Marriott Vulnerability Disclosure Program


The Marriott Group, which includes Marriott International, Inc., Starwood Hotels & Resorts Worldwide, LLC, and their affiliates (collectively, Marriott) takes cybersecurity seriously. Marriott has launched a vulnerability response program, using the HackerOne platform. The responsible disclosure of potential vulnerabilities by this community helps us to ensure the security and privacy of our customers and data.

Except as modified by these terms of Marriott’s vulnerability response program, the HackerOne disclosure guidelines apply to your participation in Marriott’s vulnerability response program. By submitting a potential vulnerability report (Submission), you acknowledge that you have read and agreed to the terms of Marriott’s program (Program Terms). Marriott may revise the Program Terms or terminate the vulnerability response program at any time. Marriott’s vulnerability disclosure program intakes bugs discovered by members of the cyber security community. Researchers’ identities and vulnerability details are not disclosed.


Unless Marriott provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the Marriott program, including discussions related to our program or any vulnerabilities (even if resolved).

Disclaimers/Prohibited Activities

For the avoidance of doubt, the following activities are expressly prohibited:

  • Downloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential Marriott data or data belonging to Marriott’s business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party (other than your own) directly or indirectly affiliated with Marriott (collectively, Marriott Data);
  • Hacking, penetrating, or otherwise attempting to gain unauthorized access to Marriott applications, systems, or Marriott Data in violation of the Program Terms or applicable laws;
  • Engaging in any social engineering (e.g. phishing, vishing, smishing) or denial of service testing;
  • Mass creation of accounts to perform testing against Marriott applications and services;
  • Conducting physical attacks against any Marriott assets (e.g. any equipment within and Marriott facilities themselves, such as hotel locks, etc.); and
  • Disrupting or otherwise adversely affecting Marriott’s business, the operation of any Marriott applications or systems, or the use and protection of Marriott Data. Scripts/scanners must not exceed 100 requests per second.
  • Extortion of any kind by asking for money or threatening disclosure of information.

Marriott reserves all rights and potential claims with respect to any such prohibited activities.

Submission Requirements

  1. A detailed summary of the vulnerability, including: type of issue; location; product; version; and configuration of any software, as appropriate;
  2. Step-by-step instructions necessary to reproduce the issue or vulnerability;
  3. Estimated severity and/or impact of the issue, if any;
  4. Suggested mitigation or remediation actions, if appropriate; and
  5. Any relevant attachments
  6. Report must not contain results from automated scanners

Out of Scope

  • Missing best practices in SSL/TLS configuration.
  • Clickjacking on pages with no sensitive actions.
  • Any activity that could lead to the disruption of our service (DoS).
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Reflected and DOM XSS (We are aware of these site-wide issues and are working to remedy them as soon as possible. These will be moved back into scope at a later time).
  • Reflected and DOM Based CSRF (We are aware of these site-wide issues and are working to remedy them as soon as possible. These will be moved back into scope at a later time).

In-Scope XSS & Improper Certificate Validation

  • XSS vulnerabilities that are combined with privilege escalation, credential stealing, session stealing, or file upload.
  • Improper wildcard certificates (ex: * with proof-of-concept.

General Rules

  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Absolutely no public disclosure of any information related to Marriott and its Vulnerability Disclosure Program.

What You Can Expect From Us

We take every Submission seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like Marriott and the broader Internet community. We will investigate every Submission and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible.

Marriott will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:

  • Time to first response (from report submit date) = 5 business days
  • Time to triage (from report submit date) = 10 business days
  • Resolution = Depends on complexity and severity

Researchers will be kept informed about our progress throughout the process.

Thank you for helping to protect Marriott’s systems and customers.

FireBounty crawled the Marriott Vulnerability Disclosure Program on the HackerOne platform on 2020-02-04.
