Welcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in responsibly disclosing the issue to us.

Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users’ privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to maliciously exploit a security issue, or access other user’s data. Note: Abusing vulnerabilities in other websites in order to test Airbnb is prohibited. Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.

Upon receipt of your report, we will communicate timelines for triaging, paying out your report, and answer questions during the investigative period. A detailed description of the vulnerability and reproduction steps are required for each report. If you do not provide this information within 2-business days from the submission of the report, we will close the report as Not Applicable.

Note: Timelines as shown below are based upon receipt of a fully detailed vulnerability with reproduction steps provided with the submitted report.

This program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, please visit our Help Center.

Certain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria]https://bughunters.google.com/about/rules/5604090422493184/google-play-security-reward-program-rules

Table of Contents

• Program Scope
• Program Rules
• Rewards
• Eligibility
• Special Testing Requirements
  • HotelTonight Testing Requirements
• Out of Scope Vulnerabilities (no reward)
  • Applicable to HotelTonight
• Other Information

Program Scope

In Scope assets are listed https://hackerone.com/airbnb/policy_scopes and are reviewed on a quarterly basis to ensure the most inclusive scope possible.

Program Rules

• Do not mass create accounts to perform testing against Airbnb applications and services.
• Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.
• Social engineering (e.g. phishing, vishing, smishing) is prohibited.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
• Only interact with accounts you own or with explicit permission of the account holder.
• Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through HackerOne. The Airbnb InfoSec team will review your request and notify you if any further action is taken.
• No testing on real user data permitted for any HotelTonight assets.
• 3rd Party assets are not covered in our program. Our program applies to components under our control.

Rewards

Our maximum bounty is $25,000 USD. Reward amounts are based on Severity and overall impact. We encourage you to use the CVSS calculator in HackerOne to calculate the severity you believe is adequate to your finding. If we believe the Severity you calculated is different from our assessment, you will be provided with an explanation as this may impact payout. Please allow up to 5 business days from time of triage for bounty to be paid out. The following table outlines the typical bounty ranges by Severity. All bounties are up to the discretion of Airbnb.

High Impact Scope Payout Range

Low Impact Scope Payout

Vulnerability Type|Severity Range| |-------------------|-----------------|-----------------| | Remote Code Execution (RCE) | Critical | | SQL Injection | High - Critical | | Improper Direct Object Reference (IDOR) | Medium - Critical | | Sensitive Data Exposure| Medium - Critical | | Server Side Request Forgery (SSRF) | Low - Critical | | Local file Inclusion | Medium - High | | Stored Cross Site Scripting | Medium - High | | Significant Authentication Bypass | Medium - High | | Authorization Flaw | Medium - High | | Cross-Site Request Forgery (CSRF) | Low - Medium | | Open Redirect on Sensitive Parameter | Low - Medium | | Reflected/Other Cross Site Scripting | Low - Medium | | Open Redirect | Low - Medium | | DNS Subdomain Takeover | Low - Medium |

##Highest Impact Scope

• *.airbnb.com
• *.airbnb.org
• *.musta.ch
• *.airbnbpayments.com
• All localized airbnb sites (e.g., es.airbnb.com, it.airbnb.com)
• Airbnb iOS app
• Airbnb Android app

Lower Impact Scope

These properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. The bounties given for reports on these properties will therefore be significantly lower.

• *.atairbnb.com
• *.withairbnb.com
• *.airbnbcitizen.com
• *.byairbnb.com
• *.muscache.com
• *.airbnb-aws.com
• *.luxuryretreats.com
• *.airbnbopen.com
• hoteltonight-test.com
• *.hoteltonight.com
• api.hoteltonight-test.com
• places.hoteltonight-test.com

Please remember that reward decisions are up to the discretion of Airbnb. We do not reward duplicate reports.

Eligibility

Airbnb reserves the right to decide the weakness and severity of a report and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.

To qualify for a reward under this program, you should:

• Be the first to report a vulnerability.
• Send a clear textual description of the report along with steps to reproduce the vulnerability.
• Include attachments such as screenshots or proof of concept code as necessary.
• Disclose the vulnerability report directly and exclusively to us.

A good Bug Bounty report should include the following information at a minimum:

• List the affected endpoints, URL(s), and any additional parameters
• Step by step instructions so we can reproduce the finding to verify the vulnerability
• Full written details of the finding *Account Configuration: User type (Guest, Host, ProHost, SuperHost) *Severity: Use the Hackerone calculator to calculate the severity you believe matches your report *Asset: Select the asset that is impacted by your finding *Weakness: Select the weakness associated with your report

Out of Scope Vulnerabilities

When reporting vulnerabilities, please consider the attack scenario, exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:

• Denial of service attacks
• Phishing attacks
• Social engineering attacks
• Reflected file download
• Software version disclosure
• Issues requiring direct physical access
• Flaws affecting out-of-date browsers and plugins
• Publicly accessible login panels
• CSV injection
• Email enumeration / account oracles that do not provide any extra information.
• CSP Weaknesses
• Email Spoofing
• Content redaction bypasses where the redacted content is replaced by the string (Hidden by Airbnb) (other content redaction vulnerabilities are in scope)
• Techniques allowing you to view user profile photos (these are considered public)
• Broken links or unclaimed social media accounts (unless chained with an impactful exploit)

Applicable to HotelTonight

• hoteltonight.com
• hoteltonight.build
• hoteltonight-test.com
• Our partners site (partners.hoteltonight.com)
• iOS mobile app
• Single Sign On (Google or Facebook).
• Do not send questions/requests to their customer support team for help with your testing. This is considered an interruption to the business.

HotelTonight Testing Requirements

Researchers can create customer accounts and book hotel rooms (test bookings) using a fake credit card in our testing environment, which doesn’t send out any email notifications (activation or confirmation) to customers.

HotelTonight Mobile Web App

• Accessible from https://www.hoteltonight-test.com (if using a desktop browser, note that you will need to use a mobile user-agent or Chrome developer tools to view the mobile site)

HotelTonight Mobile APIs Mobile APIs that power our mobile apps are located at:

• api.hoteltonight-test.com
• places.hoteltonight-test.com

HotelTonight Cities and Inventory In our testing environment, you should search for following cities to look for hotels:

• San Francisco
• Las Vegas
• New York City

HotelTonight Access You can create customer accounts using your emails (no activation emails will be sent), and use the following credit card for test booking a hotel room: - 4111111111111111 (Visa) with any expiration date in the future. Additional test payment methods available at https://developers.braintreepayments.com/reference/general/testing/ruby#credit-card-numbers (use only American Express, Discover, JCB, Mastercard, or Visa). All test bookings are not real bookings. We also suppress all emails for test bookings, so no email receipts will be sent to whatever email address is entered.

HotelTonight Credentials Researchers will need to self-provision the customer accounts by signing up using their email on our mobile web app. You will not get any activation email from our testing environment.

Other Information

• Researchers who have our thanks
• Past versions of this policy