
Marriott Bug Bounty Program
External Program
Submit bugs directly to this organization
#Welcome to the Marriott Bug Bounty Program!
Marriott takes cybersecurity seriously. Individuals that participate in the Program by responsibly researching and reporting vulnerabilities help us to ensure the security and privacy of our customers and data.
#Program Terms
This Policy governs your participation in Marriott’s Bug Bounty Program and supersedes any conflicting HackerOne terms. By submitting a vulnerability report through HackerOne, you agree to this Policy.
Researchers must:
• Follow HackerOne's Gold Standard Safe Harbor pledge and Community Code of Conduct;
• Act within the defined rules published on HackerOne; and
• Act within the defined scope published in the Program.
Marriott supports good-faith security research and will honor Safe Harbor protections when rules are followed.
#Scope
Please review the Scopes tab to confirm which assets are in-scope and which are out-of-scope for the Marriott Bug Bounty Program. Any asset not listed in-scope is ineligible for bounty and will be marked N/A.
#Out-of-Scope Submissions
• "Zero Days": security flaws for which an official patch was released within the last 31 business days
• Web Cache Poisoning, DOM-Based XSS, Reflected XSS, UI redressing via custom .html files, and HTML injection
• Content spoofing, iframes, open redirects, CRLF or text injection that does not persistently modify the application or that requires user interaction
• Leaked tokens, IDs, or cookies without proof of account takeover (ATO)
• Non-persistent DOM-based and Reflected XSS requiring user interaction (aka Phishing)
• Intentional service disruption (e.g., DoS)
• MITM attacks requiring access to the physical network or a physical location such as a hotel or office
• Leaked credentials sourced from data-stealing malware logs, third-party threat intelligence, or purchased credential packs
#Submission Requirements
To qualify for a bounty, you first need to meet all of the following requirements:
• Agree to and adhere to the requirements and conditions outlined in the Program Terms, Scope, Confidentiality and Disclosure, and Legal sections within this policy;
• Store supporting evidence only within the Submission (i.e., you are prohibited from hosting files on your own device or on external hosting services);
• Provide a detailed summary of the exploit or chain of exploits, including: (i) type of issue; (ii) validation of the company that owns the asset (this can be done via WHOIS records or by emailing: [email protected]); (iii) product, version and configuration, where applicable; and (iv) list of impacted assets (i.e. websites, applications, software, etc.);
• Provide proof of the vulnerability (i.e. through screenshots, screen captures, etc.);
• Suggest mitigation or remediation actions; and
• Provide your IP address, the dates you identified the potential vulnerability and performed testing, and the web browser, testing tools, and mobile app version used during testing.
Failure to adhere to the above minimum guidelines may result in a reduced reward.
#Rewards
Rewards are calculated based on the CVSS score assigned to the Submission and are at the sole discretion of Marriott. Marriott aims for consistent rewards, but previous reports or reward amounts should not be considered a precedent and should not be used to negotiate a higher reward.
Recipients of rewards are responsible for the payment of all applicable taxes.
#Response Times
Marriott understands the importance of the efforts of Researchers reporting vulnerabilities, as they regularly make valuable contributions to Marriott and the broader community. We take each Submission seriously and will investigate and take appropriate steps to resolve reported vulnerabilities.
Marriott will use its best efforts to meet the following timelines related to Submissions and to keep reporters informed throughout the process:
| Marriott Response | Estimated Response Time |
|---|---|
| First Response | 2 days |
| Time to Triage | 5 days |
| Time to Bounty | 20 days |
| Time to Resolution | Depends on severity and complexity |
#Confidentiality and Disclosure
Researchers must immediately stop all activity and notify Marriott, through HackerOne, if Researchers:
• Access any personal or confidential data related to Marriott, or its customers, employees, or other affiliated parties, or otherwise the data or accounts of others, except when Researchers have been provided express permission to access such accounts;
Unless expressly provided in writing by Marriott, all Submissions and related information must be kept confidential and may not be shared outside of the Program. For the protection of our customers, Marriott does not publicly disclose, discuss or confirm security matters before comprehensively investigating, diagnosing and fixing any known issues. Marriott does not permit any public disclosure about the Program or Submissions. Do not discuss or write about any potential, current or resolved vulnerabilities without express consent from Marriott.
#Legal
Marriott may be prohibited from issuing a reward if the reporter is: (i) a citizen or resident of an embargoed country; or (ii) on the US Treasury Department's Specially Designated Nationals list, the US Department of Commerce Denied Persons or Entity List, or any other restricted party list. Marriott reserves the right to update or terminate the Program at any time; changes are effective upon posting. Please review the Program page regularly for updates. Marriott employees and vendors are encouraged to participate in the Program, but they are not eligible for bounty payments.
Thank you for helping protect Marriott’s systems, data and customers.