At Hyatt Hotels Corporation, our mission is to provide authentic hospitality
by making a difference in the lives of the people we touch every day. In
keeping with this mission, we respect fundamental human rights, as embodied in
the Universal Declaration of Human Rights.
Keeping Guests Safe
Hyatt takes the security of our guests and colleagues very seriously. By being
the first organization in the hospitality industry to embrace the
collaborative efforts of global security researchers, Hyatt hopes to continue
to raise its already high level of security standards as well as learn from
and collaborate with security researchers. If you have information about a
qualified security vulnerability that is within our predetermined scope, we
would love to hear from you!
In-scope vulnerabilities will be rewarded based on severity following
remediation. The Hyatt Bug Bounty program will only accept HackerOne
vulnerability reports containing original and validated vulnerabilities that a
potential attacker could use to compromise the confidentiality, integrity, and
or availability of the services in scope.
By participating in the Hyatt Bug Bounty program you agree to follow all of
the requirements below.
Hyatt Hotels looks forward to working with the security community to find
security vulnerabilities in order to keep our businesses and customers safe.
Hyatt Hotels will make a best effort to meet the following SLAs for hackers
participating in our program:
- Time to first response (from report submit) - 1 business days
- Time to triage (from report submit) - 1 business days
- Time to bounty (from triage) - Once vulnerability is remediated, bounty payout will occur
Critical = 30 days
High = 60 days
Medium = 90 days
Low = N/A
We’ll try to keep you informed about our progress throughout the process.
- Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
- Follow HackerOne's disclosure guidelines __.
Program Rules and Bounty Eligibility
Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.
Do not destroy or alter discovered data.
- Do not inappropriately store Hyatt information in public locations i.e., GitHub.
- Do not intentionally harm other guests as well as their experience.
Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated - to anyone other than Hyatt and HackerOne.
Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.
- Current Hyatt employees and contractors cannot participate in this program.
- You cannot participate in this program if you have been an employee or a contractor of Hyatt in the past six months.
Only submit vulnerability reports through the HackerOne platform.
A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced.
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- Limit automation/rate scraping to 100 requests per minute.
- Cancel all reservations created by test accounts.
Create World of Hyatt test accounts to these specifications:
- First name: (for multiple accounts - one, two, etc.).
- Last name: " Test ".
If you must create bookings for testing purposes, follow these rules:
- Test bookings should be made four months into the future at a minimum.
- All test bookings should be canceled as soon as possible.
- Do not book New York City or Chicago properties for testing purposes.
- If possible, add "HackerOne" to the comments of bookings.
Our rewards are based on severity per CVSS (the Common Vulnerability Scoring
Standard). Please note these are general guidelines, and that reward decisions
are up to the discretion of Hyatt Hotels.
- hyatt.com (no subdomain).
- www.hyatt.com __(no additional subdomains).
- world.hyatt.com (no additional subdomains).
- assets.hyatt.com (no additional subdomains).
- Hyatt Hotels Mobile Application (Android & iOS).
- Authentication bypass.
- Back-end system access via front-end systems.
- Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).
- Container escape.
- Discovery of Hyatt data on public cloud storage services.
- Highly creative means of automating account checking or rate scraping (e.g., botting).
- Highly creative means of discovering origin IP.
- Highly creative means of spoofing email messages.
- Publicly available cloud systems that may host Hyatt information.
- SQL Injection.
- Cross-Site Request Forgery.
- Exploitable Cross-Site Scripting.
- WAF bypass.
Out of Scope
- Any other Hyatt assets not specifically listed as in-scope.
- Hotel properties and their physical and networks infrastructure.
- Hyatt corporate information systems.
- Third-party companies that perform business transactions for Hyatt employees and contractors.
When reporting vulnerabilities, please consider (1) attack scenario /
exploitability, and (2) security impact of the bug. The following issues are
considered out of scope:
- Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.
- Attacks requiring physical access to a user’s device.
- Attacks requiring physical access to a Hyatt employee, contractor or guest device.
- Autocomplete on web forms.
- Clickjacking, unless an effective exploit can be demonstrated.
- Client browser vulnerabilities.
- Denial of Service attacks on Hyatt infrastructure.
- Limited content reflection or content spoofing.
- Missing best practices.
- Password and account recovery policies.
- Password policies, i.e., complexity.
- Phishing or spear phishing attacks.
- Rate-limiting issues.
- Reports originating from automated tools or scanners (e.g., Burp, Acunetix, WebInspect).
- Social engineering attacks.
- Software version disclosure.
- SSL / TLS best practices.
- Vulnerabilities that cannot be reproduced.
- Clickjacking on pages with no sensitive actions.
- Unauthenticated/logout/login CSRF.
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
SQL Injection Policy
Any activities conducted in a manner consistent with this policy will be
considered authorized conduct and we will not initiate legal action against
you. If legal action is initiated by a third party against you in connection
with activities conducted under this policy, we will take steps to make it
known that your actions were conducted in compliance with this policy.
Thank you for helping keep Hyatt Hotels and our users safe!