LaLiga Group International, S.L. (hereinafter "LaLiga") is committed to information security of its products and services and, thus, it is top priority.

Likewise, LaLiga respects and appreciates cybersecurity researchers and ethical hackers who cooperate to notify security vulnerabilities responsibly so as to fix them diligently.

For these reasons, LaLiga supports people who discover and report security vulnerabilities through the current Vulnerability Disclosure Policy (hereinafter, the "Policy").

This document defines the scope, terms and conditions, and the procedure to report vulnerabilities for outsiders.

2. Scope

The Policy scope includes LaLiga web and mobile apps which link with it.

However, any software component, library, or software development kit (SDK) external to LaLiga is considered deliberately out of scope, despite the fact it is built in.

3. Terms and Conditions

According to the European Union Agency for Cybersecurity (ENISA), the Policy defines a vulnerability as a weakness or a design or implementation error that can lead to an event that compromises the security of a device, operating system, network, programme or a protocol involved in any of the above.

Considering the above, LaLiga commit to:

Investigate vulnerability reports diligently.
Make reasonable efforts to fix verified security failures.
Not recommend or pursue legal action related to vulnerability reports complying with the Policy.

Similarly, cybersecurity researchers or ethical hackers must comply with:

Act in good faith.
Comply with all applicable laws.
Notify LaLiga of security vulnerabilities as soon as possible.
Not gain personal advantage nor advantage for third parties of security vulnerabilities.
Not disclosure publicly nor share any security vulnerability with third parties without written explicit consent from LaLiga.
Not perform actions nor manifestations which would have a negative impact on LaLiga or its reputation.
Not access, compromise, modify nor harm data, systems, or services which is not your own.
Not disrupt nor degrade LaLiga apps, systems, or services.
Not use automated vulnerability scanners.
Not use social engineering, spam, phishing, brute force, malware, denial of service nor physical attacks.

4. Notification procedure

In case a cybersecurity researcher or ethical hacker discover a security vulnerability within the Policy scope, it could be notified LaLiga (in English or Spanish) at the email address cvd[@]laliga[.]es, providing the following information:

Affected app and version.
Type, high level summary and potential impact.
Technical details and evidence.
Reproducible steps and/or a working proof of concept (PoC).

In addition, security vulnerabilities could be reported to the reference security incident response center for citizens and private law entities in Spain (INCIBE-CERT), according to its vulnerability disclosure policy.