Banner object (1)

5089 policies in database
  Back Link to program      
Marriott Vulnerability Disclosure Program logo
Hall of Fame

Marriott Vulnerability Disclosure Program


The Marriott Group, which includes Marriott International, Inc., Starwood Hotels & Resorts Worldwide, LLC, and their affiliates (collectively, Marriott) takes cybersecurity seriously. Marriott has launched a vulnerability response program, using the HackerOne platform. The responsible disclosure of potential vulnerabilities by this community helps us to ensure the security and privacy of our customers and data.

Except as modified by these terms of Marriott’s vulnerability response program, the HackerOne disclosure guidelines apply to your participation in Marriott’s vulnerability response program. By submitting a potential vulnerability report (Submission), you acknowledge that you have read and agreed to the terms of Marriott’s program (Program Terms). Marriott may revise the Program Terms or terminate the vulnerability response program at any time. Marriott’s vulnerability disclosure program intakes bugs discovered by members of the cyber security community. Researcher’s identities and vulnerability details are not disclosed.

We are currently only accepting High and Critical severity bug reports


Unless Marriott provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the Marriott program, including discussions related to our program or any vulnerabilities (even if resolved).

Disclaimers/Prohibited Activities

For the avoidance of doubt, the following activities are expressly prohibited:

  • Downloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential Marriott data or data belonging to Marriott’s business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party (other than your own) directly or indirectly affiliated with Marriott (collectively, Marriott Data);
  • Hacking, penetrating, or otherwise attempting to gain unauthorized access to Marriott applications, systems, or Marriott Data in violation of the Program Terms or applicable laws;
  • Engaging in any social engineering (e.g. phishing, vishing, smishing) or denial of service testing;
  • Mass creation of accounts to perform testing against Marriott applications and services;
  • Conducting physical attacks against any Marriott assets (e.g. any equipment within and Marriott facilities themselves, such as hotel locks, etc.); and
  • Disrupting or otherwise adversely affecting Marriott’s business, the operation of any Marriott applications or systems, or the use and protection of Marriott Data. Scripts/scanners must not exceed 100 requests per second.
  • Extortion of any kind by asking for money or threatening disclosure of information.

Marriott reserves all rights and potential claims with respect to any such prohibited activities.

Submission Requirements

  1. A detailed summary of the vulnerability, including: type of issue; location; product; version; and configuration of any software, as appropriate;
  2. Step-by-step instructions necessary to reproduce the issue or vulnerability;
  3. Estimated severity and/or impact of the issue, if any;
  4. Suggested mitigation or remediation actions, if appropriate; and
  5. Any relevant attachments
  6. Report must not contain results from automated scanners

Out of Scope

  • Any Low or Medium vulnerability.
  • UI Redressing
  • Missing best practices in SSL/TLS configuration.
  • Clickjacking on pages with no sensitive actions.
  • Any activity that could lead to the disruption of our service (DoS).
  • XSS and CRLF that requires user interaction.
  • Attacks requiring MITM or physical access to a user's device.
  • Open Re-direct Issues without linking to other credential leakage or some other compromise.
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

General Rules

  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only accept and triage the first report that was received (provided that it can be fully reproduced).
  • Absolutely no public disclosure of any information related to Marriott and its Vulnerability Disclosure Program.

What You Can Expect From Us

We take every Submission seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like Marriott and the broader Internet community. We will investigate every Submission and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible.

Marriott will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:

• Time to first response (from report submit date) = 5 business days
• Time to triage (from report submit date) = 10 business days
• Resolution = Depends on complexity and severity

Researchers will be kept informed about our progress throughout the process.

Thank you for helping to protect Marriott’s systems and customers.

In Scope

Scope Type Scope Name











Firebounty have crawled on 2020-02-04 the program Marriott Vulnerability Disclosure Program on the platform Hackerone.

FireBounty © 2015-2020

Legal notices