Tickets Travel Network is one of the most distinctive and expansive travel distribution companies in the EMEA region. As a smart travel provider, we offer our customers wide range of products: flights, train and bus journeys, hotels, citybreaks, car rental, and other travel- and leisure-related services.

Scope

In Scope

Focus Area

Testing Details

• Authenticated testing is limited to the credentials you can self-provision or utilize any existing accounts you own - no supplemental credentials or access will be provided for testing.
• Please use ?refid=123456 during the testing
• For any booking select a date approximately 6 months in advance.
• Be sure to use valid data and email addresses, excluding emails that contain “test” anywhere. it can be resulting in the account block
• Be sure to cancel the booking immediately
• For payments, you can use any valid credit card
• Vulnerabilities found in out of scope resources are unlikely to be rewarded unless they present a serious business risk (at our sole discretion)
• Please include remediation advice where possible

In Scope

• Issues that result in a full compromise of a system
• Business logic issues connected with booking flow resulting in a significant impact
• Privilege escalation issues
• Authentication bypass
• Sensitive data exposure

Out Of Scope

• Vulnerabilities in third-party applications
• Best practices concerns
• Recently (less than 30 days) disclosed 0day vulnerabilities
• Vulnerabilities affecting users of outdated browsers or platforms
• Social engineering, phishing, physical, or other fraud activities
• Publicly accessible login panels without proof of exploitation
• Reports that state that software is out of date/vulnerable without a proof of concept
• Vulnerabilities involving active content such as web browser add-ons
• Most brute-forcing issues
• Denial of service
• Theoretical issues
• Spam
• Missing HTTP security headers
• Infrastructure vulnerabilities, including:
  • Certificates/TLS/SSL related issues
  • DNS issues (i.e. MX records, SPF records, etc.)
  • Server configuration issues (i.e., open ports, TLS, etc.)
• Open redirects
• Session fixation
• User account enumeration
• Clickjacking/Tapjacking and issues only exploitable through clickjacking/tap jacking
• Descriptive error messages (e.g. Stack Traces, application or server errors)
• Self-XSS that cannot be used to exploit other users
• Login & Logout CSRF
• CSRF in forms that are available to anonymous users (e.g. the contact form)
• OPTIONS/TRACE HTTP method enabled
• Host header issues without proof-of-concept demonstrating the vulnerability
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
• Content Spoofing without embedded links/HTML
• Reflected File Download (RFD)

Program Rules

• ! Avoid using web application scanners for automatic vulnerability searching which generates massive traffic
• Make every effort not to damage or restrict the availability of products, services or infrastructure
• Avoid compromising any personal data, interruption or degradation of any service
• Don’t access or modify other user data, localize all tests to your accounts
• Perform testing only within the scope
• Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks or spam
• Don’t spam forms or account creation flows using automated scanners
• In case you find chain vulnerabilities we’ll pay only for vulnerability with the highest severity.
• Vulnerabilities found in any other regional domain with the same codebase will be considered the same vulnerability
• Only the first valid bug is eligible for the reward
• Don’t break any law and stay in the defined scope
• The rewards will be paid out in HKN based on the current price
• Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission