TUI Vulnerability Disclosure Policy The security of our customers’ data, the integrity and protection of our confidential information and our business and the reliability of our systems and platforms, are of utmost importance to the TUI Group (referred to here as “us”, “our” or “we”). Therefore, we aim to design and build our systems and platforms with the highest levels of security and reliability. Despite our best efforts, due to the highly complex and sophisticated nature of our systems and platforms, vulnerabilities and errors may still be present .

We highly appreciate your efforts in identifying any vulnerability or error. Reporting such vulnerabilities and errors will help us improve the security and reliability of our systems and platforms.

This policy describes our approach to requesting and receiving reports related to potential vulnerabilities and errors in our systems and platforms from those that interact with such systems and platforms.

We encourage customers, users, researchers, partners and any other person that interacts with our systems and platforms (referred to here as “you”) to report identified vulnerabilities and errors with such systems and platforms to us.

Our preferred method for contacting us regarding such vulnerabilities and errors is by using the form present on this page.

Please note that supplying your contact information with your report is entirely voluntary. We will make use of all reports that are submitted, both those submitted anonymously and those with contact information. If you do submit your contact information, we will only use such information to get in touch with you regarding clarifying the details of your report, if that is necessary. We do not guarantee that you will receive any response related to your report. 

By making a report to us regarding any vulnerabilities or errors, you agree we may use your report for any purpose deemed relevant by us.

We will not seek prosecution of any security researcher who reports any security vulnerability on a TUI website, application, or service where the researcher has acted in good faith and in accordance with this disclosure policy

Please also confirm to us that you:

• Have not exploited or used in any manner, and will not exploit or use in any manner (other than for the purposes of reporting to us), the discovered vulnerabilities and/or errors;
• Have not used, misused, deleted, altered or destroyed, and will not use, misuse, delete, alter or destroy, any data that you may have accessed or may be able to access;
• Have not conducted, and will not conduct, social engineering, spamming, phishing, denial-of-service or resource-exhaustion attacks;
• Have not tested, and will not test, the physical security of any property or building of ours;
• Have not breached, and will not breach, any applicable laws in connection with your investigation or report.
• Agree not to disclose to any third party any information related to your report, the vulnerabilities and/or errors reported, nor the fact that a vulnerabilities and/or errors has been reported to us.
• Agree that you are making your report without any expectation of reward or other benefit for making such report.

If you make a report thank you for your assistance.