Skyscanner launches a public bug bounty program

The popular travel search website Skyscanner is going to launch a bug bounty program, the company will pay up to $2,000 per vulnerability.

The travel search website Skyscanner announced a public bug bounty program that will pay up to $2,000 per vulnerability.

Skyscanner has been running a private bug bounty program that according to the company allowed it to discover and address over 200 flaws in its systems. Now Skyscanner is opening the bug bounty program to the public.

“For the past few years, we’ve run a successful private Bug Bounty program, and are excited to announce that we are now extending this to a public program, to further strengthen our security posture, improve our services, and most importantly, to keep our travellers safe when using Skyscanner.” reads the announcement of the bug bounty program published on Bugcrowd.

“We invite researchers to test the Skyscanner website and mobile apps in line with the process and principles set out in this brief.”

The bug bounty program covers the official skyscanner.net website, regional domains, the gateway.skyscanner.net API, both the iOS and Android apps, and the partnerportal.skyscanner.net website.

The company will pay for vulnerabilities affecting the profile, booking and partner portal sections.

Participants to the bug bounty program cannot access or modify travelers’ data, without explicit prior permission of the owner.

“Only interact with your own accounts or provided test accounts for security research purposes.” continues the announcement.

• add the following header to all HTTP requests: Skyscanner-Security: Bugcrowd
• use your username@bugcrowdninja.com email address for accounts
• not access or modify our, or our travellers’ data, without explicit prior permission of the owner. Only interact with your own accounts or provided test accounts for security research purposes
• contact us immediately if you inadvertently encounter traveller data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Skyscanner
• perform testing and research only within the areas that are in scope
• follow the Bugcrowd Coordinated Disclosure rules“

Researchers risk a 10% penalty if their submission is valid, but the rules haven’t been followed, Skyscanner said.

Skyscanner will pay up rewards up to $1,500/$2,000 per vulnerability such as security misconfigurations, server-side injection issues, broken authentication issues, sensitive data exposure, and cryptography-related bugs.

PRIORITY	REWARD	FOCUS AREA
P1	$1500	$2000
P2	$900	$1200
P3	$300	$400
P4	$100	$150

“It is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact.” Skyscanner added. “In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher – along with the opportunity to appeal, and make a case for a higher priority,”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Skyscanner, bug bounty)

[adrotate banner=”5″] [adrotate banner=”13″]