Hotel chain Hyatt sets up bug bounty program

By on
Hotel chain Hyatt sets up bug bounty program

Critical vulnerability finds pay US$4000.

Hyatt Hotels has launched a bug bounty program via HackerOne, seeking to reward researchers who find vulnerabilities in its sites and apps.

Chief information security officer Benjamin Vaughn said the aim of setting up the bug bounty program was to further the hotel's goal of keeping its guests safe.

"As one of the first global hospitality brands to launch this type of program, we extend the ways we care for our guests and deepen our commitment to protecting their sensitive information,”  Vaughn said in a statement.

Depending on the severity of the vulnerabilties found, researchers can earn between US$300 for finding low-risk bugs up to US$4000 for flaws rated as critical according to the Common Vulnerability Scoring System (CVSS) security industry standard.

Some of the vulnerabilties Hyatt will reward researchers for include bypassing Web Application Firewalls (WAFs), finding hotel data on cloud storage services, cross-site request forgery (CSRF) on its sites, business logic bypasses, back-end system access via front-end systems and getting around authentication.

Hyatt's main websites and the hotel chain's Android and Apple iOS mobile apps are deemed to be in scope for vulnerability research, but not its accommodation properties or physical and network infrastructure.

Researchers wishing to take part in the bug bounty program must agree to responsible disclosure rules, and not collect personally identifiable information, authentication data or credit card details from hotel guests.

Hyatt also asks that researchers make a good faith effort to avoid privacy violations, destruction or alteration of data as well as interruption or degradation of the hotel's services.

Hotels have become targets for information stealing attacks over the last few years.

The Hyatt bug bounty follows the global hotel chain being hacked twice in recent times, with credit card data taken.

Rival hotelier Marriott this week reported that the recently-revealed hack of its Starwood reservations system exposed 5.25 million unencrypted passport numbers. 

Initially, Marriott reported that up to half a billion Starwood Hotels guests were impacted by the breach, but now believe less than 383 million are affected.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
bug bounty hackerone hyatt security software starwood

Sponsored Whitepapers

Five questions to ask before you upgrade to a SIEM solution
Five questions to ask before you upgrade to a SIEM solution
Effectively addressing advanced threats
Effectively addressing advanced threats
The risky business of open source
The risky business of open source
Ensure your e-signatures are legally binding
Ensure your e-signatures are legally binding
Mitigating open source risk in your organisation
Mitigating open source risk in your organisation

Events

Most Read Articles

Telstra blasts plan to 'set aside' mobile spectrum for Optus and TPG, but not it

Telstra blasts plan to 'set aside' mobile spectrum for Optus and TPG, but not it
Defence switches on initial SAP ERP system capability

Defence switches on initial SAP ERP system capability
Downer lands $330m Telstra field services contract

Downer lands $330m Telstra field services contract
Tyro halts trading following week-long outage

Tyro halts trading following week-long outage
You must be a registered member of iTnews to post a comment.
| Register

Log In

Username / Email:
Password:
  |  Forgot your password?