PrizePicks™ Vulnerability Disclosure

Last Updated: August 1, 2025

We welcome researchers and players who identify new, clever, and impactful security issues to PrizePicks' private bug bounty program on HackerOne.

To report a security issue, send an email to [email protected] for an automatic invite to the program.

Responsibly disclosing and demonstrating the impact of the following issue types may be rewarded with a bounty:

  • Traditional web/mobile application bugs (e.g., XSS and SQL injection)
  • Certain game bypasses (e.g., business logic abuse)
  • Other security misconfigurations or issues (e.g., infrastructure and corporate security)

Scope

Any PrizePicks services available from the internet and any software developed by SidePrize LLC (a/k/a Performance Predictions LLC) d/b/a PrizePicks.

If an issue is found with a third-party application or service, we are still interested in learning more about what you found. The payment of a bounty is contingent on the severity and nature of the issue, and is not applicable in all instances.

A more detailed scope, along with exclusions and other rules, is available on the HackerOne program page.
