The Marriott Group, which includes Marriott International, Inc., Starwood Hotels & Resorts Worldwide, LLC, and their affiliates (collectively, Marriott) takes cybersecurity seriously. The responsible disclosure of potential vulnerabilities by this community helps us to ensure the security and privacy of our customers and data.
Except as modified by these terms of Marriott’s bounty program, the HackerOne Finder Terms and Conditions and Code of Conduct apply to your participation in Marriott’s bounty program. By submitting a potential vulnerability report (Submission), you acknowledge that you have read and agreed to the terms of Marriott’s program (Program Terms). Marriott may revise the Program Terms or terminate the bounty program at any time. Marriott’s bounty program accepts reports of bugs discovered by members of the cybersecurity community. Researchers' identities and vulnerability details are not disclosed.
A detailed summary of the vulnerability, including: type of issue; location; product; version; and configuration of any software, as appropriate;
Estimated severity and/or impact of the issue, if any;
Suggested mitigation or remediation actions, if appropriate; and
Reports must not contain results from automated scanners.
Security flaws for which an official patch has been available for less than 30 days are not eligible for bounty payments.
Security flaws for which a patch has been available for 30-60 days are paid at 50% of the eligible amount.
Security flaws for which a patch has been available for more than 60 days are paid at 100% of the eligible amount.
Marriott will begin rewarding eligible reports at 25% of the full amount beginning December 27, 2021.
Marriott will begin rewarding eligible reports at 100% of the full amount beginning January 31, 2022.
Web Cache Poisoning: we are aware of a misconfiguration in our CDN. We will fix it by February and then resume accepting submissions of this type.
Reflected XSS on .marriott.com, because it generally requires user interaction (phishing) or specially crafted HTML files.
UI redressing via custom .html files.
Other Marriott-owned devices - Assets located at any of our hotels, condos, apartments, or convention centers
Missing best practices in SSL/TLS configuration.
Clickjacking on pages with no sensitive actions.
Any activity that could lead to the disruption of our service (DoS).
CRLF injection that requires user interaction (e.g. clicking a link in a phishing email).
Attacks requiring MITM or physical access to a user's device.
Open redirect issues that are not chained to credential leakage or some other compromise.
Content spoofing and text injection issues without a demonstrated attack vector, or without the ability to modify HTML/CSS.
Validate WHOIS registration data to make sure that the technical/abuse contact is domain.administrator@marriott.com. This confirms that Marriott controls the domain.
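One way to automate that check, as an added example that is not part of Marriott's program text: a small Python script that parses a WHOIS record into its key/value fields and reports whether any contact field carries the expected address. The WHOIS record below is a constructed sample, not real registry output (the domain and field names are assumptions; real registrar output varies and often redacts contacts), so a privacy-redacted contact is reported as inconclusive rather than as a failure, and a wrong or missing contact as unconfirmed.

```python
import re

# Constructed sample WHOIS record (assumption: registrar-style "Key: value" lines).
# This is NOT real registry data for any Marriott domain.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-HOTEL.CO.UK
Registrar: Example Registrar, Inc.
Registrar URL: http://registrar.example
Registrant Email: REDACTED FOR PRIVACY
Admin Email: domain.administrator@marriott.com
Tech Email: Domain.Administrator@marriott.com
Name Server: ns1.example.net
"""

# Contact address the program says should appear in the technical/abuse contact.
EXPECTED_CONTACT = "domain.administrator@marriott.com"

# WHOIS contact fields worth inspecting, in order of preference.
CONTACT_FIELDS = ("Tech Email", "Admin Email", "Registrant Email", "Abuse Contact Email")


def parse_whois(text):
    """Parse 'Key: value' lines into a dict of lowercase key -> list of values.

    WHOIS keys can repeat (e.g. several Name Server lines), so values are kept
    in a list. The split happens at the first colon only, so values containing
    colons (URLs) survive intact. Lines without a colon are ignored.
    """
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?):\s*(.*?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1).strip().lower(), m.group(2)
        if value:
            fields.setdefault(key, []).append(value)
    return fields


def check_contact(whois_text, expected=EXPECTED_CONTACT):
    """Return (status, fields) where status is one of:

    'confirmed'    - at least one contact field equals the expected address
                     (compared case-insensitively);
    'inconclusive' - no match, but at least one contact field is privacy-redacted,
                     so ownership cannot be decided from WHOIS alone;
    'unconfirmed'  - contact fields are present but carry a different address,
                     or no contact fields exist.
    The second element lists the field names that led to the status.
    """
    fields = parse_whois(whois_text)
    matched, redacted = [], []
    for name in CONTACT_FIELDS:
        for value in fields.get(name.lower(), []):
            if value.casefold() == expected.casefold():
                matched.append(name)
            elif "redacted" in value.lower() or "privacy" in value.lower():
                redacted.append(name)
    if matched:
        return "confirmed", matched
    if redacted:
        return "inconclusive", redacted
    return "unconfirmed", []


if __name__ == "__main__":
    # Offline demonstration on the constructed sample. To check a live domain,
    # pipe the output of the whois command into check_contact instead.
    status, where = check_contact(SAMPLE_WHOIS)
    print(f"{status}: {', '.join(where) or 'no matching contact fields'}")
```

Treat "inconclusive" as exactly that: a redacted record neither proves nor disproves Marriott's control, so confirm the asset against the scope table before testing it.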
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Validation of credentials is prohibited.
We take every submission seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like Marriott and the broader Internet community. We will investigate every submission and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible.
Marriott will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:
| Type of Response | Estimated SLA in business days |
|----------|--------------------|
| First Response | 2 days |
| Time to Triage | 5 days |
| Time to Bounty | 20 days |
| Time to Resolution | depends on severity and complexity |
Researchers will be kept informed about our progress throughout the process.
For the avoidance of doubt, the following activities are expressly prohibited:
• Downloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential Marriott data or data belonging to Marriott’s business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party (other than your own) directly or indirectly affiliated with Marriott (collectively, Marriott Data);
• Hacking, penetrating, or otherwise attempting to gain unauthorized access to Marriott applications, systems, or Marriott Data in violation of the Program Terms or applicable laws;
• Engaging in any social engineering (e.g. phishing, vishing, smishing) or denial of service testing;
• Mass creation of accounts to perform testing against Marriott applications and services;
• Conducting physical attacks against any Marriott assets (e.g. any equipment within Marriott facilities, such as hotel locks, or the facilities themselves); and
• Disrupting or otherwise adversely affecting Marriott’s business, the operation of any Marriott applications or systems, or the use and protection of Marriott Data.
Marriott reserves all rights and potential claims with respect to any such prohibited activities.
Unless Marriott provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the Marriott program, including discussions related to our program or any vulnerabilities (even if resolved).
While this is a public program, Marriott does not allow for any form of public disclosure at this time. Please do not discuss or write about any vulnerabilities (even resolved ones) outside of the program without express consent from Marriott.
If you publicly disclose any vulnerability information without explicit permission from Marriott, any safe harbor terms will not apply.
The terms in this policy supersede any conflicting HackerOne rules, guidelines, and terms.
Thank you for helping to protect Marriott’s systems and customers.
Scope Type | Scope Name |
---|---|
android_application | com.marriott |
ios_application | 455004730 |
other | Other Marriott-owned asset |
web_application | eleganthotels.com |
web_application | www.ritzcarlton.com |
web_application | apps.ritzcarlton.com |
web_application | homes-and-villas.marriott.com |
web_application | airandcar.marriott.com |
web_application | activities.marriott.com |
web_application | towneplacesuites.marriott.com |
web_application | springhillsuites.marriott.com |
web_application | careers.marriott.com |
web_application | sso.marriott.com |
web_application | mgs.marriott.com |
web_application | jobs.marriott.com |
web_application | passwordchallenge.marriott.com |
web_application | gateway*.marriott.com |
web_application | dcfgateway*.marriott.com |
web_application | marriottfranchisetransactions.marriott.com |
web_application | lawmanager.marriott.com |
web_application | www.travelagents.marriott.com |
web_application | hotel-deals.marriott.com |
web_application | marriott.co.* |
web_application | all-inclusive.marriott.com |
web_application | reservations.all-inclusive.marriott.com/ |
web_application | marrtool.com |
web_application | cpp.marriott.com |
web_application | www.marriott.com |
Scope Type | Scope Name |
---|---|
web_application | vacations.marriott.com |
web_application | moxymix.marriott.com |
FireBounty crawled the Marriott Bug Bounty Program on the HackerOne platform on 2020-02-04.
FireBounty © 2015-2024