Hyatt became the first major hotel chain in the world to have a public bug bounty program with HackerOne. The platform also hosts bug bounty programs for companies including Airbnb, Nintendo, WordPress, Starbucks, Spotify, GM and more.
The idea is to have ethical white hat hackers bang on their security to expose flaws and get them fixed before they’re found in the wild.
Given the sensitive data hotels hold (customer names, addresses, phone numbers, credit cards), they will always be a big target. Hopefully the reward levels on offer here are a big enough incentive. I suspect these may need to be increased.
- Critical – $4,000
- High – $1,200
- Medium – $600
- Low – $300
At the time of writing, $13,300 in bounties have been paid, with the average payout being $300.
HackerOne offers cash rewards to those who report valid security flaws on Hyatt.com, m.hyatt.com, world.hyatt.com, and the iOS and Android apps.
If you’re interested, the details of the program and bounty rewards can be found at https://hackerone.com/hyatt.
Below is a Q&A with Hyatt’s Chief Information Security Officer (CISO) Benjamin Vaughn, which reveals how the program helps to protect the 750 properties in more than 55 countries of Hyatt Hotels Corporation and its affiliates.
Q: Why did Hyatt launch a bug bounty program?
A: Hyatt’s purpose – we care for people so they can be their best – guides every decision we make, and protecting the information we receive from our guests is a key part of bringing our purpose to life. Our cyber security department is consistently identifying new ways to further enhance our security and we believe a bug bounty program is a great way to look to the security research community for their expertise. The security of our guests and colleagues is our top priority, and Hyatt will continue to do everything we can to protect their information.
Q: Is this Hyatt’s first bug bounty program? If not, what were the results of the private program?
A: Following the recommendations of HackerOne, Hyatt ran an invitation-only version of the program for some time. We were very pleased with the results of the private program and this helped inform our decision to launch the program publicly.
Q: What Hyatt channels are available for hackers to test?
A: Hyatt.com, world.hyatt.com, the Hyatt mobile app (iOS and Android versions), and m.hyatt.com are available for testing. Full scope and guidance are available on our program page: https://hackerone.com/hyatt.
Q: Why did Hyatt choose HackerOne to manage its program? Did the Hyatt security team evaluate other vendors?
A: Hyatt conducted a review of the bug bounty marketplace and also evaluated the merits of operating our own program. Based on the results of that review, we selected HackerOne, and we look forward to working with the HackerOne community. We chose HackerOne specifically because of their robust platform, integration possibilities and clear rating system for vulnerabilities.
Q: Anything to say directly to the hacker community?
A: We thank the participants of our private program for their assistance and ask any new participants to stay in touch with us as they perform their research. Our best advice for the hacker community is to dive deep and discover interesting vulnerabilities. We are impressed when we receive creative vulnerabilities. We will be there to help!