Hyatt Hotels

Keeping Guests Safe

Hyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you!

In-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope.

By participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below. We look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.

SLA

Hyatt will make a best effort to meet the following SLAs for hackers participating in our program:

• Time to first response (from report submit) - 1 business day
• Time to triage (from report submit) - 1 business day
• Time to bounty (from triage) - Bounty payouts will be issued upon confirmation that the vulnerability is slated for remediation

*Critical = 30 days *High = 60 days *Medium = 90 days *Low = N/A

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

• Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.
• Follow HackerOne's disclosure guidelines.

Program Rules and Bounty Eligibility

• Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.
• Do not destroy or alter discovered data.
• Do not inappropriately store Hyatt information in public locations i.e., GitHub.
• Do not intentionally harm other guests as well as their experience.
• Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.
• Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.
• Current Hyatt colleagues and contractors cannot participate in this program.
• You cannot participate in this program if you have been a Hyatt colleague or contractor in the past six months.
• Only submit vulnerability reports through the HackerOne platform.
• A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced.
• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
• Social engineering (e.g. phishing, vishing, smishing) is prohibited.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
• Limit automation/rate scraping to 100 requests per minute.
• Cancel all reservations created by test accounts.
• Researchers are prohibited from using, completing, or staying on any booking obtained through an exploit, including bookings that result in free, discounted, or otherwise unauthorized stays.

Submission Requirements

• All vulnerability reports must be filed through the HackerOne platform.
• Vulnerability reports must meet all of HackerOne’s requirements.
• https://docs.hackerone.com/programs/submit-report-form.html

Testing Requirements - Hyatt Hotels

Test Accounts

Create World of Hyatt test accounts to these specifications:

• First name: (for multiple accounts - one, two, etc.).
• Last name: "Test".

Reservation Requirements

If you must create bookings for testing purposes, follow these rules:

• Test bookings should be made a minimum of four months into the future.
• All test bookings should be canceled as soon as possible.
• Do not book New York City or Chicago properties for testing purposes.
• If possible, add "HackerOne" to the comments section in bookings.

Testing Requirements – ALG Properties

Review this document for all testing requirements: • Please review the F2216536

Fraud and Privacy Testing - Hyatt Assets Only

We created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, you cannot keep any points stolen. Can you discover any PII of these accounts? Stay details? Can you elevate their tier status? Can you steal the points!?

Target these World of Hyatt accounts for fraud and privacy-related tests:

• 540795125Y
• 535322656B
• 540941865E

Rewards

Our rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of Hyatt.

Hyatt Hotels In Scope Assets

• hyatt.com (no additional subdomains unless explicitly mentioned).
• 140.95.0.0/16.
• 213.139.133.32/28.
• assets.hyatt.com.
• confluence.hyattdev.com.
• ebsext.oft.hyatt.com.
• jira.hyattdev.com.
• meetings.hyatt.com.
• mobileapp.hyatt.com.
• newsroom.images.hyatt.com (not newsroom.hyatt.com).
• plannerrequest.hyatt.com.
• public.hyatt.com.
• roominglist.hyatt.com.
• salesportal.hyatt.com.
• soaext.oft.hyatt.com.
• sso.oft.hyatt.com.
• upsell.hyatt.com.
• world.hyatt.com.
• www.hyatt.com.
• www.hyattconnect.com.
• Hyatt Hotels Mobile Application (Android & iOS).

##ALG In Scope Assets No additional subdomains unless explicitly mentioned.

• booking.cheapcaribbean.com
• book.cheapcaribbean.com
• res.treasureisland.globalbookingsolutions.com
• res.vacations.buschgardens.com
• res.vacations.sesameplace.com
• vacations.travelimpressions.com
• www.blueskytours.com
• www.cheapcaribbean.com
• www.triseptsolutions.com
• blueskytours.globalbookingsolutions.com
• book.beachbound.com
• res.funjet.com
• res.secretsresorts.com
• res.skyteam.com
• res.vacations.discoverycove.com
• res.vacations.seaworld.com
• vacations.universalstudioshollywood.com
• www.funjet.com
• www.universalorlandovacations.com
• www.wynnvacations.com
• www.beachbound.com
• booking.beachbound.com
• book.applevacations.com
• book.booktandl.com
• login.www.vaxvacationaccess.com
• new.www.vaxvacationaccess.com
• res.blueskytours.globalbookingsolutions.com
• res.southwestvacations.com
• res.universalorlandovacations.com
• res.vacations.united.com
• res.vacations.universalstudioshollywood.com
• reservations.wynnvacations.com
• rezagent.triseptsolutions.com
• shop.wyndhamvacationownership.trisept.travel
• www.triseptapi.com
• www.triseptdemo.com
• vacations.united.com
• www.applevacations.com
• 199.66.248.0/22
• res.hyattinclusivecollection.com
• www.hyattinclusivecollection.com
• booking.applevacations.com

