06/08/2019

Reward

100 $ 

In Scope

Scope Type Scope Name
android_application com.priceline.android.negotiator
other www.priceline.com/vp-web/*
web_application cruises.priceline.com
web_application www.priceline.com
web_application reservations.rezserver.com
web_application secure.rezserver.com
web_application www.bookingholdings.com
web_application Don't use automated tools or scanners
web_application Don't DDoS
web_application Missing best practices in HTTP header configuration.
web_application Any activity that could lead to the disruption of our service (DoS)
web_application Missing best practices in SSL/TLS configuration
web_application Account/email enumeration issues
web_application Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly)
web_application Content Spoofing/Text Injection that cannot be leveraged for XSS or sensitive data disclosure
web_application Hotel: BookRequest
web_application Air: All endpoints
web_application Car: All endpoints
web_application Custom: All endpoints
web_application In request headers use 'hackerone-{your username}' for user-agent
web_application Keep low volume of requests - Automated testing is not permitted
web_application Do not Fuzz Contact forms
web_application Do not Fuzz "Request Account Activation" & "Request Product Activation"
web_application Do not Fuzz request for "Change Request under Sites"
web_application Do not modify other hacker_* user accounts under Hacker one test account
web_application CSRF
web_application iOS App __

Out of Scope

Scope Type Scope Name
web_application www.airportrentalcars.com

Priceline

Welcome to Priceline’s Bug Bounty Program

Priceline is committed to working with security experts across the globe to stay up to date with the latest security techniques. If you have discovered a security issue that you believe we should know about, we’d welcome working with you. Please let us know about it and we’ll make every effort to quickly correct the issue.

Rules of Engagement

Program Rules

While we want our hackers to perform at their best, we also want to ensure that there is minimal disruption to our business. As research is being performed, please ensure the following:

  • Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. You must adhere to HackerOne’s Disclosure Guidelines and everything outlined in this policy.
  • We cannot reward or do business with any individual on any U.S. sanctions list or any individual residing in any country on any U.S. sanctions list. This includes residents of Cuba, Sudan, North Korea, Iran or Syria.
  • Severity level is at the sole discretion of the Priceline security team
  • Please check our Scope. Keep in mind that reports associated with other subdomains/domains will be closed with no award.

Testing Rules

  • Do not attempt to access private customer information
  • Never attempt to view, modify, or damage data belonging to others. If you need to test a vulnerability, create an account
  • Do not attempt to affect our availability (denial of service, spam)
  • Do not attempt to affect a product (hotel, flights, rental cars) availability by making unintended reservations
  • Do not send reports from automated tools without verifying a working PoC
  • Do not create bookings for testing purposes
  • Please avoid submitting multiple reservations!
  • If you submit a reservation, please make sure you cancel it.
  • Please provide your IP address in the bug report.
  • Where possible, use a custom HTTP header as well, and mention that in your report. For example: A header that includes your username: X-Bug-Bounty:HackerOne-your-username
  • When making an account or reservation, please use your HackerOne Email Alias (e.g., username@wearehackerone.com), so that we can properly identify you.

Response Targets

Priceline will make a best effort to meet the following response targets for hackers participating in our program:

  • Time to first response (from report submit) - 2 business days
  • Time to triage (from report submit) - 2 business days
  • Time to bounty (from triage) - 1 business day (Max 2 weeks)
  • Time to resolution - 30 days

All times indicated are business days.

Non-Qualifying Vulnerabilities and Exclusions:

  • Session token in url. We know about the session token in the URL in some legacy portions of the site.
  • XSS that isn't exploitable by an attacker because it requires control of request parameters such as HTTP headers (e.g. “Referer”, “User-Agent”, “Cookie”, etc.)
  • Name & Server Version disclosure
  • Loading mixed content
  • Missing http security headers
  • Missing cookie flags on non-sensitive cookies
  • Weak Password Policy
  • Clickjacking
  • Denial of service, distributed denial of service, or other availability attacks
  • Physical attacks against any Priceline office or data center
  • Email notification for user profile changes
  • Social engineering, for example phishing or calling, of any Priceline employee, contractor or agent
  • Issues with any site or application not explicitly listed as in-scope
  • Please don’t send us vulnerability scanner output. If it’s a real bug, you must provide steps to reproduce and/or a proof of concept. Any automated reports submitted will be closed without being triaged.
  • Content Spoofing due to error pages or text injection
  • Rate limiting issues
  • Information disclosure through referer header (reset password token)
  • Vulnerable version of libraries (for example ‘jquery’) without demonstrable attack vector
  • Vulnerabilities associated to /pws/v0/customer API
  • Web Browser XSS Protection is not enabled
  • Email/user Enumeration (we will close them as informative)
  • secure.rezserver.com client.js javascript file

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

FireBounty © 2015-2019