7943 policies in database
Link to program      
2020-09-10
TTN Program logo
Thank
Gift
HOF
Reward

Reward

50 HKN 

TTN Program

Tickets Travel Network is one of the most distinctive and expansive travel distribution companies in the EMEA region. As a smart travel provider, we offer our customers wide range of products: flights, train and bus journeys, hotels, citybreaks, car rental, and other travel- and leisure-related services.

__Scope

In Scope

Target | Type | Severity | Reward
---|---|---|---

tickets.ua/ru/kz

| Web | Critical | Bounty

avia.tickets.ua/ru

| Web | Critical | Bounty

gd.tickets.ua/ru

| Web | Critical | Bounty

tickets.kz/gd

| Web | Critical | Bounty

bus.tickets.ua/ru

| Web | Critical | Bounty

hotels.tickets.ua/ru

| Web | Critical | Bounty

transfer.tickets.ua/ru

| Web | Critical | Bounty

car.tickets.ua/ru

| Web | Critical | Bounty

insurance.tickets.ua/ru

| Web | Critical | Bounty

my.tickets.ua/ru

| Web | Critical | Bounty

travel.tickets.ua

| Web | Critical | Bounty

railway.tickets.ua

| Web | Critical | Bounty

events.tickets.ua

| Web | Critical | Bounty

aeroexpress.tickets.ru

| Web | Critical | Bounty

tickets.kz/transfer

| Web | Critical | Bounty

tickets.kz/my

| Web | Critical | Bounty

tickets.kz/avia

| Web | Critical | Bounty

fatpayments.net

| Web | Critical | Bounty

__Rewards

Severity (CVSSv3) | Reward
---|---
Critical | 1000$
High | 600$
Medium | 300$
Low | 50$

__Focus Area

Testing Details

  • Authenticated testing is limited to the credentials you can self-provision or utilize any existing accounts you own - no supplemental credentials or access will be provided for testing.
  • Please use ?refid=123456 during the testing
  • For any booking select a date approximately 6 months in advance.
  • Be sure to use valid data and email addresses, excluding emails that contain “test” anywhere. it can be resulting in the account block
  • Be sure to cancel the booking immediately
  • For payments, you can use any valid credit card
  • Vulnerabilities found in out of scope resources are unlikely to be rewarded unless they present a serious business risk (at our sole discretion)
  • Please include remediation advice where possible

In Scope

  • Issues that result in a full compromise of a system
  • Business logic issues connected with booking flow resulting in a significant impact
  • Privilege escalation issues
  • Authentication bypass
  • Sensitive data exposure

Out Of Scope

  • Vulnerabilities in third-party applications
  • Best practices concerns
  • Recently (less than 30 days) disclosed 0day vulnerabilities
  • Vulnerabilities affecting users of outdated browsers or platforms
  • Social engineering, phishing, physical, or other fraud activities
  • Publicly accessible login panels without proof of exploitation
  • Reports that state that software is out of date/vulnerable without a proof of concept
  • Vulnerabilities involving active content such as web browser add-ons
  • Most brute-forcing issues
  • Denial of service
  • Theoretical issues
  • Spam
  • Missing HTTP security headers
  • Infrastructure vulnerabilities, including:
    • Certificates/TLS/SSL related issues
    • DNS issues (i.e. MX records, SPF records, etc.)
    • Server configuration issues (i.e., open ports, TLS, etc.)
  • Open redirects
  • Session fixation
  • User account enumeration
  • Clickjacking/Tapjacking and issues only exploitable through clickjacking/tap jacking
  • Descriptive error messages (e.g. Stack Traces, application or server errors)
  • Self-XSS that cannot be used to exploit other users
  • Login & Logout CSRF
  • CSRF in forms that are available to anonymous users (e.g. the contact form)
  • OPTIONS/TRACE HTTP method enabled
  • Host header issues without proof-of-concept demonstrating the vulnerability
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Content Spoofing without embedded links/HTML
  • Reflected File Download (RFD)

__Program Rules

  • ! Avoid using web application scanners for automatic vulnerability searching which generates massive traffic
  • Make every effort not to damage or restrict the availability of products, services or infrastructure
  • Avoid compromising any personal data, interruption or degradation of any service
  • Don’t access or modify other user data, localize all tests to your accounts
  • Perform testing only within the scope
  • Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks or spam
  • Don’t spam forms or account creation flows using automated scanners
  • In case you find chain vulnerabilities we’ll pay only for vulnerability with the highest severity.
  • Vulnerabilities found in any other regional domain with the same codebase will be considered the same vulnerability
  • Only the first valid bug is eligible for the reward
  • Don’t break any law and stay in the defined scope
  • The rewards will be paid out in HKN based on the current price
  • Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission

In Scope

Scope Type Scope Name
web_application

tickets.ua/ru/kz

web_application

avia.tickets.ua/ru

web_application

gd.tickets.ua/ru

web_application

tickets.kz/gd

web_application

bus.tickets.ua/ru

web_application

hotels.tickets.ua/ru

web_application

transfer.tickets.ua/ru

web_application

car.tickets.ua/ru

web_application

insurance.tickets.ua/ru

web_application

my.tickets.ua/ru

web_application

travel.tickets.ua

web_application

railway.tickets.ua

web_application

events.tickets.ua

web_application

aeroexpress.tickets.ru

web_application

tickets.kz/transfer

web_application

tickets.kz/my

web_application

tickets.kz/avia

web_application

fatpayments.net


Firebounty have crawled on 2020-09-10 the program TTN Program on the platform Hackenproof.

FireBounty © 2015-2020

Legal notices