Welcome to Priceline’s Bug Bounty Program

Priceline is committed to working with security experts across the globe to stay up to date with the latest security techniques. If you have discovered a security issue that you believe we should know about, we’d welcome working with you. Please let us know about it and we’ll make every effort to quickly correct the issue.

Rules of Engagement

Program Rules

While we want our hackers to perform at their best, we also want to ensure that there is minimal disruption to our business. As research is being performed, please ensure the following:

  • Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. You must adhere to HackerOne’s Disclosure Guidelines and everything outlined in this policy.
  • We cannot reward or do business with any individual on any U.S. sanctions list or any individual residing in any country on any U.S. sanctions list. This includes residents of Cuba, Sudan, North Korea, Iran or Syria.
  • Severity level is at the sole discretion of the Priceline security team.
  • Please check our Scope. Keep in mind that reports associated with other subdomains/domains will be closed with no award.

Testing Rules

  • Do not attempt to access private customer information
  • Never attempt to view, modify, or damage data belonging to others. If you need to test a vulnerability, create an account
  • Do not attempt to affect our availability (denial of service, spam)
  • Do not attempt to affect a product (hotel, flights, rental cars) availability by making unintended reservations
  • Do not send reports from automated tools without verifying a working PoC
  • Do not create bookings for testing purposes
  • Please avoid submitting multiple reservations!
  • If you submit a reservation, please make sure you cancel it.
  • Please provide your IP address in the bug report.
  • Where possible, also use a custom HTTP header and mention it in your report. For example, a header that includes your username: X-Bug-Bounty: HackerOne-your-username
  • When making an account or reservation, please use your HackerOne email alias so that we can properly identify you.

Response Targets

Priceline will make a best effort to meet the following response targets for hackers participating in our program:

  • Time to first response (from report submit) - 2 business days
  • Time to triage (from report submit) - 2 business days
  • Time to bounty (from triage) - 1 business day (max 2 weeks)
  • Time to resolution - 30 days

All times indicated are business days.

Non-Qualifying Vulnerabilities and Exclusions:

  • Session token in url. We know about the session token in the URL in some legacy portions of the site.
  • XSS that isn't exploitable by an attacker via the following inputs: HTTP headers such as “Referer” or “User-Agent”, cookies, etc.
  • Server name and version disclosure
  • Loading mixed content
  • Missing http security headers
  • Missing cookie flags on non-sensitive cookies
  • Weak Password Policy
  • Clickjacking
  • Denial of service, distributed denial of service, or other availability attacks
  • Physical attacks against any Priceline office or data center
  • Email notification for user profile changes
  • Social engineering, for example phishing or calling, of any Priceline employee, contractor or agent
  • Issues with any site or application not explicitly listed as in-scope
  • Please don’t send us vulnerability scanner output. If it’s a real bug, you must provide steps to reproduce and/or a proof of concept. Any automated reports submitted will be closed without being triaged.
  • Content Spoofing due to error pages or text injection
  • Rate limiting issues
  • Information disclosure through referer header (reset password token)
  • Vulnerable version of libraries (for example ‘jquery’) without demonstrable attack vector
  • Vulnerabilities associated to /pws/v0/customer API
  • Browser XSS protection not enabled
  • Email/user Enumeration (we will close them as informative)
  • client.js javascript file

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

In Scope

Scope Type | Scope Name
(the crawl flattened this table; the rows' notes and names follow)

  • Don't use automated tools or scanners
  • Don't DDoS
  • Missing best practices in HTTP header configuration.
  • Any activity that could lead to the disruption of our service (DoS)
  • Missing best practices in SSL/TLS configuration
  • Account/email enumeration issues
  • Disclosure of software version numbers (we maintain forks of several tools and apply security patches accordingly)
  • Content Spoofing/Text Injection that cannot be leveraged for XSS or sensitive data disclosure
  • Hotel: BookRequest
  • Air: All endpoints
  • Car: All endpoints
  • Custom: All endpoints

  • In request headers use 'hackerone-{your username}' for User-Agent
  • Keep a low volume of requests - automated testing is not permitted
  • Do not fuzz contact forms
  • Do not fuzz "Request Account Activation" & "Request Product Activation"
  • Do not fuzz the request for "Change Request under Sites"
  • Do not modify other hacker_* user accounts under the HackerOne test account
  • CSRF

Scope names listed: web_application*, iOS App

Out of Scope

Scope Type | Scope Name
(no entries listed)

FireBounty crawled the Priceline program on the HackerOne platform on 2019-08-06.
