclaimer

  • Researchers must avoid intentionally accessing the content of any communications, data, or information transiting or stored on any NFL information system – except to the extent that the information is directly related to a vulnerability and the access is necessary to prove that the vulnerability exists.
  • Researchers must not intentionally exfiltrate or copy NFL data, or open, take, or delete files. Should researchers obtain NFL data during their research, they must coordinate with the NFL VDP contact to ensure that data is appropriately destroyed upon confirmation that the vulnerability is remediated.
  • Researchers may not conduct denial-of-service (DoS or DDoS) tests or other tests that impair access to or damage a system or data.
  • Researchers may not publicly disclose any details of the vulnerability, indicator of vulnerability, or the content of information rendered available by a vulnerability, until that vulnerability is remediated, and they receive explicit written authorization from NFL.