Introduction
At Hilton, our mission is to provide the light and warmth of hospitality to the world, by delivering an exceptional, safe, and reliable customer experience. In pursuit of this mission, we are partnering with HackerOne and the security community to launch the Hilton Bug Bounty program, and we want you to participate!
Response Targets
Hilton will make a best effort to respond within five business days to reports received through the Bug Bounty program. To be eligible for a reward, you must give Hilton reasonable time to investigate the reported vulnerability and you must respond to follow-up questions from Hilton or HackerOne.
Out of Scope
Booking of reservations is considered an out-of-scope activity.
The following vulnerabilities are also out of scope:
- All Social Media Account Takeover and Domain Takeover attacks.
- Clickjacking on pages with no sensitive actions.
- POST-based XSS attacks.
- Open Redirect attacks.
- Unauthenticated/logout/login CSRF.
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing development best practices.
- Missing best practices in SSL/TLS configuration.
- Conflict with industry policies and standards.
- Any activity that could lead to the disruption of a Hilton service (for example, DoS attacks).
- Content spoofing and text injection issues without a demonstrated attack vector or the ability to modify HTML/CSS.
- Rate-limiting issues on endpoints that do not disclose PII or other relevant information.
- Reports originating only from automated tools or scanners (e.g., Burp, nmap).
- All files, regardless of labeling, are out of scope for the ir.hilton.com site.
Testing Requirements
You must append the string “HackerOne” to your user agent for all HTTP/HTTPS traffic before performing any testing. Example instructions on how to modify the user agent string for Chrome can be found here and for Burp Suite can be found here.
Submission Requirements
- Vulnerability reports must be submitted to HackerOne and must meet HackerOne’s requirements (https://docs.hackerone.com/programs/submit-report-form.html).
- When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug.
- Please suggest mitigation or remediation actions, if appropriate.
Rewards
Valid, in-scope findings submitted to the Hilton Bug Bounty program will be rewarded based on the severity of the vulnerability. The amount offered for each severity is shown in the “Rewards” table above. Severity is based on the Common Vulnerability Scoring System (CVSS) score of the vulnerability; however, the final determination of severity is performed by, and at the sole discretion of, Hilton.
Severity Scoring
We will consider numerous factors when determining the severity of a finding, including but not limited to the potential business impact of the finding, the volume of sensitive data at risk, and/or the potential financial impact that could result from the compromise of data or a system.
Disclosure Policy
- You may not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hilton. You may not disclose any vulnerabilities publicly.
- Hilton may require that you sign a confidentiality agreement related to any vulnerabilities you identify.
- Please review HackerOne's policy for additional guidelines (https://www.hackerone.com/disclosure-guidelines).
Program Rules and Prohibited Activities
- You may only interact with accounts you own or with the explicit permission of the account holder, except in the case of published default credentials, in which case you may only authenticate to validate the credentials. Once authenticated, you may not interact with the account in any further manner.
- Automated web scans of Hilton websites should be limited to a maximum of 100 requests/minute for each website.
- You must not collect, disclose, destroy, compromise, alter, interfere with, or transfer any proprietary or confidential Hilton data or property or data or property belonging to Hilton’s business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party directly or indirectly affiliated with Hilton. Actions such as storing Hilton data in public internet services such as PasteBin are strictly prohibited. You must notify Hilton immediately if you access, modify, delete, or store Hilton data.
- You must not perform any actions that could affect Hilton's operations or the guest experience, such as Denial of Service (DoS) attacks or destruction of data.
- You must not interact with Hilton's customers without Hilton’s express written consent.
- All vulnerabilities submitted via the Hilton Bug Bounty program immediately and irrevocably become the intellectual property of Hilton. By submitting a report pursuant to the Hilton Bug Bounty program, you grant Hilton permission to make use of the information contained therein.
- You must not disclose any vulnerabilities related to Hilton to parties other than Hilton or HackerOne without express authorization from Hilton.
- Vulnerabilities will only be considered for triage if they are unknown to Hilton at the time of disclosure.
- For findings involving the exposure of documents, the impact is determined solely by the substantive content of the affected documents regardless of the markings on the documents.
- You must submit vulnerabilities to Hilton through the Bug Bounty program.
- To be eligible for a reward, vulnerability reports must provide enough technical detail for the Hilton security team to reproduce the issue.
- You must submit one report for each vulnerability. If you need to chain vulnerabilities to provide impact, you may submit more than one vulnerability in a single report.
- Do not submit multiple findings for issues of the same CWE affecting the same service. If you have been advised that the initial finding has been resolved and you then identify another finding, you may submit that finding.
- Findings related to the exposure of non-Hilton credentials from publicly available sources are considered out of scope.
- Social engineering (e.g., phishing, vishing, smishing) is prohibited.
- All questions about the Bug Bounty program must be submitted to [email protected].
- You must comply with all applicable laws.
- This program is not applicable in any jurisdiction where such conduct is not permissible.
- You may not participate in the program if you are a public sector employee unless you have obtained written permission from your ethics compliance officer.
- You may not participate in the program if you are a current Hilton employee or were an employee of Hilton within the last six months.
- Hilton may change the rules of the Bug Bounty program at any time.
Safe Harbor
- Any activities conducted in good faith and in a manner consistent with this policy will be considered authorized conduct and Hilton will not initiate legal action against the individual conducting those activities.
- Hilton does not authorize any security research on other entities and will not defend, indemnify, or protect you from any third-party action.
Thank you for helping keep Hilton and our customers safe!