Booking.com

Please note when researching any vulnerability please use your @wearehackerone.com email address this will help us to know on our internal monitoring tools that its a researcher from hackerone and not a malicious actor

Introduction

Booking.com is committed to working with security experts across the globe. It’s a big world and we believe that working with skilled security researchers from all corners of the globe is the key to identify the weaknesses in any technology. If you think you have found a security issue in our applications let us know via our bug-bounty program on HackerOne and we’ll work with you to fix it.

Our team of dedicated security professionals works vigilantly to help keep customer information secure. We recognize the important role that security researchers and our user community play in helping to keep Booking.com and our customers secure.

We will investigate all legitimate reports and do our best to quickly fix the problem. Before reporting though, please review this page including our Program Terms, Prohibited Actions, Reward and Payout Guidelines, Rules of Engagement, vulnerabilities and applications which are in and out of scope for rewards.

Booking.Com Bug Bounty Updates

• 15th November,2023 - Program is public with changed scope
• 1st October,2019 - October Promotion launched for 2 weeks
• 7th May,2019 - Bounty Policy Updated
• 20th March,2019 - Bounty Payouts Updated
• 20th March,2019 - March Promotion launched for 2 weeks

*15h November 2023 - Program went public, in a phased approach.

##Program Terms

Your participation in the Bug Bounty Program is voluntary and subject to the terms and conditions set forth on this page (“Program Terms”). By submitting a site or product vulnerability to Booking.com B.V. (“Booking.com”) you acknowledge that you have read and agreed to the program policy and guidelines.

We recognize and reward security researchers who help us keep our customer data secure by reporting vulnerabilities in our services. Monetary bounties for such reports are entirely at Booking.com’s discretion, based on risk, impact, and other factors.

If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations, or other confidential information) while investigating an issue, you must disclose this in your report. Use test accounts when investigating issues. If you cannot reproduce an issue with a test account, you can use a real account (except for automated testing). Do not interact with other accounts without consent of the account owner.

When researching security issues, especially those which may compromise the privacy of others, you must use only test accounts in order to respect our users’ privacy. Accessing private information of other users, performing actions that may negatively affect Booking.com users (e.g., spam, denial of service) will disqualify the report. Activity that is disruptive to Booking.com operations will result in account bans and disqualification from the bounty program. Please refer to “Prohibited Actions” section in the policy.

At this time Booking.com is not permitting public disclosure of submitted reports.

##Prohibited Actions

• Exploiting a security issue with malicious payload which can result into but not limited to DOS, exposure of sensitive information, business disruption, spamming customers, partners or Booking.com employees.
  (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.)
• Interaction with an individual account (which includes modifying or accessing data from the account) if the account owner has not consented to such actions.
• Violation of any applicable laws or regulations, including (but not limited to) laws and regulations prohibiting the unauthorized access to data.
• You are not authorized to access user data or company data, including (but not limited to) personally identifiable information and data relating to an identified or identifiable natural person.
• Publicly disclosure of reported vulnerabilities. Disclosing a vulnerability, directly or indirectly (i.e. posting it in public video streams, listed or not), will render the associated report ineligible for bounty. All resources (PoC files, videos, etc.) required to reproduce an issue, must not go outside the possession of the researcher, HackerOne.com, or Booking.com.
• Do not attempt to affect a property's (hotel) availability by making unintended reservations
• Do not send reports from automated tools without verifying a working PoC
• Do not attempt to create properties for testing purposes
• Do not book listed properties for testing purposes
• Uploading files that allow arbitrary commands (i.e. a webshell)
• Creation of test or fake properties
• Modification of any files or data, including permissions
• Deletion of any files or data
• Interruption of normal operations (e.g. triggering a reboot)
• Creation and maintenance of a persistent connection to the server
• Intentionally viewing any files or data beyond what is needed to prove the vulnerability
• Contacting Booking.com employees directly for support, sales, or requests related to a submitted report
• Mass creation of users, groups, and projects
• Typo-squatting or other name-squatting
• Spam-like or other high volume activity
• Using automated scanning tools to scan Booking.com assets
• Using malicious payloads while confirming stored XSS

Please do not email the program team directly. All communications regarding submissions should be done via the HackerOne platform.*

Rules of Engagement

To potentially qualify for a bounty, you first need to meet the following requirements:

• Adhere to our “Program Terms” and do not perform any of the “Prohibited actions” listed in this policy.
• Report a security bug: that is, identify a vulnerability in our services or infrastructure which creates a security or privacy risk.
• Your report must describe a problem involving one of the products or services listed under “In-Scope Applications”
• Your report must not be for a security issue listed under “Out of Scope and False Positives”.
• Your report includes all of the following: - Full description of the vulnerability being reported, including the exploitability and impact description. - Evidence and explanation of all steps required to reproduce the submission, which may include: - Videos - Screenshots - Exploit code/payload - Web/API requests and responses - Email address or user ID of any test accounts - IP address used during testing

##Payouts

We determine bounty amounts based on a variety of factors, including (but not limited to) Impact, classification and sensitivity of the data, ease of exploit and overall risk to Booking.com customers, partners, Booking.com brand.

