Vueling Vulnerability Disclosure Program
Introduction
Vueling looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.
This disclosure program is limited to security vulnerabilities in systems owned by Vueling. This program does not provide monetary rewards for bug submissions.
Program Highlights
Open Scope — Accepts reports for all owned assets based on impact, even if not listed in scope.
Gold Standard Safe Harbor — Adheres to Gold Standard Safe Harbor.
Coordinated Vulnerability Disclosure — Standard coordinated vulnerability disclosure process.
Top Response Efficiency — This program's response efficiency is above 90%.
Response Targets
Vueling & HackerOne will make a best effort to meet the following SLAs for hackers participating in our program:
- First Response: 2 days
- Time to Triage: 10 days
- Time to Resolution: Depends on severity and complexity
Test Plan
- Include the following HTTP header in any outgoing HTTP requests: X-H1-traffic: <username>
- Use your @wearehackerone.com email alias to register for accounts.
- Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.
Rules of Engagement
By submitting reports or otherwise participating in this program, you agree that you have read and will follow the Program Rules and Legal Terms sections of this program Policy.
Program Rules
- Vulnerabilities may only be reported via the HackerOne platform and may only be sent to us. The submission of vulnerabilities via other channels is not permitted and will not be recognized within this program.
- Employees, service providers, and individuals in a working relationship with Vueling or any of its subsidiaries are excluded from the program. All other security researchers who wish to help us improve the security of our systems are welcome to take part in the program.
- Do not publicly disclose any details of the vulnerability, indicator of vulnerability, or the content of information rendered available by a vulnerability, except upon receiving explicit written authorization from Vueling. Vueling policy overrides HackerOne Vulnerability Disclosure Guidelines and as such disclosure is not permitted on this program.
- Please provide detailed technical reports with reproducible steps. Include screenshots and proof-of-concept URLs. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- When submitting a report, you acknowledge you are subject to HackerOne's Disclosure Guidelines (as modified by this Program Policy regarding disclosure timelines and rules), the HackerOne Finder Terms and Conditions and the HackerOne General Terms and Conditions.
- Do no harm and do not exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.
- Avoid intentionally accessing the content of any Vueling data in transit or data at rest, except to the extent that the information is directly related to a vulnerability and the access is necessary to prove that the vulnerability exists.
- Do not perform testing activities against any accounts that you do not own.
- Do not conduct physical attacks on branch offices or computing centres.
- Do not exfiltrate any data under any circumstances.
- Do not compromise the privacy or safety of Vueling personnel or any third parties.
- Do not intentionally compromise the intellectual property or commercial interests of any Vueling personnel or entities, or any third parties.
- Do not conduct denial of service (DoS) testing.
- Do not submit a high volume of low-quality reports.
- If at any point you are uncertain whether to continue testing, please engage with our team.
How to Submit a Report
Please provide a detailed summary of the vulnerability, including:
- Type of issue
- Product, version, and configuration of software or asset containing the bug
- Step-by-step instructions to reproduce the issue (Proof-Of-Concept)
- Impact of the issue
- Suggested mitigation or remediation actions, as appropriate
By clicking "Submit Report," you are indicating that you have read, understand, and agree to the guidelines described in this policy for the conduct of security research and disclosure of vulnerabilities or indicators of vulnerabilities related to digital products and information systems, and consent to having the contents of the communication and follow-up communications stored. Submissions that require manipulation of data, network access, or physical attack against Vueling offices or data centres and/or social engineering of our service desk, employees, or contractors will not be accepted. Submissions that result in the alteration or theft of Vueling data or interruption or degradation of Vueling systems will not be accepted.
Out of Scope Vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
- Clickjacking on pages with no sensitive actions that does not result in material consequence to the company.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions that does not affect the integrity of IAG customer or staff accounts.
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration that are not directly exploitable.
- Any activity that could lead to the disruption of our services (DoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
- Rate limiting or brute-force issues on non-authentication endpoints.
- Missing best practices in Content Security Policy.
- Missing HttpOnly or Secure flags on cookies.
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
- Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable versions behind the latest released stable version).
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors) that are not directly exploitable.
- Tabnabbing or other attack vectors relying on unusual user interaction.
- Open redirect - unless an additional security impact can be demonstrated.
- Issues that require unlikely user interaction.
- Vulnerabilities associated with aircraft and on-board systems.
Gold Standard Safe Harbor
Gold Standard Safe Harbor supports the protection of organizations and hackers engaged in Good Faith Security Research. "Good Faith Security Research" is accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.
We consider Good Faith Security Research to be authorized activity that is protected from adversarial legal action by us. We waive any relevant restriction in our Terms of Service ("TOS") and/or Acceptable Use Policies ("AUP") that conflicts with the standard for Good Faith Security Research outlined here.
This means that, for activity conducted while this program is active, we:
- Will not bring legal action against you or report you for Good Faith Security Research, including for bypassing technological measures we use to protect the applications in scope; and,
- Will take steps to make known that you conducted Good Faith Security Research if someone else brings legal action against you.
You should contact us for clarification before engaging in conduct that you think may be inconsistent with Good Faith Security Research or unaddressed by our policy. Keep in mind that we are not able to authorize security research on third-party infrastructure, and a third party is not bound by this safe harbor statement.
Thank you for helping keep Vueling and our users safe!