45466 policies in database
Link to program      
2020-02-04
2020-04-17
Marriott Bug Bounty Program logo
Thank
Gift
HOF
Reward

Reward

Marriott Bug Bounty Program

Welcome to the Marriott Bug Bounty program.

The Marriott Group, which includes Marriott International, Inc., Starwood Hotels & Resorts Worldwide, LLC, and their affiliates (collectively, Marriott) takes cybersecurity seriously. The responsible disclosure of potential vulnerabilities by this community helps us to ensure the security and privacy of our customers and data.

Except as modified by these terms of Marriott’s bounty program, the HackerOne Finder Terms and Conditions and Code of Conduct apply to your participation in Marriott’s bounty program. By submitting a potential vulnerability report (Submission), you acknowledge that you have read and agreed to the terms of Marriott’s program (Program Terms). Marriott may revise the Program Terms or terminate the bounty program at any time. Marriott’s bounty program intakes bugs discovered by members of the cybersecurity community. Researchers' identities and vulnerability details are not disclosed.

Submission Requirements

  1. A detailed summary of the vulnerability, including: type of issue; location; product; version; and configuration of any software, as appropriate;

  2. Estimated severity and/or impact of the issue, if any;

  3. Suggested mitigation or remediation actions, if appropriate; and

  4. Report must not contain results from automated scanners

Marriott CVE Policy

  • Security flaws that have an official patch for less than 30 days from the date of patch availability will not be eligible for bounty payments.

  • Security flaws that have updates available between 30-60 days will be paid at 50% total eligibility.

  • Security flaws with updates available for more than 60 will be paid at 100% total eligibility.

CVE-2021-44228 and related Log4j vulnerabilities

  • Marriott will begin rewarding eligible reports at 25% total beginning December 27, 2021

  • Marriott will begin rewarding eligible reports at 100% total beginning January 31, 2022

Out of Scope - These will be marked informative

  • Please do not test assets owned by Marriott Vacations Worldwide, Marriott Vacations Clubs, Vistana, Interval International, Marriott Co Financial, Interval Leisure Group and Martiz Websites.

*** Web Cache Poisoning - We are aware of a misconfiguration in our CDN . We will fix by February and then continue allowing submissions of this type.

**Reflected XSS on .marriott.com because generally require user interaction[phishing] or specially crafted html files

  • UI Redressing via custom .html files

  • Other Marriott-owned devices - Assets located at any of our hotels, condos, apartments, or convention centers

  • Missing best practices in SSL/TLS configuration.

  • Clickjacking on pages with no sensitive actions.

  • Any activity that could lead to the disruption of our service (DoS).

  • CRLF that requires user interaction ie, clicking on a link from a phishing email

  • Attacks requiring MITM or physical access to a user's device.

  • Open Re-direct Issues without linking to other credential leakage or some other compromise.

  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

Program Rules

*Validate WHOIS registration data to make sure that technical abuse contacts is domain.administrator@marriott.com. This shows for sure that we control the domain.

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

  • Validation of credentials is prohibited.

What You Can Expect From Us

We take every submission seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like Marriott and the broader Internet community. We will investigate every submission and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible.

Marriott will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:

| Type of Response | Estimated SLA in business days |

|----------|--------------------|

| First Response | 2 days |

| Time to Triage | 5 days |

| Time to Bounty | 20 days |

| Time to Resolution | depends on severity and complexity |

Researchers will be kept informed about our progress throughout the process.

Disclaimers/Prohibited Activities

For the avoidance of doubt, the following activities are expressly prohibited:

• Downloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential Marriott data or data belonging to Marriott’s business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party (other than your own) directly or indirectly affiliated with Marriott (collectively, Marriott Data);

• Hacking, penetrating, or otherwise attempting to gain unauthorized access to Marriott applications, systems, or Marriott Data in violation of the Program Terms or applicable laws;

• Engaging in any social engineering (e.g. phishing, vishing, smishing) or denial of service testing;

• Mass creation of accounts to perform testing against Marriott applications and services;

• Conducting physical attacks against any Marriott assets (e.g. any equipment within and Marriott facilities themselves, such as hotel locks, etc.); and

• Disrupting or otherwise adversely affecting Marriott’s business, the operation of any Marriott applications or systems, or the use and protection of Marriott Data.

Marriott reserves all rights and potential claims with respect to any such prohibited activities.

Confidentiality

Unless Marriott provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the Marriott program, including discussions related to our program or any vulnerabilities (even if resolved).

Disclosure Policy

  • While this is a public program, Marriott does not allow for any form of public disclosure at this time. Please do not discuss or write about any vulnerabilities (even resolved ones) outside of the program without express consent from Marriott.

  • If you publicly disclose any vulnerability information without explicit permission from Marriott, any safe harbor terms will not apply.

  • The terms in this policy supersede any conflicting HackerOne rules, guidelines, and terms.

Thank you for helping to protect Marriott’s systems and customers.

In Scope

Scope Type Scope Name
android_application

com.marriott

ios_application

455004730

other

Other Marriott-owned asset

web_application

eleganthotels.com

web_application

www.ritzcarlton.com

web_application

apps.ritzcarlton.com

web_application

homes-and-villas.marriott.com

web_application

airandcar.marriott.com

web_application

activities.marriott.com

web_application

towneplacesuites.marriott.com

web_application

springhillsuites.marriott.com

web_application

careers.marriott.com

web_application

sso.marriott.com

web_application

mgs.marriott.com

web_application

jobs.marriott.com

web_application

passwordchallenge.marriott.com

web_application

gateway*.marriott.com

web_application

dcfgateway*.marriott.com

web_application

marriottfranchisetransactions.marriott.com

web_application

lawmanager.marriott.com

web_application

www.travelagents.marriott.com

web_application

hotel-deals.marriott.com

web_application

marriott.co.*

web_application

all-inclusive.marriott.com

web_application

reservations.all-inclusive.marriott.com/

web_application

marrtool.com

web_application

cpp.marriott.com

web_application

www.marriott.com

Out of Scope

Scope Type Scope Name
web_application

vacations.marriott.com

web_application

moxymix.marriott.com


Firebounty have crawled on 2020-02-04 the program Marriott Bug Bounty Program on the platform Hackerone.

FireBounty © 2015-2024

Legal notices | Privacy policy