The travel search website Skyscanner announced a public bug bounty program that will pay up to $2,000 per vulnerability.
Skyscanner has been running a private bug bounty program that according to the company allowed it to discover and address over 200 flaws in its systems. Now Skyscanner is opening the bug bounty program to the public.
“For the past few years, we’ve run a successful private Bug Bounty program, and are excited to announce that we are now extending this to a public program, to further strengthen our security posture, improve our services, and most importantly, to keep our travellers safe when using Skyscanner.” reads the announcement of the bug bounty program published on Bugcrowd.
“We invite researchers to test the Skyscanner website and mobile apps in line with the process and principles set out in this brief.”
The bug bounty program covers the official skyscanner.net website, regional domains, the gateway.skyscanner.net API, both the iOS and Android apps, and the partnerportal.skyscanner.net website.
The company will pay for vulnerabilities affecting the profile, booking and partner portal sections.
Participants to the bug bounty program cannot access or modify travelers’ data, without explicit prior permission of the owner.
“Only interact with your own accounts or provided test accounts for security research purposes.” continues the announcement.
Researchers risk a 10% penalty if their submission is valid, but the rules haven’t been followed, Skyscanner said.
Skyscanner will pay up rewards up to $1,500/$2,000 per vulnerability such as security misconfigurations, server-side injection issues, broken authentication issues, sensitive data exposure, and cryptography-related bugs.
PRIORITY | REWARD | FOCUS AREA |
---|---|---|
P1 | $1500 | $2000 |
P2 | $900 | $1200 |
P3 | $300 | $400 |
P4 | $100 | $150 |
“It is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact.” Skyscanner added. “In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher – along with the opportunity to appeal, and make a case for a higher priority,”
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – Skyscanner, bug bounty)
[adrotate banner=”5″] [adrotate banner=”13″]
A critical vulnerability in the WordPress Automatic plugin is being exploited to inject backdoors and…
As cryptocurrencies have grown in popularity, there has also been growing concern about cybercrime involvement…
Healthcare service provider Kaiser Permanente disclosed a security breach that may impact 13.4 million individuals…
Over 1,400 CrushFTP internet-facing servers are vulnerable to attacks exploiting recently disclosed CVE-2024-4040 vulnerability. Over…
A ransomware attack on a Swedish logistics company Skanlog severely impacted the country's liquor supply. …
CISA adds Cisco ASA and FTD and CrushFTP VFS vulnerabilities to its Known Exploited Vulnerabilities…
This website uses cookies.