British Airways Vulnerability Disclosure Program

Introduction

Welcome to the British Airways Vulnerability Disclosure Program.

The safety and security of our customers, colleagues, and services is at the heart of everything we do. We recognize the vital role that security researchers and the wider hacker community play in helping us safeguard our digital ecosystem.

By responsibly reporting security issues, you help us protect millions of people who trust British Airways when they travel. We are grateful for your partnership and commitment to making aviation more secure for everyone.

If you believe you've discovered a qualifying security vulnerability in a British Airways asset, service, or website, please submit a report through HackerOne in accordance with the guidelines below. Reports should include a detailed description of your discovery, with clear, reproducible steps or a working proof-of-concept.

Thank you for working with us to keep British Airways systems resilient, reliable, and secure.

Program highlights

• Closed Scope: Only accepts reports based on the listed scope.
• Gold Standard Safe Harbor: Adheres to Gold Standard Safe Harbor.
• Coordinated Vulnerability Disclosure: Standard process followed.
• Top Response Efficiency: This program's response efficiency is above 90%.
• Managed by HackerOne
  • Average time to first response: 11 hours
  • Average time to triage: 1 day, 18 hours
  • Average time to resolution: 2 weeks, 1 day

Program Rules

When investigating vulnerabilities, please:

• Vulnerabilities must only be reported via the HackerOne platform. Reports submitted through other channels will not be recognized.

• Employees, service providers, and individuals in a working relationship with British Airways or any of its subsidiaries are excluded from participating in the program.

• Do not publicly disclose any details of a vulnerability without explicit written authorization from British Airways. Public disclosure is not permitted under this program.

• Do no harm: do not exploit vulnerabilities beyond the minimal testing required to demonstrate impact or indicator of a vulnerability.

• Avoid altering or deleting files, changing file permissions, or disrupting services.

• Do not attempt to exfiltrate any data under any circumstances.

• If sensitive information or personal data is inadvertently accessed, immediately cease testing and report the finding through HackerOne so that our security team can assist.

• Use only test accounts that you own or have explicit permission to use.

• Do not use a vulnerability to pivot into other systems or services.

• Denial of Service (DoS) testing is not permitted.

• Social engineering attacks (e.g., phishing, vishing, smishing) are prohibited.

• Do not conduct physical attacks against British Airways offices, data centers, or related infrastructure.

• Do not compromise the privacy, safety, intellectual property, or commercial interests of British Airways or third parties.

• Reports should include a detailed description of your discovery, with clear, reproducible steps or a working proof-of-concept. Reports lacking sufficient detail may not be triaged.

• Submit one vulnerability per report, unless multiple issues must be chained to demonstrate impact.

• Multiple vulnerabilities caused by a single root issue will be treated as one report.

• When duplicate reports occur, only the first valid submission will be triaged.

• Do not submit a high volume of low-quality reports.

• If in doubt at any point, pause testing and contact our security team via HackerOne for clarification.

Qualifying Vulnerabilities

British Airways is particularly interested in reports that demonstrate meaningful security impact. Examples include:

• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery (CSRF)
• Insecure Direct Object References (IDOR)
• Authentication or Authorization bypasses
• Injection vulnerabilities (e.g., SQL, LDAP, XML, command)
• Server-Side Code Execution (RCE)
• Privilege Escalation
• Directory Traversal
• Information Disclosure with real-world impact
• Security Misconfigurations that expose sensitive data or enable attack scenarios
• Open Redirects (only where a realistic impact can be demonstrated)

British Airways reserves the right to reject submissions that do not meet these criteria or where impact cannot be clearly demonstrated.

Non-Qualifying Vulnerabilities

The following are out of scope and will not be accepted as valid reports:

• Vulnerabilities disclosed without clear, reproducible steps or a working proof-of-concept
• Clickjacking or UI redressing attacks without impact
• Logout CSRF
• Descriptive error messages, banner disclosures, or stack traces without exploitability
• Lack of Secure/HTTPOnly cookie flags or missing security headers (unless demonstrably exploitable)
• Support for outdated SSL/TLS ciphers or common SSL attacks (e.g., BEAST, BREACH)
• Subdomain takeovers without a full proof-of-concept
• Content spoofing or text injection without a demonstrated attack vector
• Vulnerabilities requiring unrealistic user interaction (e.g., user manually pasting in an XSS payload)
• Flaws in networking protocols, industry standards, or outdated third-party software not controlled by British Airways
• Issues in code, infrastructure, or services not owned/operated by British Airways
• Vulnerabilities that require physical access, hardware modification, or device ownership to exploit
• Reports involving:
  • Onboard aircraft systems or avionics
  • Internal corporate systems or employee portals
  • Third-party services not owned by British Airways
  • Denial of Service (DoS) attacks
  • Social engineering of British Airways staff, contractors, or customers

Responsible Disclosure

British Airways supports responsible disclosure and asks that researchers:

• Act responsibly and within this policy, submitting all findings directly to British Airways.

• Report vulnerabilities promptly and provide thorough, actionable details so our security team can assess and address issues quickly.

• Uphold integrity and professionalism, avoiding misleading, coercive, or malicious behavior.

• Do not publicly disclose any vulnerability, indicator, or associated details. Public disclosure is strictly prohibited under this program unless explicitly authorized in writing by British Airways.

• Ensure reports are clear, detailed, and reproducible, including proof-of-concept code, screenshots, or other evidence as needed. Reports closed as Spam, Not Applicable, or Informative will not be approved for disclosure.