Quality of the report If we pay a bounty, the minimum reward is $150. Note that extremely low-risk issues may not qualify for a bounty at all. We make consistent payout amounts for similar issues, but bounty amounts and qualifying issues may change with time. Past rewards do not necessarily guarantee similar results in the future. In the event of duplicate reports, we award a bounty to the first person to submit an issue. (Booking.com determines duplicates and may not share details on the other reports.) For different attack vectors that result in the same mitigation, Booking.com reserves the right to reward the first report that is validated for that fix. All subsequent reports that are addressed by that mitigation will be considered as duplicates, regardless of the attack vector. We reserve the right to publish reports (and accompanying updates).

All determinations and decisions as to the amount of a bounty payout by Booking.com are final.

Promotions:

From time to time, Booking.com offers promotions in connection with the Bug Bounty Program. Reports submitted for consideration may be subject to additional governing rules for that promotion as described in those rules, which are or will be made available here (in this section).

##Scope

##In Scope Assets For in Scope Assets please refer to the Scope tab

Out-Of-Scope Applications Any application whether owned by Booking.com or third-party vendor not included as an in-scope asset will be mentioned on the scope tab as out of scope.

For Out Of Scope Assets please refer to the Scope tab

In-scope Vulnerabilities

Accepted, in-scope vulnerabilities include, but are not limited to:

• Disclosure of sensitive or personally identifiable information
• Cross-Site Scripting (XSS) - Please note, for XSS if the same issue is reported for the different subdomains but with the same root cause, it will be considered duplicate
• Cross-Site Request Forgery (CSRF) for sensitive functions in a privileged context
• Remote code execution (RCE)
• Authentication or authorization flaws, including insecure direct object references and authentication bypass
• Injection vulnerabilities, including SQL and XML injection
• Directory traversal
• Significant security misconfiguration with a verifiable vulnerability
• Account takeover by exploiting a vulnerability
• SSRF
• XXE
• Subdomain takeover in *.booking.com domains

Out-Of-Scope Vulnerabilities Depending on their impact, not all reported issues may qualify for a monetary reward. However, all reports are reviewed on a case-by-case basis and any report that results in a change being made will at a minimum receive recognition. Please note that our program terms and rules of engagement still apply.

The following issues are outside the scope of our vulnerability rewards program:

• Incorrect permission check for different roles at admin.booking.com
• Any vulnerability which requires access to a compromised email account or Booking.com account for successful exploitation
• Vulnerabilities on Third Party Products
• Attacks requiring physical access to a user's device or network.
• Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)
• Login/Logout CSRF
• Missing security headers which do not lead directly to a vulnerability
• Use of a known-vulnerable library (without evidence of exploitability)
• Reports from automated tools or scans
• Social engineering of Booking staff or contractors
• Denial of Service attacks and/or reports on rate limiting issues
• Not enforcing certificate pinning
• Any issues that require a rooted or jailbroken device or a compromised device
• Clickjacking
• Improper session invalidation
• User enumeration
• Host header injections without a specific, demonstrable impact
• Self-XSS, which includes any payload entered by the victim
• Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser controls
• Content spoofing without embedded HTML or JavaScript
• Hypothetical issues that do not have any practical impact
• Infrastructure vulnerabilities, including:
• Issues related to SSL certificates
• DNS configuration issues
• Server configuration issues (e.g. open ports, TLS versions, etc.)
• Recently disclosed zero-day vulnerabilities

Thanks

We believe in recognizing the work of others. If your work helps us improve the security of our service, we'll happily acknowledge your contribution.

Legal

We, of course, reserve the right to cancel or modify this program at any time. And the ultimate decision over an award --whether to give one and in what amount-- is a decision that lies entirely within our discretion.

Finally, and needless to say, please do not violate any laws when conducting your tests. Booking.com is committed to working with security experts across the globe. We believe that working with skilled security researchers from all over the world is the key to identifying the weaknesses in any technology. If you think you have found a security issue in our applications let us know via HackerOne and we’ll work with you to fix it. Please submit your finding through www.hackerone.com/disclosure-assistance for review.

Our team of dedicated security professionals works vigilantly to help keep customer information secure. We recognise the important role that security researchers and our user community play in helping to keep Booking.com and our customers secure.