Hyatt Hotels

At Hyatt Hotels Corporation, our mission is to provide authentic hospitality by making a difference in the lives of the people we touch every day. In keeping with this mission, we respect fundamental human rights, as embodied in the Universal Declaration of Human Rights.

Keeping Guests Safe

Hyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, Hyatt hopes to continue to raise its already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you!

In-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and/or availability of the services in scope.

By participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.

Hyatt Hotels looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.


Hyatt Hotels will make a best effort to meet the following SLAs for hackers participating in our program:

  • Time to first response (from report submit) - 1 business day
  • Time to triage (from report submit) - 1 business day
  • Time to bounty (from triage) - Once vulnerability is remediated, bounty payout will occur

Critical = 30 days
High = 60 days
Medium = 90 days
Low = N/A

We’ll try to keep you informed about our progress throughout the process.
Due to COVID-19, remediation may take longer than expected.

Disclosure Policy

  • Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
  • Follow HackerOne's disclosure guidelines.

Program Rules and Bounty Eligibility

  • Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.

  • Do not destroy or alter discovered data.

  • Do not inappropriately store Hyatt information in public locations i.e., GitHub.
  • Do not intentionally harm other guests as well as their experience.
  • Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated - to anyone other than Hyatt and HackerOne.

  • Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.

  • Current Hyatt employees and contractors cannot participate in this program.
  • You cannot participate in this program if you have been an employee or a contractor of Hyatt in the past six months.
  • Only submit vulnerability reports through the HackerOne platform.

  • A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced.

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
  • Limit automation/rate scraping to 100 requests per minute.
  • Cancel all reservations created by test accounts.

Submission Requirements

Testing Requirements

Test Accounts

Create World of Hyatt test accounts to these specifications:

  • First name: (for multiple accounts - one, two, etc.).
  • Last name: "Test".

Reservation Requirements

If you must create bookings for testing purposes, follow these rules:

  • Test bookings should be made four months into the future at a minimum.
  • All test bookings should be canceled as soon as possible.
  • Do not book New York City or Chicago properties for testing purposes.
  • If possible, add "HackerOne" to the comments of bookings.


Our rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt Hotels.

In Scope


  • (no additional subdomains unless explicitly mentioned).
  • (no additional subdomains).
  • (no additional subdomains).
  • (no additional subdomains).
  • (no additional subdomains).
  • Hyatt Hotels Mobile Application (Android & iOS).
  • New payment page (details within the Scope section below).


  • Authentication bypass.
  • Back-end system access via front-end systems.
  • Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).
  • Container escape.
  • Discovery of Hyatt data on public cloud storage services.
  • Highly creative means of automating account checking or rate scraping (e.g., botting).
  • Highly creative means of discovering origin IP.
  • Highly creative means of spoofing email messages.
  • Publicly available cloud systems that may host Hyatt information.
  • SQL Injection.
  • Cross-Site Request Forgery.
  • Exploitable Cross-Site Scripting.
  • WAF bypass.

Out of Scope


  • Any other Hyatt assets not specifically listed as in-scope.
  • Hotel properties and their physical and network infrastructure.
  • Hyatt corporate information systems.
  • Third-party companies that perform business transactions for Hyatt employees and contractors.


When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

  • Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.
  • Attacks requiring physical access to a user’s device.
  • Attacks requiring physical access to a Hyatt employee, contractor or guest device.
  • Autocomplete on web forms.
  • Clickjacking, unless an effective exploit can be demonstrated.
  • Client browser vulnerabilities.
  • Denial of Service attacks on Hyatt infrastructure.
  • Limited content reflection or content spoofing.
  • Missing best practices.
  • Password and account recovery policies.
  • Password policies, i.e., complexity.
  • Phishing or spear phishing attacks.
  • Rate-limiting issues on endpoints that do not disclose PII or other relevant information.
  • Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).
  • Self-exploitation.
  • Social engineering attacks.
  • Software version disclosure.
  • SSL / TLS best practices.
  • Vulnerabilities that cannot be reproduced.
  • Clickjacking on pages with no sensitive actions.
  • Unauthenticated/logout/login CSRF.
  • Attacks requiring MITM or physical access to a user's device.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Any activity that could lead to the disruption of our service (DoS).
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.

SQL Injection Policy

  • Do not alter any data.
  • Do not change or interrupt server or database functionality.
  • Do not destroy any data.
  • Do not read or save sensitive data belonging to guests other than yourself.
  • Blindly counting rows and columns of databases is permissible.

  • Generating outbound DNS requests is permissible.

  • Listing database names and columns is permissible.
  • Logic responses are permissible.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Hyatt Hotels and our guests safe!


This program was found on HackerOne on 2019-01-10.
