Hotel chain Hyatt sets up bug bounty program


Critical vulnerability finds pay US$4000.

Hyatt Hotels has launched a bug bounty program via HackerOne, seeking to reward researchers who find vulnerabilities in its sites and apps.

Chief information security officer Benjamin Vaughn said the aim of setting up the bug bounty program was to further the hotel's goal of keeping its guests safe.

"As one of the first global hospitality brands to launch this type of program, we extend the ways we care for our guests and deepen our commitment to protecting their sensitive information," Vaughn said in a statement.

Depending on the severity of the vulnerabilities found, researchers can earn from US$300 for low-risk bugs up to US$4000 for flaws rated critical under the Common Vulnerability Scoring System (CVSS), the security industry's standard severity scale.

Some of the vulnerabilities Hyatt will reward researchers for include bypassing its Web Application Firewalls (WAFs), finding hotel data on cloud storage services, cross-site request forgery (CSRF) on its sites, business logic bypasses, reaching back-end systems through front-end systems, and getting around authentication.

Hyatt's main websites and the hotel chain's Android and Apple iOS mobile apps are in scope for vulnerability research; its individual hotel properties and its physical and network infrastructure are out of scope.

Researchers wishing to take part in the bug bounty program must agree to responsible disclosure rules, and not collect personally identifiable information, authentication data or credit card details from hotel guests.

Hyatt also asks that researchers make a good faith effort to avoid privacy violations, destruction or alteration of data as well as interruption or degradation of the hotel's services.

Hotels have become targets for information-stealing attacks over the last few years.

The Hyatt bug bounty follows two breaches of the global hotel chain in recent years in which credit card data was taken.

Rival hotelier Marriott this week reported that the recently revealed hack of its Starwood reservations system exposed 5.25 million unencrypted passport numbers.

Marriott initially reported that up to half a billion Starwood Hotels guests were impacted by the breach, but it now believes fewer than 383 million are affected.
