Welcome to Skyscanner's Bug Bounty program

Keeping traveller's information safe and secure is a top priority for Skyscanner. We welcome the contribution of security researchers and look forward to rewarding them for their invaluable contribution to the security of all Skyscanner travellers.

We invite researchers to test the Skyscanner website and mobile apps in line with the principles set out in this brief.

Guidelines

We request thorough proof-of-concept/replication of the bug, including videos, images, and a description of the business impact. These will all factor into our bounty decision-making process.

To promote the discovery and reporting of vulnerabilities we ask that you:

• share the security issue with us in detail
• act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including Denial of Service)
• comply with all applicable laws
• understand that all valid reports will be taken seriously by our engineering teams

Expectations

We expect researchers to follow the program rules:

Researchers must:

• add the following header to all HTTP requests: Skyscanner-Security: Bugcrowd
• use your username@bugcrowdninja.com email address for accounts
• not access or modify our, or travellers' data, without explicit prior permission of the owner. Only interact with your own accounts or provided test accounts for security research purposes
• contact us immediately if you inadvertently encounter traveller data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Skyscanner
• perform testing and research only within the areas that are in scope
• follow the Bugcrowd Coordinated Disclosure rules

In addition, we count the following activities as strictly prohibited, and thus not rewardable. These are in addition to the Bugcrowd Vulnerability Rating Taxonomy:

• Social Engineering attacks
• DDoS
• Excessive use of automated vulnerability / scanning tools
  • Please do not spam forms or account creation flows using automated scanners
  • We have a number of rate limits in place that may result in your IP address being blocked if you use such tools
• Any testing of corporate email (*@skyscanner.net)

We will offer monetary rewards for the first submitted report of a vulnerability.

Public disclosure of the vulnerability prior to resolution may cancel a pending reward. We reserve the right to disqualify individuals from the program for disrespectful or disruptive behaviour.

We will not negotiate in response to duress or threats (e.g. we will not negotiate the payout amount under threat of withholding the vulnerability, or of releasing the vulnerability or any exposed data to the public).

We reserve the right to deduct a 10% penalty on valid and accepted submissions that do not follow the guidelines mentioned above. Following the guidelines will help us triage the vulnerability more effectively from our side, which should result in faster processing of the submission

We are under no obligation to pay out for any bugs that are not submitted in accordance with this policy or any of the Bugcrowd policies.

We reserve the right to withdraw this scheme at any time and shall have no obligation to pay out for any bugs submitted after closure of the scheme.

Rating & Reward Information:

For the initial prioritization/rating of findings, this program uses the Bugcrowd Vulnerability Rating Taxonomy. However, please note that in some cases, the priority rating will be altered due to reflect the likelihood or impact of an exploit. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

We will award greater bounties for all valid submissions contained in our Focus Areas (see Target Information).

*The highest rewards will be reserved for submissions deemed to have high business criticality.

Other:

• Vulnerabilities found in multiple fields in the same form or using the same CSRF token will be counted as a single vulnerability. Subsequent submissions will be marked as Not Applicable. Please detail all affected fields in a single submission.
• Vulnerabilities that can be exploited with similar payloads on the same path are only eligible for a single reward. Subsequent submissions will be marked Not Applicable.

Safe Harbor compliance

When conducting vulnerability research according to this policy, we consider this research to be:

• Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
• Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
• Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
• Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.