==Please note this is a vulnerability disclosure program and does not award bounty.==
Vulnerability Disclosure Guidelines
Expedia Group recognizes the important role that security researchers play in helping to keep Expedia Group and our customers secure. By submitting a vulnerability to us either directly or indirectly you acknowledge that you have read and agree to abide by these guidelines.
If you believe you’ve discovered a security bug or vulnerability, please report it to us as soon as possible.
We thank you in advance for your contributions to our vulnerability disclosure program and look forward to working with you!
Expedia Group’s global Security team manages the receipt and internal coordination of security vulnerabilities related to Expedia properties. We aim to keep all involved parties, both internal and external, informed of our progress on validating and remediating reported vulnerabilities.
Assets in scope for our vulnerability disclosure program include web and mobile applications for:
*.expedia.com, *.hotwire.com, *.orbitz.com, *.hotels.com, *.homeaway.com, *.cheaptickets.com, *.travelocity.com, *.wotif.com, *.cruiseshipcenters.com, *.lastminute.com.au, *.carrentals.com, *.expediapartnercentral.com
*Please note .lastminute.com is NOT owned by Expedia Group and is out of scope.
Testing
If registering for accounts on Expedia assets, please use your @wearehackerone.com email alias.
If you use automated scanners, please set a request header containing your HackerOne username in your scanner requests (for example: X-hackerone: your_username). This helps us distinguish researcher traffic from malicious activity.
Response Targets
Expedia Group will make a best effort to meet the following response targets for hackers participating in our program:
- Time to first response (from report submit) - 2 business days
- Time to triage (from report submit) - 2 business days
- Time to resolution - varies by severity, 2 to 120+ days
Disclosure Policy
- Do not disclose your reported findings to others until we’ve had an opportunity to respond and address them. By keeping your reports private until we resolve them, you’re helping keep Expedia Group secure for our entire community.
- Disclosure requests must be coordinated with and approved by Expedia Group.
- To the extent that you disclose information about a vulnerability that has been fixed, you will remove all identifying information and not use Expedia Group’s name or trademarks or logos in your disclosure, or represent that any work provided by you was approved or endorsed by Expedia Group.
- To the extent that you have discovered an otherwise unreported vulnerability within an Open Source module or component in use on an Expedia Group site, you may disclose in accordance with HackerOne’s Disclosure Guidelines, as long as you remove all references to Expedia Group.
- Please reach out to us at [email protected] before engaging in conduct that is not addressed by this program policy.
Program Rules
These Vulnerability Disclosure Guidelines are limited to security vulnerabilities in Expedia Group-owned assets.
- Please provide detailed reports with reproducible steps.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own.
- Please combine reports if the same or similar root cause affects multiple endpoints, subdomains or assets.
- Many of our sites share a common platform. Because of this, a vulnerability reported on one domain may exist on another domain if the sites are in the same platform. For example, an issue reported for expedia.com may also be present in the exact same way on expedia.co.in and the issue can be resolved on both sites with the same fix. We ask that you take the time to replicate the issue in other sites, and if replicating, please include all occurrences in one report instead of submitting them as multiple reports. We treat the issue as a single vulnerability and will close out others as duplicates.
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
- Clickjacking on pages with no sensitive actions.
- Unauthenticated/logout/login CSRF.
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without a demonstrated attack vector (i.e. without being able to modify HTML/CSS).
- Physical or social engineering attempts (this includes phishing attacks against EG employees).
- Disclosure of known public files or directories.
- Use of outdated software / library versions.
- Reports from automated tools or scans.
- Mail configuration issues including SPF, DKIM, DMARC settings.
Safe Harbor
If your activities are conducted in a manner consistent with these guidelines and legal action is initiated by a third party against you in connection with such activities, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Expedia Group and our users safe!