Keeping travellers' information safe and secure is a top priority and a core company value for us at Skyscanner. We welcome the contribution of external security researchers and look forward to rewarding them for their invaluable contribution to the security of all Skyscanner travellers.
For the past few years, we've run a successful private Bug Bounty program, and are excited to announce that we are now extending this to a public program, to further strengthen our security posture, improve our services, and most importantly, to keep our travellers safe when using Skyscanner.
We invite researchers to test the Skyscanner website and mobile apps in line with the process and principles set out in this brief.
We encourage thorough proof-of-concept/replication of the bug, including videos, images, and a description of the business impact. These will all factor into our bounty decision-making process.
To promote the discovery and reporting of vulnerabilities, we ask that you:
We will only reward the first report of a vulnerability. Public disclosure of the vulnerability prior to resolution may cancel a pending reward. We reserve the right to disqualify individuals from the program for disrespectful or disruptive behaviour.
We will not negotiate in response to duress or threats (e.g. we will not negotiate the payout amount under threat of withholding the vulnerability, or of releasing the vulnerability or any exposed data to the public).
We expect researchers to follow the program rules:
Researchers must:
firstname.lastname@example.org address for accounts
In addition, we count the following activities as strictly prohibited, and thus not rewardable. These are in addition to the Bugcrowd Vulnerability Rating Taxonomy:
We are under no obligation to pay out for any bugs that are not submitted in accordance with this policy or any of the Bugcrowd policies. We reserve the right to withdraw this scheme at any time and shall have no obligation to pay out for any bugs submitted after closure of the scheme. We reserve the right to deduct a 10% penalty on valid and accepted submissions that do not follow the guidelines mentioned above. Following the guidelines will help us triage the vulnerability more effectively from our side, which should result in faster processing of the submission.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.
We will award higher bounties for all valid submissions contained in our Focus Areas.
Priority | Reward | Focus Area
--- | --- | ---
P1 | $1500 | $2000
P2 | $900 | $1200
P3 | $300 | $400
P4 | $100 | $150
Not Applicable. Please detail all affected fields in a single submission.
Not Applicable. Once we have implemented a fix we may ask you to re-test the vulnerability with similar payloads. We very much appreciate the work of the security community as we strive to provide our customers with the very safest products.
Target name | Type
--- | ---
skyscanner.net/* | Website
gateway.skyscanner.net/* | API
Skyscanner iOS App | iOS
Skyscanner Android App | Android
partnerportal.skyscanner.net/* | Website
Target name | Type
--- | ---
Corporate Email (*@skyscanner.net) | Other
Subdomains (*.skyscanner.net/*) | Website
Below is a summary of all the targets we will consider submissions for. Please read this section thoroughly for more information on each target, as well as our main Focus Areas.
skyscanner.fr/*) will be considered the same vulnerability
*.skyscanner.net/*) are Out of Scope unless otherwise specified
Vulnerabilities found in third party products are unlikely to be rewarded unless they are unique to our configuration or present a serious business risk (at our discretion).
The Direct Booking flow cannot be reached directly through the above URL. Instead, follow these steps for web and mobile:
London Heathrow (LHR).
Airlines filter, uncheck every option besides
Select on any flight. On mobile, tap on the flight, then press
The following issues are outside the scope of our rewards program:
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
Contact us if you want more information.