Hotel chain Hyatt sets up bug bounty program

By on
Hotel chain Hyatt sets up bug bounty program

Critical vulnerability finds pay US$4000.

Hyatt Hotels has launched a bug bounty program via HackerOne, seeking to reward researchers who find vulnerabilities in its sites and apps.

Chief information security officer Benjamin Vaughn said the aim of setting up the bug bounty program was to further the hotel's goal of keeping its guests safe.

"As one of the first global hospitality brands to launch this type of program, we extend the ways we care for our guests and deepen our commitment to protecting their sensitive information,”  Vaughn said in a statement.

Depending on the severity of the vulnerabilties found, researchers can earn between US$300 for finding low-risk bugs up to US$4000 for flaws rated as critical according to the Common Vulnerability Scoring System (CVSS) security industry standard.

Some of the vulnerabilties Hyatt will reward researchers for include bypassing Web Application Firewalls (WAFs), finding hotel data on cloud storage services, cross-site request forgery (CSRF) on its sites, business logic bypasses, back-end system access via front-end systems and getting around authentication.

Hyatt's main websites and the hotel chain's Android and Apple iOS mobile apps are deemed to be in scope for vulnerability research, but not its accommodation properties or physical and network infrastructure.

Researchers wishing to take part in the bug bounty program must agree to responsible disclosure rules, and not collect personally identifiable information, authentication data or credit card details from hotel guests.

Hyatt also asks that researchers make a good faith effort to avoid privacy violations, destruction or alteration of data as well as interruption or degradation of the hotel's services.

Hotels have become targets for information stealing attacks over the last few years.

The Hyatt bug bounty follows the global hotel chain being hacked twice in recent times, with credit card data taken.

Rival hotelier Marriott this week reported that the recently-revealed hack of its Starwood reservations system exposed 5.25 million unencrypted passport numbers. 

Initially, Marriott reported that up to half a billion Starwood Hotels guests were impacted by the breach, but now believe less than 383 million are affected.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
bug bounty hackerone hyatt security software starwood

Most Read Articles

AWS suffers cloud problems in Sydney region

AWS suffers cloud problems in Sydney region
Optus breaks silence on NBN Co's enterprise behaviour

Optus breaks silence on NBN Co's enterprise behaviour
The CIO moves that made headlines in 2019

The CIO moves that made headlines in 2019
Apple pushes back against EU common charger

Apple pushes back against EU common charger
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Are you getting profitable outcomes from your IT?
Are you getting profitable outcomes from your IT?
Your Microsoft Security journey starts here
Your Microsoft Security journey starts here
Is your AWS framework well-architected?
Is your AWS framework well-architected?
Why you should reassess your cybersecurity posture
Why you should reassess your cybersecurity posture
How will you manage the cloud data deluge?
How will you manage the cloud data deluge?

Events

Log In

Username / Email:
Password:
  |  Forgot your password?