Kiwi.com is committed to working with security experts worldwide in cooperation with HackerOne’s Triage team to ensure the high quality of our bug bounty program and the security of our customers.
If you’re good enough to spot a vulnerability on our site, we’d love to know about it!
We value the work and time of independent security researchers and therefore aim to:
- Reply to all submissions within two business days (either Kiwi.com or HackerOne Triage)
- Post regular updates to all submissions on a weekly basis
- Determine security impacts transparently
- Pay bounty on triage
- Resolve vulnerabilities within one week to minimize the likelihood of a duplicate report
Everything related to Kiwi.com is in scope, with primary services outlined in the structured scope section. If you have any questions, reach out to us at [email protected].
Rules of engagement
- Limit scans against a single hostname to one request every 500 ms (in other words, 2 requests per second).
- Under no circumstances engage in:
  - Physical attacks targeting any Kiwi.com property
  - Social engineering of Kiwi.com employees or contractors
  - DoS/DDoS or other availability attacks
- Do not compromise any customer accounts or data.
- Do not discuss or post details of your vulnerability outside of the HackerOne platform before it has been approved for disclosure.
- Issues introduced by vulnerable third-party software (for example, publicly disclosed 0-days) are subject to a ten-day grace period to allow enough time for internal remediation and testing.
- Current employees and former employees who have left the company within the past year are prohibited from participating in our bug bounty program. Employees who departed more than one year ago are eligible to participate.
Account & Booking
Use your <username>@wearehackerone.com email for any registrations or logins.
If you want to book a flight and test any post-booking systems, you can pay for a booking with a test credit card. To create a test booking, use the following information:
- Start the flow by adding &sandbox=true as a query parameter to the URL
- Create the following cookie: sandbox_payment=true
- On the main Booking page, in the Primary passenger tab:
  - First Name: TEST
  - Last Name: TEST
- On the Payment page:
  - Test card number: 4111 1111 1111 1111
  - Expiry date (MM/YY): 12/42
  - Security code: 123
  - Cardholder's name: TEST APPROVE
- The system treats test bookings as complete, but it will not book any real flights.
Out of scope vulnerabilities & exclusions
Issues that we know about and would like to fix at some point or which we don't plan on fixing, e.g., because we know it's not feasible:
- User/email enumeration
- A small number of Kiwi.com email addresses leak via JavaScript files
- Invalid or missing SPF/DKIM/DMARC records
- Lack of 'Secure' and 'HttpOnly' cookie flags
- Theoretical TLS/SSL issues
- Read access to our public Firebase instances:
  - skypicker-984.firebaseio.com
  - kiwi-debug.firebaseio.com
- Hard-coded API keys (for example, Google Maps, Mapbox, ...), unless there is a different impact than additional costs
- Leaked credentials of tequila partners in third-party services (such as GitHub)
- Attacks requiring MITM or physical access to a user's device
- Lack of "best practices" that do not impose a vulnerability that can be leveraged
- PII leaks between the members of a single tequila company
- Authorization bypasses in tequila within a single tequila company might be exempt from bounties, depending on the vulnerability
- XSS / HTML Injection in Swagger UI
- Credentials and other sensitive leaks aggregated in third-party sites (e.g., otx.alienvault) without demonstrating that a vulnerability on our end caused the breach.
Safe harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. Your participation in our bug bounty program is voluntary. By submitting a report or otherwise disclosing a vulnerability to us, you are indicating that you have read and agree to follow the rules set forth on this page. Kiwi.com reserves the right to modify or terminate this program at any time.