
Trip.com
External Program
Trip.com Group looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe. ==** Before submitting a vulnerability report, please read our policy first. **==
Trip.com Group will make a best effort to meet the following SLAs for hackers participating in our program:
| Type of Response | SLA in business days |
|---|---|
| First Response | 2 days |
| Time to Triage | 2 days |
| Time to Bounty | 14 days |
| Time to Resolution | depends on severity and complexity |
We will keep you informed about our progress throughout the process.
| Application Level | Application Description |
|---|---|
| High priority | https://.trip.com main page entry and related business (can be switched to multiple languages) |
| Low priority | All other *.trip.com domains and related applications not covered by the high-priority entry |
| Low priority | *.trainpal.com and *.mytrainpal.com |
| Application Level | Application Description |
|---|---|
| Low priority | *.travix.com |
| Low priority | *.travix.io |
| Low priority | *.cheaptickets.nl |
Our business attracts customers from two main sources:
When a customer lands on our website via a partner or directly, they arrive on one of our 50 websites; for this program, focus on https://www.cheaptickets.nl/ .
During that flow, the front end (https://www.cheaptickets.nl) calls multiple public backend APIs under *.travix.com. Those public backend APIs in turn call internal backend APIs under *.travix.com and *.travix.io, and the results are returned to the front end.
Given the above, we are interested in how deeply you can investigate our system to find serious vulnerabilities that lead to access inside the system, leakage of customer data (PII), or fraud.
Our maximum bounty is $5,500 USD. The following table lists typical reward ranges by severity; the actual reward may vary around these averages depending on the application in which the vulnerability is found and the level of detail in your report.
| Vulnerability Type | Vulnerability Description | Average Bounty for high-priority asset | Average Bounty for lower-priority asset |
|---|---|---|---|
| Remote Code Execution (RCE) | Direct access to system privileges, including but not limited to command execution, code execution, webshell upload, etc. | $5500 | $1500 |
| SQL Injection | SQL injection that can obtain sensitive database information | $2500 | $1000 |
| Sensitive Data Exposure | Leakage of a large amount of plaintext sensitive user information, including but not limited to mobile phone numbers, bank card details, ID card details, order information, email addresses, postal addresses, etc. | $2000 | $800 |
| Server Side Request Forgery (SSRF) | Non-blind SSRF that can reach Trip.com's intranet and returns the response content | $1500 | $500 |
| Authorization Flaw | Serious unauthorized sensitive operations, including but not limited to unauthorized modification of important account information, operations on other users' orders, and modification of important business configuration | $1000 | $300 |
| Logic flaw | Logical design flaws and business process flaws | $500 | $200 |
| Local file read | Arbitrary file read that can retrieve important sensitive system files | $500 | $200 |
| Stored Cross Site Scripting | Stored XSS only; reflected and DOM-based XSS are not rewarded. Stored XSS that appears on multiple pages because of the same stored data counts as a single finding. | $200 | $50 |
==** The following low-risk vulnerabilities are not eligible for rewards in this program, but you may submit them through Trip SRC ( https://src.trip.com ): **==
Thank you for helping keep Trip.com Group and our users safe!