FireBounty
52235 policies in database
Link to program      
2021-03-29
Hilton logo
Thank
Gift
HOF
Reward

Hilton

Introduction

At Hilton, our mission is to provide the light and warmth of hospitality to the world, by delivering an exceptional, safe, and reliable customer experience. In pursuit of this mission, we are partnering with HackerOne and the security community to launch the Hilton Vulnerability Disclosure Program (VDP), and we want you to participate!

Response Targets

Hilton will make a best effort to respond within five business days to reports received through the VDP. You must give Hilton reasonable time to investigate the reported vulnerability and must respond to follow-up questions.

In Scope

The main Hilton website (hilton.com and www.hilton.com) is included within the scope of the VDP. Finders may create a Hilton Honors account (https://www.hilton.com/en/hilton-honors/join/) for the purpose of assessing authentication functionality. The Hilton Honors program is a free sign up that only requires basic information. Please prepend the string “Test-Hackerone” to the First and Last name fields for all HHonors accounts created for the purposes of security testing.

In addition, the following Fully Qualified Domain Names (FQDNs) are in scope for the VDP:

  • *.hilton.com (all hilton.com subdomains)

  • hilton.io

  • *.hilton.io (all hilton.io subdomains)

The following IP ranges are also in scope for the VDP:

  • 167.187.0.0/16

  • 192.251.123.0/24

  • 192.251.124.0/24

  • 192.251.125.0/24

  • 192.251.126.0/24

  • 82.196.42.196/28

  • 203.79.37.2/29

  • 62.216.152.46/29

  • 121.200.237.36/29

Out of Scope

Booking of reservations is considered an out-of-scope activity. In addition, the following vulnerabilities are considered out of scope:

  • Clickjacking on pages with no sensitive actions.

  • Unauthenticated/logout/login CSRF.

  • Attacks requiring MITM or physical access to a user's device.

  • Previously known vulnerable libraries without a working Proof of Concept.

  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.

  • Missing development best practices.

  • Missing best practices in SSL/TLS configuration.

  • Conflict with industry policies and standards.

  • Any activity that could lead to the disruption of a Hilton service (for example, DoS attacks).

  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.

  • Rate-limiting issues on endpoints that do not disclose PII or other relevant information.

  • Reports originating only from automated tools or scanners (e.g., Burp, nmap, etc.).

Testing Requirements

Please ensure that the string “HackerOne” is appended to your user agent for all HTTP/HTTPS traffic before performing any testing. Example instructions on how to modify the user agent string for Chrome can be found here and for Burp Suite can be found here.

Submission Requirements

  • When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug.

  • Vulnerability reports must be submitted to HackerOne and must meet HackerOne’s requirements (https://docs.hackerone.com/programs/submit-report-form.html)

  • Suggest mitigation or remediation actions, if appropriate.

Disclosure Policy

  • Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hilton. Do not disclose the issue publicly.

  • Hilton may require that you sign a confidentiality agreement related to the vulnerability.

  • Please review HackerOne's policy for additional guidelines. (https://www.hackerone.com/disclosure-guidelines).

Program Rules and Prohibited Activities:

  • Do not collect, disclose, destroy, compromise, alter, interfere with, or transfer any proprietary or confidential Hilton data or property or data or property belonging to Hilton’s business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party directly or indirectly affiliated with Hilton. Action such as storing Hilton data in public internet service such as PasteBin are strictly prohibited. You must notify Hilton immediately if you access, modify, delete, or store Hilton data or that of the third parties listed above.

  • Do not perform any actions that could affect Hilton's operations or the guest experience, such as Denial of Service (DoS) attacks or destruction of data.

  • You must not interact with Hilton's customers without their express written consent, which must be provided to Hilton upon request.

  • All vulnerabilities submitted via the Hilton VDP immediately and irrevocably become the intellectual property of Hilton. By submitting a report pursuant to the Hilton VDP, you grant Hilton permission to make use of the information contained therein.

  • Do not disclose any vulnerabilities related to Hilton to parties other than Hilton or HackerOne without express authorization from Hilton.

  • Vulnerabilities will only be considered for triage if they are unknown to Hilton at the time of disclosure.

  • Vulnerabilities must be submitted to Hilton through the VDP.

  • Automated web scans of Hilton websites should be limited to a maximum of 100 requests/minute for each website.

  • Vulnerability reports must provide enough technical detail for the Hilton security team to reproduce the issue.

  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.

  • Only interact with accounts you own or with the explicit permission of the account holder.

  • All questions about the VDP program must be submitted to hilton-program @hackerone.com.

  • You must comply with all applicable laws.

  • This program is not applicable in any jurisdiction where such conduct is not permissible.

  • You may not participate in the program if you are a public sector employee unless you have obtained written permission from your ethics compliance officer.

  • You may not participate in the program if you are a current Hilton employee or were an employee of Hilton within the last six months.

  • Hilton may change the rules of the VDP at any time.

Safe Harbor

Any activities conducted in good faith and in a manner consistent with this policy will be considered authorized conduct and Hilton will not initiate legal action against the individual conducting those activities.

Hilton does not authorize any security research on other entities, and will not defend, indemnify, or protect you from any third party action.

Hilton will not deem your actions to violate Hilton’s Vulnerability Disclosure Program (VDP), for the limited purpose of conducting research under this program.

Thank you for helping keep Hilton and our customers safe!


This program crawled on the 2021-03-29 is sorted as bounty.

FireBounty © 2015-2024

Legal notices | Privacy policy