Whilst we don't have a formal bug-bounty programme with a 3rd party company, our site is regularly tested and analysed by both an in-house team and external trusted partners.
If you believe there is a security weakness in Fanatical.com that's been missed then we welcome you to contact us via support@fanatical.com and discuss your discoveries.
We will need to know as much detail as possible about your finding, steps to reproduce the issue, or code examples which can be used to replicate your discovery.
Reporting bugs scraped from 3rd party bug bounty sites
Sometimes low risk bug reports are scraped from 3rd party bug bounty sites and submitted to us. These reports are often rejected as they have been previously discussed by our team and mitigating measures have been put in place around the discovery.
New un-reported bug reports
If a previously un-reported bug is submitted to us then our team of analysts will discuss the report and score the report according to the globally recognised system, CVSS.
Upon approval and acceptance, the issue will be logged into our bug-tracking system and we will make pay-outs to you via PayPal or bank transfer as summarised in the table below:
| CVSS Score | Bounty amount |
| --- | --- |
| Low (0.1-3.9) | $25-$100 |
| Medium (4.0-6.9) | $250 |
| High (7.0-8.9) | $500 |
| Critical (9-10) | $1000 |
We want Fanatical.com to be as secure as possible so thank you for taking the time to get in touch.