Welcome to Priceline's Bug Bounty Program
Priceline is committed to collaborating with security experts across the globe to stay up-to-date with the latest security developments. If you have discovered a security issue that you believe requires our attention, please submit a report, and our team will make every effort to resolve the vulnerability. We look forward to working with you.
Announcement
- Priceline has a brand new AI assistant called Penny, who is there to help our customers with their travel-related bookings. You can find Penny on https://www.priceline.com/penny, and on many other pages (located at the bottom-right corner) where the bot performs page-specific functions. Help us test it out; we're happy to accept any vulnerability found within our Policy Guidelines for Penny.
- Any security issues that could be escalated or exploited due to missing security flags for sessions or cookies are already known to us, as we are addressing them internally. As a result, you might see a change in the severity of such reported issues or find them listed as known issues (Informative).
- *.priceline.com is in scope. However, whether the program rewards a report against a given asset under it will depend on the impact of the reported issue and the purpose of the reported asset.
- The X-Bug-Bounty:your-HackerOne-username header must be present in your requests to avoid possible blocking, since Priceline has a WAF and other security measures in place.
Rules of Engagement
Program Rules
While we want our hackers to perform at their best, we also want to ensure that there is minimal disruption to our business. On that note, please observe the following:
- Submit only one vulnerability per report, unless multiple vulnerabilities need to be chained together to highlight the overall impact.
- The severity of the issue will be determined based on its final impact and will be evaluated and adjusted by the Priceline team as needed.
- Public disclosure of submitted report(s) is strictly not allowed.
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. You must adhere to HackerOne's Disclosure Guidelines.
- We cannot reward or do business with any individual on any U.S. sanctions list or any individual residing in any country on any U.S. sanctions list. This includes residents of Russia, Cuba, Sudan, North Korea, Iran or Syria.
- Severity level is based on the CVSS scoring model; exceptions are granted at the sole discretion of the Priceline security team. Here is some more information on the CVSS scoring system.
- Subdomain takeover reports for out-of-scope Priceline assets will be accepted. However, the bounty reward might differ from the bounty table, as this is at our discretion. Third-party assets will not be eligible for bounty, although we may award a bonus at our discretion.
Testing Rules
- Do not attempt to access private customer information. If you have accessed such information to support a finding, please do not misuse it. Instead, report it so we can address the issue.
- Never attempt to view, modify, or damage information that belongs to other customers. If you need to test a vulnerability that involves accessing or modifying data of other users, create two accounts on Priceline and test between them.
- Do not attempt to affect our availability (Denial of Service, spam).
- Do not attempt to affect a product's (hotel, flight, rental car) availability by making unintended reservations and blocking the inventory for valid customers.
- Please avoid making multiple reservations. If you submit a reservation, please make sure you cancel it.
- Do not send reports exported from automated scanners. If it's a real bug, provide a detailed working PoC.
To help us identify you:
- Please use a custom HTTP header and mention it in your report. For example, a header that includes your username: X-Bug-Bounty:your-HackerOne-username. If the custom header is not used, your report may not be considered.
- Please use your HackerOne Email Alias (e.g., [email protected]) when making an account or a reservation on Priceline.
- Please provide your IP address in the bug report.
Guidelines for Penny
Acceptable Findings:
- Business logic bypass flaws.
Examples (listing a few):
- Ability to view or modify bookings of other customers using Penny
- Authentication bypass
- Pricing manipulation
- Bypassing critical service restrictions
- Access to Personally Identifiable Information (PII) of other customers
- Prompt Injection, specifically those leading to the disclosure of sensitive internal information (such as proprietary data, backend raw source code, API keys, credentials, etc.)
- Security issues that affect our infrastructure or can compromise our systems.
Examples (listing a few):
- Code Execution
- Server Side Request Forgery (SSRF)
- Injections leading to data exfiltration or unauthorized data modification
- Cross-Site Scripting (XSS)
- Data Poisoning (that is, modifying Penny's training data or input in such a way that corrupts its responses or functionality)
- Safety Violations (issues where Penny generates harmful, inappropriate, or misleading responses).
These will be reviewed on a case-by-case basis and will only be rewarded if the vulnerability is novel, significant, and can be exploited in a meaningful way. The default risk rating for issues from this category will be low.
Important Note
- All valid submissions must include detailed steps to reproduce the issue, accompanied by screenshots or videos, as well as the user prompts that were used to identify the issue.
- Denial of Service (DoS) attempts that disrupt the chatbot service and make it inaccessible to others are strictly forbidden. Any hacker attempting this will be banned from the program and will not be entitled to any bounties, regardless of the findings.
Known Issues about Penny
- It is possible to jailbreak Penny and get the bot to respond to non-travel related queries, often involving controversial or malicious topics.
- Penny discloses system prompts / instructions / guidelines.
- Penny discusses competitors.
Response Targets
Priceline will make a best effort to meet the following response targets for hackers participating in our program:
- Time to first response (from report submit) - 2 business days
- Time to triage (from report submit) - 2 business days
- Time to bounty (from triage) - 1 business day (max 2 weeks)
- Time to resolution - 30 days
All times indicated are in business days.
Non-Qualifying Vulnerabilities and Exclusions
- Issues that are already known to the Priceline team will not be eligible for bounty.
- Denial of Service (DoS), Distributed Denial of Service (DDoS), or other availability attacks.
- Rate-limiting issues.
- Session token in URL. We know about the session token in the URL in some legacy portions of the site.
- Any report that has been accidentally closed as Resolved will not be eligible for a bounty if resubmitted by the same or a different researcher.
- Self XSS.
- Web Browser XSS Protection not enabled.
- Similar weaknesses/reports will not be paid out as separate bounties. For example, XSS in multiple parameters on the same endpoint.
- Technology Name & Version disclosure.
- Loading mixed content.
- Missing HTTP security headers.
- Missing cookie flags on non-sensitive cookies.
- Weak Password Policy.
- Clickjacking.
- Physical attacks against any Priceline office or data center.
- Social engineering (for example, phishing or phone calls targeting Priceline employees, contractors, or agents); leaked credentials in third-party software breaches.
- Email notification for user profile changes.
- Content Spoofing due to error pages or text injection.
- Information disclosure through Referer header (e.g., Reset password token).
- Vulnerable version of libraries (for example 'jquery') unless they can be demonstrated to be exploitable by an attacker.
- Email/user enumeration.
- Reports containing offer number disclosure will not be taken into consideration.
- Google Maps API Key Leakage.
- Publicly accessible xmlrpc.php files.
- Browsable files that do not contain confidential data such as yarn.lock, package.json, client.js, or similar files.
- Reiterating - please don't send us vulnerability scanner reports. If it's a real bug, you must provide steps to reproduce and/or a proof of concept.
Note: If you submit a report that falls into any of the above categories, it will be closed as Informative and will not be eligible for a bounty.
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.