2022-04-19
KAYAK

KAYAK is committed to working with security experts across the world to stay up to date with the latest security techniques. If you have discovered a security issue that you believe we should know about, we'd welcome working with you.

Scope

Scope is outlined in the structured scope section. Please do not submit the same report for multiple domains. Only one report will be accepted.

Eligible Vulnerabilities

  • You must be the first person to report a vulnerability.

  • Please share with us the full details of any problem you find.

  • The vulnerability must be on an in-scope site or application.

  • Qualification of vulnerabilities is at the sole discretion of the KAYAK security team.

  • The vulnerability must be reproducible on a reasonably recent version of the corresponding client (e.g., at least Microsoft Edge, Chrome 100, Firefox 99, Safari 15).

  • Vulnerabilities raised on the Android or iOS apps must be against the latest app store versions.

Non-Qualifying Vulnerabilities and Exclusions

  • Denial of service, distributed denial of service, or other availability attacks.

  • Any techniques related to web scraping.

  • Brute force attacks against passwords, hash secrets, etc.

  • Physical attacks against any KAYAK office or data center.

  • Social engineering, for example phishing or calling, of any KAYAK employee, contractor or agent.

  • One of the following issues without a proof-of-concept that successfully exploits the issue:

      • SSL configuration

      • HTTP response headers including cookie configuration

      • Logout CSRF and CSRF on endpoints that do not change user state; MITM attacks against a user's CSRF token

  • Issues with any site or application not explicitly listed as in-scope.

  • Problems found in our iOS apps before v183 and Android apps before v152.

  • Issues introduced by third-party components that have not been fixed by the vendor yet. This also includes vulnerabilities introduced by content served through one of our ad networks.

  • Third-party content served over HTTP when KAYAK is accessed over HTTPS, particularly content from ad networks, over which we have no direct control.

  • Clickjacking (except rare, highly sensitive cases).

  • Attacks that require a mobile phone or tablet to be "rooted". Attacks that assume that a user intentionally or unintentionally disabled standard OS security features.

  • Absence of SPF, DKIM, DMARC or domain lock records.

  • DNSSEC-related reports.

  • Lack of "best practices" that do not constitute a vulnerability that can be leveraged (please send a PoC).

  • Missing or not obviously visible rate limiting. Please do not test our endpoints for this, as it generates noise that we usually pick up and act on.

  • Vulnerabilities in third-party software and systems that we use. We are patching components on a regular basis according to our risk assessments.

  • Vulnerable domain/DNS configurations are only in scope as long as they involve our core assets as listed in this program. For example, a domain takeover of some-service.kayak.com is a valid finding, while a domain takeover of any other domain owned by us but not part of our core assets is not.

  • We cannot reward or do business with any individual on any U.S. sanctions list or any individual residing in any country on any U.S. sanctions list. This includes residents of Cuba, Sudan, North Korea, Iran, Syria or Russia.

  • Severity level is at the sole discretion of the KAYAK security team.

Rules of Engagement

  • Use a custom HTTP header and mention it in your report. For example, a header that includes your username: X-Bug-Bounty: HackerOne-your-username.

  • When making an account or reservation, please use your HackerOne email alias (e.g., username@wearehackerone.com) so that we can properly identify you.

  • Do not compromise any customer accounts or data. Never attempt to view, modify, or damage data belonging to others. If you need to test a vulnerability, create an account.

  • Do not use automated tools that could generate significant traffic and possibly impair the functioning of our services.

  • Do not discuss or post details of your vulnerability outside of the HackerOne platform before it has been approved for disclosure.

  • Do not attempt denial-of-service attacks. Keep your automated scanning to 10 requests per second or less.

  • Please communicate with our security team via HackerOne.

  • We may change the terms of this program at any time.

For any bugs pertaining to Information Disclosure, please do not capture and retain any personally identifiable or sensitive personal information (PII) during the course of your research. If you inadvertently view or change any PII not related to your own account, please stop testing immediately and submit a report with reproduction steps so that our team can evaluate the potential business impact of any exposed PII.

When possible, please employ methods that confirm elevated access without exposing PII, for example:

  • Screenshots of navigation bar options or pages without PII that weren't originally viewable.

  • Improper access to another account you yourself control.

  • (In the case of gaining access to a company server) access to common default files present on any server.

Attributes of a Good Report and Bug Bounty Rewards

  • Please provide a detailed report with precise explanations. Please include screenshots, proof-of-concept code, and steps to reproduce.

  • Bug bounty rewards are solely at KAYAK's discretion, based on the severity and creativity of the bug.

  • You must adhere to HackerOne's Disclosure Guidelines and everything outlined in this policy.

We are committed to ensuring the privacy and safety of our users. If you think that you have discovered a security vulnerability on our website or within our mobile apps, we appreciate your help in disclosing the issue to us. Please do this responsibly by giving us the opportunity to investigate and fix the vulnerability in a timely fashion before publicly disclosing it. Security vulnerability reports will be treated as high priority. We will validate and fix vulnerabilities in accordance with our commitment to security and privacy.

In Scope

  Scope Type           Scope Name
  android_application  com.kayak.android
  ios_application      com.kayak.travel
  web_application      www.kayak.com
  web_application      www.swoodoo.com
  web_application      www.checkfelix.com
  web_application      www.momondo.com
  web_application      www.cheapflights.com
  web_application      www.hotelscombined.com
  web_application      www.mundi.com.br
  web_application      business.kayak.com

Out of Scope

  Scope Type           Scope Name
  web_application      klassereise.checkfelix.com
  web_application      kayak.com/hotelowner/*
  web_application      kayak.com/moira/ehoe/*
  web_application      kayak.com/guides/*

This policy was crawled by Onyphe on 2022-04-19 and is categorized as bounty.
