The LATAM Airlines Program Policy (the “Policy”) covers the Terms and Conditions (“Terms”) of your participation in the LATAM Airlines Vulnerability Program (the “Program”) as a “Finder.” These Terms are between you and LATAM Airlines. By submitting Vulnerability Reports or otherwise participating in the Program, you accept these Terms.
Your participation in the Program is further governed by the provisions of the HackerOne Finder Terms and Conditions (https://www.hackerone.com/terms/finder) and HackerOne Vulnerability Disclosure Guidelines (https://www.hackerone.com/disclosure-guidelines), except for those provisions which differ from the Terms set forth in this Policy. When there is a stated difference between the Policy and the HackerOne Finder Terms and Conditions and/or the HackerOne Vulnerability Disclosure Guidelines, the Policy will govern.
LATAM Airlines looks forward to working with the security community to find vulnerabilities in order to keep our business and customers safe.
Table of Contents
## I. Program Terms
- Program Overview
- Safe Harbor
- Program Eligibility
- Program Rules
- Disclosure Policy
- Changes to the Terms
- Independent Parties/Transaction
- Limitation of Liability
## II. Testing & Submission Process
- Response Times
- Test Instructions
- Scope Exclusions
## III. FAQ's
I. Program
1. Program Overview
The Program enables Finders to submit reports on vulnerabilities and exploitation techniques to LATAM Airlines about live websites, networks, products and services owned, operated, and/or deployed by LATAM Airlines.
Finders, also known as “hackers,” include anyone who has investigated a potential security issue in some form of technology, including academic security researchers, software engineers, system administrators, and casual technologists.
2. Safe Harbor
Activities conducted in a manner consistent with this Policy will be considered “authorized conduct,” and we will not initiate legal action against you; provided, however, grossly negligent activities and willful misconduct shall not be considered authorized conduct.
If legal action is initiated by a third party against you in connection with authorized conduct, we will make it known that your actions were conducted pursuant to the Program. LATAM Airlines reserves all legal rights in the event of noncompliance with this Policy.
3. Program Eligibility
You are eligible to participate in the Program if you meet all of the following criteria:
- You agree and adhere to the Terms as stated in this Policy.
- You are either an individual participating in your own individual capacity, or you work for an organization that permits you to participate. You are responsible for reviewing your employer’s rules for participating in this Program.
You are not eligible to participate in the Program if you meet any of the following criteria:
- Your organization does not allow you to participate in these types of programs.
- You are currently an employee of LATAM Airlines or an immediate family member (parent, sibling, spouse, or child) or household member of such an employee.
- Within six months prior to providing a report, you were an employee of LATAM Airlines.
- You currently (or within six months prior to providing a report) perform services for LATAM Airlines in an external staff capacity, such as on behalf of a LATAM Airlines or subsidiary contractor, vendor, or partner.
- You are or were involved in any part of the development, administration, and/or execution of this Program.
- Your participation in this Program violates the laws of any jurisdiction, including the jurisdiction where you live and/or work and/or jurisdictions where LATAM Airlines operates.
Vulnerability Reports are eligible for submission if the following criteria are met:
- You are the first to submit a sufficiently reproducible report of the vulnerability; only the first such report is eligible to be accepted and triaged.
- You are available to supply additional information, as needed by our team, to reproduce and triage the issue.
- Publicly-known zero-day vulnerabilities will not be considered for eligibility until more than 30 days have passed since patch availability.
- Out-of-scope Vulnerability Reports or reports that are technically reproducible but pose a very low security impact are likely to be closed as Informative.
4. Program Rules
Do:
- Read and abide by the Program Policy.
- Perform testing using only accounts that are your own personal/test accounts or an account that you have explicit permission from the account holder to utilize.
- Exercise caution when testing to avoid negative impacts to LATAM Airlines, LATAM Airlines systems, networks, data, services, and information technology infrastructure, and/or LATAM Airlines employees, staff, contractors, vendors, and customers of such entities.
- STOP testing if you are unsure about the impact it may have on our systems and/or data. If you think you may cause, or have caused, damage with testing a vulnerability, report your initial finding(s) and request authorization to continue testing.
Do NOT:
- Do not brute force credentials or guess credentials to gain access to systems.
- Do not participate in denial of service attacks.
- Do not upload shells or create a backdoor of any kind.
- Do not engage in any form of social engineering of LATAM Airlines employees, customers, contractors, or vendors.
- Do not engage or target any LATAM Airlines employee, customer, contractor, or vendor during your testing.
- Do not attempt to access, view, extract, download, or otherwise exfiltrate data that you believe may contain personally identifiable information or other sensitive data, including LATAM Airlines’ business information.
- Do not change passwords of any account that is not yours or that you do not have explicit permission to change. If ever prompted to change a password of an account you did not register yourself or an account that was not provided to you, stop and report the finding immediately.
- Do not do anything that would be considered a privacy violation, cause destruction of data, or interrupt or degrade our service. Do not interact with accounts you do not own or without the explicit permission of the account holder. Do not share copyrighted material without authorization.
- Do not engage in activity that is false or misleading.
- Do not engage in activity that is harmful to you, the Program, or others (e.g., transmitting viruses).
5. Disclosure Policy
You may not discuss this program or any vulnerabilities (even invalid and resolved ones) outside of the Program without express consent from LATAM Airlines. If you are interested in sharing any information about your testing methodology related to a LATAM Airlines report, you must request permission on your report, and you must receive written approval from a LATAM Airlines team member.
6. Changes to the Terms
LATAM Airlines reserves the right to modify the Terms of this Program, and your participation in the Program constitutes acceptance of all terms. Please check this site regularly as we routinely update our program terms and eligibility, which are effective upon posting. You can subscribe to receive email notifications when this policy is updated.
7. Independent Parties/Transaction
You are not an employee, contractor, or agent of LATAM Airlines, but are an independent third party who has voluntarily chosen to participate in the Program. Nothing in the Terms is intended to render LATAM Airlines and you as joint venturers, partners, or employer and employee. Under no circumstances shall LATAM Airlines be considered your employer, nor shall you have any rights as an employee of LATAM Airlines.
You are not entitled to reward, compensation, public recognition, or reimbursement in connection with your participation in the Program.
8. Limitation of Liability
Neither LATAM Airlines, nor any LATAM Airlines director, officer, employee, counsel, advisor, contractor, vendor, or affiliate shall be liable for any breach of these Terms. You cannot recover any damages or losses from LATAM Airlines, nor any LATAM Airlines director, officer, employee, counsel, advisor, contractor, vendor, or affiliate in connection with this Program.
II. Submission Process
1. Response Times
| Type of Response | SLA in business days |
|---|---|
| First Response | 2 days |
| Time to Triage | 2 days |
| Time to Resolution | depends on severity and complexity |
2. Test Instructions
- We strongly recommend that you set a User-Agent header on your HTTP(S) requests, and that for non-HTTP requests you add an identifying marker to the artifacts in your proofs of concept and/or payloads, so our teams can identify you as a verified hacker rather than a malicious attacker. The marker is `h1:<vdp-hackeroneusername>`.
- No credentials are required or provided for this Program. If you self-register for any accounts, please register with your @wearehackerone.com email address. You may not use exposed credentials to continue testing without explicit approval of LATAM Airlines.
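As an added example (not part of LATAM Airlines' policy or HackerOne's tooling), the following Python shows how a defender's log triage could use the `h1:<vdp-hackeroneusername>` marker above to separate tagged Program traffic from untagged requests that still need review. The log lines are constructed, and the combined access-log format and the `Hit` record type are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Marker recommended in the Test Instructions: "h1:<vdp-hackeroneusername>".
# A word boundary keeps e.g. "sha1:..." from being mistaken for the tag.
H1_TAG = re.compile(r"\bh1:([A-Za-z0-9_-]+)")

# Apache/nginx "combined" access-log format (assumed for this example).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

@dataclass
class Hit:
    ip: str
    request: str
    status: int
    finder: Optional[str]  # HackerOne username from the h1: tag, if present

def parse_line(line: str) -> Optional[Hit]:
    """Parse one combined-log line; return None for lines that do not match."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    tag = H1_TAG.search(m["ua"])
    return Hit(m["ip"], m["req"], int(m["status"]), tag.group(1) if tag else None)

def split_traffic(lines):
    """Group tagged requests by finder username; collect untagged ones separately."""
    tagged, untagged = {}, []
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue
        if hit.finder:
            tagged.setdefault(hit.finder, []).append(hit)
        else:
            untagged.append(hit)
    return tagged, untagged

# Constructed sample log lines (documentation IP ranges, fictitious usernames).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2024:10:15:01 +0000] "GET /robots.txt HTTP/1.1" 200 128 "-" "Mozilla/5.0 (compatible; h1:alice_sec)"
198.51.100.7 - - [12/Mar/2024:10:15:02 +0000] "GET /api/v1/status HTTP/1.1" 200 64 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.10 - - [12/Mar/2024:10:15:03 +0000] "GET /admin/ HTTP/1.1" 403 0 "-" "Mozilla/5.0 (compatible; h1:alice_sec)"
192.0.2.44 - - [12/Mar/2024:10:15:04 +0000] "POST /login HTTP/1.1" 401 33 "-" "h1:bob-researcher curl/8.4.0"
not a log line"""
```

Running `split_traffic(SAMPLE_LOG.splitlines())` groups two requests under `alice_sec`, one under `bob-researcher`, and leaves the untagged request from 198.51.100.7 for ordinary review.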
3. Scope Exclusions
- LATAM Airlines reserves the right to add to and remove from the Exclusions list depending on the evaluated severity of reported vulnerabilities and risk acceptance.
- Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring MITM or physical access to a user's device
- Previously known vulnerable libraries without a working Proof of Concept
- Comma Separated Values (CSV) injection without demonstrating a vulnerability
- Missing best practices in SSL/TLS configuration
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Any activity that could lead to the disruption of our service (DoS), including but not limited to, inundating support services with invalid requests.
- Bruteforce oracle attacks against unauthenticated endpoints
- Missing best practices in Content Security Policy
- Missing HttpOnly or Secure flags on cookies
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g., stack traces, application or server errors)
- Tabnabbing
- Issues that require unlikely user interaction by the victim
- The sites "link.lanchile.cl", "www5.lanchile.cl", "pilotos.lanchile.cl", "gov.lanchile.cl" and "logistica.lanchile.cl" belong to a third-party service; on the LATAM side these records are only DNS redirections, so we cannot offer resolution times. Reports on these hosts will be accepted and closed as Informative, and forwarded to the third party so that it can analyze and resolve them.
- XSS issues against http://mycargomanager.appslatam.com, because this application will be deactivated and there are no resources for its resolution.
III. FAQ's
- Can I get LATAM Airlines swag?
  LATAM Airlines does not currently offer swag.
- Can LATAM Airlines provide me with a pre-configured test account?
  This program does not provide credentials or any special access.
- What is required when submitting a report?
- How do I make my report great?
- I submitted a report. Now what? I have questions.
- What causes a report to be closed as Informative, Duplicate, N/A, or Spam?
- What is an example of an accepted vulnerability?
  Valid and accepted vulnerabilities are reports that identify a unique security impact within this Program's specific scope. The report must also meet any submission criteria outlined in the Policy, such as the test instructions and a working proof of concept.
Thank you for helping keep LATAM Airlines and our users safe!