Bug Bounty Program Guidelines

Expedia Group recognizes the important role that security researchers play in helping to keep Expedia Group and our customers secure. By submitting a vulnerability to us either directly or indirectly you acknowledge that you have read and agree to abide by these guidelines. If you discover a site or product vulnerability please notify us using the guidelines below.

If you identify a security vulnerability on out of scope assets, please submit them to Expedia Group's Vulnerability Disclosure Program.

We thank you in advance for your contributions and look forward to working with you!

Expedia Group’s global Security team manages the receipt and internal coordination of security vulnerabilities related to Expedia properties. We aim to keep all involved parties, both internal and external, informed of our progress on validating and remediating reported vulnerabilities.

Response Targets

Expedia Group will make its best effort to meet the following response targets for hackers participating in our program:

• Time to first response (from report submission) - 2 business days
• Time to triage (from report submission) - 4 business days
• Time to bounty - 7-15 days depending upon criticality and application complexity

Testing

If registering for test accounts, please use your @wearehackerone.com email alias.

To help us distinguish researcher traffic from malicious activity, please set a header with your HackerOne username in your scanner requests. (For example: X-hackerone: your_username)

Vulnerabilities on Third-Party Assets

Subdomains owned by third parties are listed within our scope instructions and are generally considered out of scope. Please note this list is not exhaustive and may expand over time.

Expedia Group does not control remediation on these assets, however, if you discover vulnerabilities in those assets in the course of testing Expedia Group, we will review and escalate the issues to the appropriate parties.

As always, please be mindful of your testing activities and limit scanner requests to no more than 100 requests per second.

Program Terms

Please note that your participation in the Expedia Group Bug Bounty Program is voluntary and subject to the terms and conditions set forth in this Policy (“Program Terms”). By submitting a vulnerability to us, you acknowledge that you have read and agree to the Program Terms.

You will be eligible to receive a bounty payment if: (i) you are the first person to submit the vulnerability; (ii) that vulnerability is determined to be a valid security issue by Expedia Group’s security team; and (iii) you are in compliance with all Program Terms.

Please fully and carefully read through the program scope and Prohibitions and Exclusions to make sure you are dedicating your time to identifying vulnerabilities that are within the scope of the bounty program. On a case-by-case basis, please note that Expedia Group may make exceptions and award a discretionary bounty or bonus for Critical vulnerabilities on out-of-scope assets.

These Guidelines are limited to security vulnerabilities in Expedia Group-owned assets.

• Expedia Group reserves the right to determine whether a vulnerability submitted to the Bug Bounty Program is eligible for a reward, and to determine the amount of the reward. Expedia Group may change the validity or severity of a vulnerability based on the security team's due diligence and/or root cause analysis.
• Please provide detailed reports with reproducible steps.
• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
• Social engineering (e.g. phishing, vishing, smishing) is prohibited.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own.
• Please combine reports if the same or similar root cause affects multiple endpoints, subdomains or assets.
• Many of our sites share a common platform. Because of this, a vulnerability reported on one domain may exist on another domain if the sites are in the same platform. For example, an issue reported for expedia.com may also be present in the exact same way on expedia.co.in and the issue can be resolved on both sites with the same fix. We ask that you take the time to replicate the issue in other sites, and if replicating, please include all occurrences in one report instead of submitting them as multiple reports. We treat the issue as a single vulnerability and will close out others as duplicates.
• Our sites also leverage Amazon AWS services. Please go through the AWS AUP before testing on AWS infrastructure. https://aws.amazon.com/security/penetration-testing/

Amazon prohibits:

• DNS zone walking via Amazon Route 53 Hosted Zones
• DoS or DDoS
• Port, protocol and/or request flooding.

To be eligible for the Bug Bounty Program, you must not:

• Be a resident of, or make your Submission from, a country against which the United States has issued export sanctions or other trade restrictions (e.g., Cuba, Iran, North Korea, Sudan and Syria);
• Be employed by Expedia Group or its subsidiaries;
• Be an immediate family member of a person employed by Expedia Group or its subsidiaries or affiliates

If it is discovered that you meet any of the criteria above, Expedia Group will remove you from the Bug Bounty Program and disqualify you from receiving bounty rewards.

#Disclosure Policy and Rules

• Researchers must adhere to HackerOne’s Disclosure Guidelines, and this Disclosure Policy and Rules to make a claim under Expedia Group’s Program. • If you believe you’ve discovered a security bug or vulnerability, report it to us as soon as possible. • Do not disclose your reported findings to others until we’ve had an opportunity to respond and address them. By keeping your reports private until we resolve them, you’re helping keep Expedia Group secure for our entire community. Disclosure requests must be coordinated with and approved by Expedia Group. • All information acquired as part of this program is confidential to Expedia Group, and you will not disclose or use this information for any purpose other than the performance of your services within the Program. To the extent that you disclose information about a vulnerability that has been fixed, you will remove all identifying information and not use Expedia Group’s name or trademarks or logos in your disclosure, or represent that any work provided by you was approved or endorsed by Expedia Group. • To the extent that you have discovered an otherwise unreported vulnerability within an Open Source module or component in use on an Expedia Group site, you may disclose in accordance with Hacker One’s Disclosure Guidelines, as long as you remove all references to Expedia Group. • You must comply with all applicable federal, state, and local laws in connection with your security research activities or other participation in this Program.

Safe Harbor

If your activities are conducted in a manner consistent with these guidelines and legal action is initiated by a third party against you in connection with such activities, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Expedia Group and our users safe!