Priceline (HackerOne program)
Program type: Reward, 100 $
Listed dates: 2019-08-06, 2020-02-28
Welcome to Priceline’s Bug Bounty Program

Priceline is committed to working with security experts across the globe to stay up-to-date with the latest security techniques. If you have discovered a security issue that you believe we should know about, we welcome working with you. Please let us know about it and we’ll make every effort to quickly correct the issue.

Rules of Engagement

Program Rules

While we want our hackers to perform at their best, we also want to ensure that there is minimal disruption to our business. As research is being performed, please ensure the following:

  • Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.

  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.

You must adhere to HackerOne’s Disclosure Guidelines and everything outlined in this policy.

  • We cannot reward or do business with any individual on any U.S. sanctions list or any individual residing in any country on any U.S. sanctions list. This includes residents of Cuba, Sudan, North Korea, Iran or Syria.

  • Severity level is based on the CVSS scoring model; exceptions are granted at the sole discretion of the Priceline security team.

  • Please check our Scope. Keep in mind that reports associated with other subdomains/domains will be closed with no award.

Testing Rules

  • Do not attempt to access private customer information

  • Never attempt to view, modify, or damage data belonging to others. If you need to test a vulnerability, create your own account.

  • Do not attempt to affect our availability (denial of service, spam)

  • Do not attempt to affect a product (hotel, flights, rental cars) availability by making unintended reservations

  • Do not send reports from automated tools without verifying a working PoC

  • Do not create bookings for testing purposes

  • Please avoid submitting multiple reservations!

  • If you submit a reservation, please make sure you cancel it

  • Please provide your IP address in the bug report

  • Use a custom HTTP header on every test request and mention it in your report. For example, a header that includes your username: X-Bug-Bounty: HackerOne-your-username. If the custom header is not used, the report will not be triaged.

  • When making an account or reservation, please use your HackerOne Email Alias (e.g., username@wearehackerone.com), so that we can properly identify you

Response Targets

Priceline will make a best effort to meet the following response targets for hackers participating in our program:

  • Time to first response (from report submit) - 2 business days

  • Time to triage (from report submit) - 2 business days

  • Time to bounty (from triage) - 1 business day (max. 2 weeks)

  • Time to resolution - 30 days

All times indicated are business days.

Non-Qualifying Vulnerabilities and Exclusions

  • Session token in url. We know about the session token in the URL in some legacy portions of the site.

  • XSS that an attacker cannot exploit because the injection point is a request header only the victim controls, such as Referer, User-Agent or cookies (self-XSS).

  • Server name and version disclosure (e.g. via the Server header or banners)

  • Loading mixed content

  • Missing HTTP security headers

  • Missing cookie flags on non-sensitive cookies

  • Weak Password Policy

  • Clickjacking

  • Denial of service, distributed denial of service, or other availability attacks

  • Physical attacks against any Priceline office or data center

  • Missing email notification on user profile changes

  • Social engineering, for example, phishing or calling, of any Priceline employee, contractor or agent

  • Issues with any site or application not explicitly listed as in-scope

  • Please don’t send us vulnerability scanner output. If it’s a real bug, you must provide steps to reproduce and/or a proof of concept. Any automated reports submitted will be closed without being triaged.

  • Content spoofing or text injection on error pages

  • Rate limiting issues

  • Password reset token leakage through the Referer header

  • Outdated or vulnerable library versions (for example jQuery) without a demonstrated attack vector

  • X-XSS-Protection (browser XSS filter) header not enabled

  • Email/user enumeration (report will be closed as informative)

  • The secure.rezserver.com client.js JavaScript file (report will be closed as informative)

  • Similar weaknesses/reports will not be paid out as separate bounties, for example XSS in multiple parameters of the same endpoint

  • Reports concerning offer numbers and/or Express Deals for Hotel/Car/Air will not be taken into consideration (reports will be closed as informative)

  • Google Maps API - Any report regarding Google Maps API will be closed as informative.

  • Publicly accessible xmlrpc.php files

  • Browsable files that contain no confidential data, such as yarn.lock, package.json, or similar files

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

In Scope

Scope Type           Scope Name
android_application  com.priceline.android.negotiator
ios_application      336381998
web_application      cruises.priceline.com
web_application      reservations.rezserver.com
web_application      secure.rezserver.com
web_application      www.bookingholdings.com
web_application      api.rezserver.com
web_application      admin.rezserver.com
web_application      www.priceline.com/vp-web/*
web_application      www.priceline.com

Out of Scope

Scope Type           Scope Name
web_application      www.airportrentalcars.com
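The Testing Rules above require the X-Bug-Bounty header on test traffic and the HackerOne email alias for accounts, and the Program Rules warn that reports on hosts outside the scope tables are closed unpaid. The following is an added example, not code from Priceline or HackerOne, of a small scope gate a tester can put in front of their tooling: it refuses to build a request for any host not explicitly listed as in scope and tags every request it does build. The host lists are copied from the scope tables; the helper names (in_scope, build_request, alias_email), the User-Agent string and the sample URLs are this example's own assumptions. It only prepares urllib Request objects and sends nothing.

```python
# Added example (not Priceline's or HackerOne's code): a scope gate and
# request tagger for testing under the program rules above. The host lists
# are copied from the program's In Scope / Out of Scope tables; the helper
# names (in_scope, build_request, alias_email) and the sample URLs are
# this example's own assumptions.
import fnmatch
from urllib.parse import urlsplit
from urllib.request import Request

# Web assets listed as in scope. "www.priceline.com/vp-web/*" is a path
# pattern under a host that is already listed in full, so it is kept for
# completeness without widening scope.
IN_SCOPE_WEB = [
    "cruises.priceline.com",
    "reservations.rezserver.com",
    "secure.rezserver.com",
    "www.bookingholdings.com",
    "api.rezserver.com",
    "admin.rezserver.com",
    "www.priceline.com/vp-web/*",
    "www.priceline.com",
]

# Explicitly out of scope on the program page.
OUT_OF_SCOPE_WEB = ["www.airportrentalcars.com"]


def _host_and_path(url):
    """Split a URL (scheme optional) into lowercase host and path."""
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or "/"


def in_scope(url):
    """True only if the URL's host is explicitly listed as in scope.

    Unlisted subdomains (e.g. other.priceline.com) and the bare apex are
    out of scope: the program closes reports on other subdomains/domains
    without award.
    """
    host, path = _host_and_path(url)
    if host in OUT_OF_SCOPE_WEB:
        return False
    for entry in IN_SCOPE_WEB:
        entry_host, _, entry_path = entry.partition("/")
        if host != entry_host.lower():
            continue
        if not entry_path or fnmatch.fnmatch(path, "/" + entry_path):
            return True
    return False


def alias_email(h1_username):
    """HackerOne email alias to use for test accounts and reservations."""
    return f"{h1_username}@wearehackerone.com"


def build_request(url, h1_username, method="GET", data=None):
    """Prepare a request carrying the X-Bug-Bounty tag the program requires.

    Refuses out-of-scope targets up front so a stray request never leaves
    the tester's machine. Nothing is sent here; urlopen() it when ready.
    """
    if not in_scope(url):
        raise ValueError(f"refusing out-of-scope target: {url}")
    headers = {
        "X-Bug-Bounty": f"HackerOne-{h1_username}",
        # Also identify the traffic in server logs (assumption: the program
        # itself only mandates the X-Bug-Bounty header).
        "User-Agent": f"bugbounty-research ({alias_email(h1_username)})",
    }
    return Request(url, data=data, headers=headers, method=method)


if __name__ == "__main__":
    # Constructed sample targets, one of each kind.
    for target in ("https://www.priceline.com/vp-web/hotels",
                   "https://other.priceline.com/",
                   "https://www.airportrentalcars.com/"):
        state = "in scope" if in_scope(target) else "OUT OF SCOPE"
        print(f"{target}: {state}")
    req = build_request("https://secure.rezserver.com/", "your-username")
    print(req.full_url, req.header_items())
```

Pass every target through build_request() (or in_scope() before any other client) so that a typo such as a forgotten subdomain fails closed rather than generating traffic the program will not pay for. Note that urllib normalises header names, so the tag appears as "X-bug-bounty" in the prepared request; it is sent on the wire as given.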


FireBounty crawled the Priceline program on the HackerOne platform on 2019-08-06.

FireBounty © 2015-2024
