Welcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.

We ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or access other user’s data.

Upon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.

This program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.

Certain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.

Table of Contents

• Program Scope

  • Highest Impact Scope

  • Lower Impact Scope

• Special Testing Requirements

  • Luckey Testing Requirements

  • HotelTonight Testing Requirements

  • Urbandoor Testing Requirements

• Program Rules

• Out of Scope Vulnerabilities (no reward)

  • Applicable to HotelTonight

  • Applicable to Luckey Homes

• Eligibility

• Rewards

• Other Information

Program Scope

Highest Impact Scope

• *.airbnb.com

• All localized airbnb sites (e.g., es.airbnb.com, it.airbnb.com)

• Airbnb iOS app

• Airbnb Android app

Lower Impact Scope

These properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. The bounties given for reports on these properties will therefore be significantly lower.

• *.atairbnb.com

• *.withairbnb.com

• *.airbnbcitizen.com

• *.airbnb.org

• *.byairbnb.com

• *.muscache.com

• *.airbnb-aws.com

• *.luxuryretreats.com

• *.airbnbopen.com

• demo.urbandoor.com

• provider.demo.urbandoor.com

• admin.demo.urbandoor.com

• luckey.in

• luckey.fr

• luckey.es

• luckey.ca

• luckey.app

• luckey.com

• luckey.partners

• hoteltonight-test.com

• api.hoteltonight-test.com

• places.hoteltonight-test.com

Special Testing Instructions

Luckey Testing Requirements

Hackerone testers can only browse the public login pages. We do not provide or approve Luckey Homes test accounts.

If you create a lead (contact form, signup, “estimate income modal = POST on /new_lead), please pass an additional parameter source with value luckey_test” This is executed at the end of the lead creation form on luckey.*.

• If you post directly on the API endpoints, then add source=luckey_test in your POST payload

• Or browse to https://luckey.fr/?utm_source=luckey_test to automatically add source=luckey_test to your post payloads.

• If you skip this Testing Requirement, then you will be in violation of our program rules, and not eligible for bounty reward.

The above steps do not result in a test account. They simply allow you to test some functionality without causing disruption to our internal business support team.

HotelTonight Testing Requirements

Researchers can create customer accounts and book hotel rooms (test bookings) using a fake credit card on our staging environment, which doesn’t send out any emails notifications (activation or confirmation) to customers.

Hotel Tonight Mobile Web App

• Accessible from https://www.hoteltonight-test.com (if using a desktop browser, note that you will need to use a mobile user-agent or Chrome developer tools to view the mobile site)

Hotel Tonight Mobile APIs

Mobile APIs that power our mobile apps are located at:

• api.hoteltonight-test.com

• places.hoteltonight-test.com

Hotel Tonight Cities and Inventory

On our staging environment, you should search for following cities to look for hotels:

• San Francisco

• Las Vegas

• New York City

Hotel Tonight Access

You can create customer accounts using your emails (no activation emails will be sent), and use the following credit card for test booking a hotel room: - 4111111111111111 (Visa) with any expiration date in the future. Additional test payment methods available at https://developers.braintreepayments.com/reference/general/testing/ruby#credit-card-numbers (use only American Express, Discover, JCB, Mastercard, or Visa). All test bookings are not real bookings. We also suppress all emails for test bookings, so no email receipts will be sent to whatever email address is entered.

Hotel Tonight Credentials

Researchers will need to self-provision the customer accounts by signing up using their email on our mobile web app. You will not get any activation email from our staging environment.

Urbandoor Testing Requirements

Do NOT create requests and bookings at www.urbandoor.com or other urbandoor environments. We no longer approve or provide test accounts, requests or bookings in any urbandoor environment. You may browse our demo environments for vulnerabilities, but we no longer have a test account creation workflow.

Program Rules

• Do not mass create accounts to perform testing against Airbnb applications and services.

• Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.

• Social engineering (e.g. phishing, vishing, smishing) is prohibited.

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.

• Only interact with accounts you own or with explicit permission of the account holder.

• Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through Hackerone. The Airbnb InfoSec team will review your request and notify you if any further action is taken.

• Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.

• No testing on real user data permitted for any Urbandoor, Hotel Tonight, or Gaest assets.

Out of Scope Vulnerabilities

When reporting vulnerabilities, please consider the attack scenario, exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:

• Denial of service attacks

• Phishing attacks

• Social engineering attacks

• Reflected file download

• Software version disclosure

• Issues requiring direct physical access

• Issues requiring exceedingly unlikely user interaction

• Flaws affecting out-of-date browsers and plugins

• Publicly accessible login panels

• CSV injection

• Email enumeration / account oracles

• CSP Weaknesses

• Email Spoofing

• Content redaction bypasses where the redacted content is replaced by the string (Hidden by Airbnb) (other content redaction vulnerabilities are in scope)

• Techniques allowing you to view user profile photos (these are considered public)

• Broken links or unclaimed social media accounts (unless chained with an impactful exploit)

Applicable to HotelTonight

• hoteltonight.com

• hoteltonight.build

• Our partners site (partners.hoteltonight.com)

• iOS mobile app

• Single Sign On (Google or Facebook). This doesn’t work reliably on our staging environment

• Do not send questions/requests to their customer support team for help with your testing. This is considered an interruption to the business.

Applicable to Luckey Homes

• Do not send questions/requests to their customer support team. This is considered an interruption to the business. You must also follow Airbnb's General Program Rules (listed above).

Eligibility

Airbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.

To qualify for a reward under this program, you should:

• Be the first to report a vulnerability.

• Send a clear textual description of the report along with steps to reproduce the vulnerability.

• Include attachments such as screenshots or proof of concept code as necessary.

• Disclose the vulnerability report directly and exclusively to us.

A good bug report should include the following information at a minimum:

• List the affected endpoints, URL(s), and any additional parameters

• Directions so we can reproduce the finding to verify the vulnerability

• Full written details of the finding

Rewards

Our maximum bounty is $15,000 USD.

Reward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. The following table outlines the average rewards for specific classes of vulnerabilities:

|Vulnerability Type|Average Bounty for high-priority asset|Average Bounty for lower-priority asset|

|-------------------|-----------------|-----------------|

| Remote Code Execution (RCE) | $15,000 | $5,000 |

| SQL Injection | $10,000 | $3,000 |

| Significant Authentication Bypass | $5,000 | $1,500 |

| Server Side Request Forgery (SSRF) | $3,500 | $1,000 |

| Local file Inclusion | $2,500 | $750 |

| Stored Cross Site Scripting | $3,500 | $500 |

| Reflected/Other Cross Site Scripting | $2,500 | $500 |

| Sensitive Data Exposure| $1,500 | $500 |

| Authorization Flaw | $1,500 | $500 |

| Cross-Site Request Forgery (CSRF) | $1,500| $500 |

| Open Redirect on Sensitive Parameter | $1,500 | $500 |

| Improper Direct Object Reference (IDOR) | $1,500 | $300 |

| Open Redirect | $500 | $150 |

Please remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data. Assets listed as "low-priority" in the program scope will generally receive a significantly lower bounty compared to the values on the table above.

Other Information

• Researchers who have our thanks

• Past versions of this policy