Vulnerabilities

• Access to another guest’s reservation or account.
• Application bugs that result in unintended room rate changes.
• Authentication bypass.
• Back-end system access via front-end systems.
• Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).
• Bypassing account recovery systems at scale.
• Container escape.
• Discovery of Hyatt data on Hyatt-managed public cloud storage services.
• Elevating membership tier.
• Gaining or using World of Hyatt points inappropriately.
• Highly creative means of automating account checking or rate scraping (e.g., botting).
• Highly creative means of discovering origin IP.
• Highly creative means of spoofing email messages.
• Online name changes on an account or award reservation.
• Publicly available cloud systems that may host Hyatt information.
• SQL Injection.
• Cross-Site Request Forgery.
• Exploitable Cross-Site Scripting.
• WAF bypass.
• Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).
  • A combination of multiple data elements can increase the severity.

Out of Scope

Assets

• Any other Hyatt/ALG assets not specifically listed as in-scope.
• Any communication with Hyatt or ALG colleagues.
• Attacks against any account other than the specified target accounts.
• Data breaches or credential dumps.
• Hotel properties and their physical and networks infrastructure.
• Hyatt corporate information systems.
• Third-party companies that perform business transactions for Hyatt employees and contractors.
• Using stolen points for personal use.
• Exploitation of our membership partners:
  • American Airlines AAdvantage®
  • FIND experiences
  • Lindblad Expeditions
  • M life Rewards destinations
  • Small Luxury Hotels of the World properties
  • UrCove properties
  • Any other organization associated with the World of Hyatt

Vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

• Any activity that could lead to the disruption of our service (DoS).
• Attacks requiring MITM or physical access to a user's device.
• Attacks requiring physical access to a user’s device.
• Attacks requiring physical access to a Hyatt employee, contractor or guest device.
• Autocomplete on web forms.
• Clickjacking on pages with no sensitive actions.
• Clickjacking, unless an effective exploit can be demonstrated.
• Client browser vulnerabilities.
• Comma Separated Values (CSV) injection without demonstrating a vulnerability.
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
• Data entry-based room rate errors.
• Denial of inventory.
• Denial of Service attacks on Hyatt infrastructure.
• Limited content reflection or content spoofing.
• Missing best practices
  • This includes reports revealing vulnerabilities and exploits disclosed within a standard 30-day patching window.
• Password and account recovery policies.
• Password policies, i.e., complexity.
• Phishing or spear phishing attacks.
• POST-Based reports requiring a victim to request files hosted on out-of-scope assets.
• Previously known vulnerable libraries without a working Proof of Concept.
• Rate-limiting issues on endpoints that do not disclose PII or other relevant information.
• Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).
• Self-exploitation.
• Social engineering attacks.
• Software version disclosure.
• SSL / TLS best practices.
• Unauthenticated/logout/login CSRF.
• Vulnerabilities that cannot be reproduced.
• Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.
• Zero-day vulnerabilities and exploits in vendor software.

SQL Injection Policy

• Do not alter any data.
• Do not change or interrupt server or database functionality.
• Do not destroy any data.
• Do not read or save sensitive data belonging to guests other than yourself.
• Blindly counting rows and columns of databases is permissible.
• Generating outbound DNS requests is permissible.
• Listing database names and columns is permissible.
• Logic responses are permissible.

XSS Policy

• Stored XSS is classified as Medium-severity.
• Reflected XSS is classified as Low-severity.
• XSS on IE only is classified as Informational.
• POST-Based XSS is classified as Not Applicable.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. Thank you for helping keep Hyatt and our guests safe! The term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.