Hotel chain Hyatt sets up bug bounty program

By on
Hotel chain Hyatt sets up bug bounty program

Critical vulnerability finds pay US$4000.

Hyatt Hotels has launched a bug bounty program via HackerOne, seeking to reward researchers who find vulnerabilities in its sites and apps.

Chief information security officer Benjamin Vaughn said the aim of setting up the bug bounty program was to further the hotel's goal of keeping its guests safe.

"As one of the first global hospitality brands to launch this type of program, we extend the ways we care for our guests and deepen our commitment to protecting their sensitive information,”  Vaughn said in a statement.

Depending on the severity of the vulnerabilties found, researchers can earn between US$300 for finding low-risk bugs up to US$4000 for flaws rated as critical according to the Common Vulnerability Scoring System (CVSS) security industry standard.

Some of the vulnerabilties Hyatt will reward researchers for include bypassing Web Application Firewalls (WAFs), finding hotel data on cloud storage services, cross-site request forgery (CSRF) on its sites, business logic bypasses, back-end system access via front-end systems and getting around authentication.

Hyatt's main websites and the hotel chain's Android and Apple iOS mobile apps are deemed to be in scope for vulnerability research, but not its accommodation properties or physical and network infrastructure.

Researchers wishing to take part in the bug bounty program must agree to responsible disclosure rules, and not collect personally identifiable information, authentication data or credit card details from hotel guests.

Hyatt also asks that researchers make a good faith effort to avoid privacy violations, destruction or alteration of data as well as interruption or degradation of the hotel's services.

Hotels have become targets for information stealing attacks over the last few years.

The Hyatt bug bounty follows the global hotel chain being hacked twice in recent times, with credit card data taken.

Rival hotelier Marriott this week reported that the recently-revealed hack of its Starwood reservations system exposed 5.25 million unencrypted passport numbers. 

Initially, Marriott reported that up to half a billion Starwood Hotels guests were impacted by the breach, but now believe less than 383 million are affected.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
bug bounty hackerone hyatt security software starwood

Most Read Articles

Microsoft admits it couldn't afford its own cloud

Microsoft admits it couldn't afford its own cloud
CBA discloses app's open source components

CBA discloses app's open source components
Vic govt to build state's first digital twin

Vic govt to build state's first digital twin
NSW using AWS to predict public transport delays

NSW using AWS to predict public transport delays
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Why you should reassess your cybersecurity posture
Why you should reassess your cybersecurity posture
How will you manage the cloud data deluge?
How will you manage the cloud data deluge?
Follow these steps to prevent targeted attacks
Follow these steps to prevent targeted attacks
Your mobile devices may not be secure – learn how to fix that
Your mobile devices may not be secure – learn how to fix that
Don’t risk your business – learn how to protect your cloud assets
Don’t risk your business – learn how to protect your cloud assets

Events

Log In

Username / Email:
Password:
  |  Forgot your password?