[{"id":3763454,"new_policy":"Welcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in responsibly disclosing the issue to us.\n\nPlease submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users’ privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to maliciously exploit a security issue, or accesses other users’ data. Note: Abusing vulnerabilities in other websites in order to test Airbnb is prohibited. Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nUpon receipt of your report, we will communicate timelines for triaging and paying out your report, and answer questions during the investigative period. A detailed description of the vulnerability and reproduction steps are required for each report. If you do not provide this information within 2 business days from the submission of the report, we will close the report as Not Applicable.\n\nNote: Timelines as shown below are based upon receipt of a fully detailed vulnerability with reproduction steps provided with the submitted report.\n\n| Communication | SLA |\n|-------------------|-----------------|\n| Initial Communication | Upon receipt of new report |\n| Triage | 2 business days from receipt of new report |\n| Bounty Payout | 5 business days from Triage |\n| Response to Researcher questions | 2 days from posted question |\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. 
If you're having issues related to your individual account, please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](https://bughunters.google.com/about/rules/5604090422493184/google-play-security-reward-program-rules).\n\n# Table of Contents\n* Program Scope\n* Program Rules\n* Rewards\n* Eligibility\n* Special Testing Requirements\n    * HotelTonight Testing Requirements\n* Out of Scope Vulnerabilities (no reward)\n    * Applicable to HotelTonight\n* Other Information\n\n# Program Scope\nIn-scope assets are listed at https://hackerone.com/airbnb/policy_scopes and are reviewed on a quarterly basis to ensure the most inclusive scope possible.\n\n# Program Rules\n* Do not mass-create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through HackerOne. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* No testing on real user data is permitted for any HotelTonight assets.\n* 3rd-party assets are not covered in our program. 
Our program applies to components under our control.\n\n# Rewards\nOur maximum bounty is $25,000 USD. \nReward amounts are based on Severity and overall impact. We encourage you to use the CVSS calculator in HackerOne to calculate the severity you believe is appropriate for your finding. If we believe the Severity you calculated is different from our assessment, you will be provided with an explanation, as this may impact payout. Please allow up to 5 business days from time of triage for the bounty to be paid out. The following table outlines the typical bounty ranges by Severity. All bounties are at the discretion of Airbnb.\n\nHigh Impact Scope Payout Range\n\n| Severity | Payout Range |\n|-------------------|-----------------|\n| Critical | $18,000 - $25,000 |\n| High | $10,000 - $17,999 |\n| Medium | $1,000 - $5,000 |\n| Low | $250 |\n\n\n\nLow Impact Scope Payout\n\n| Severity | Payout |\n|-------------------|-----------------|\n| Critical | $5,000 |\n| High | $3,000 |\n| Medium | $500 - $1,000 |\n| Low | $250 |\n\n\n| Vulnerability Type | Severity Range |\n|-------------------|-----------------|\n| Remote Code Execution (RCE) | Critical |\n| SQL Injection | High - Critical |\n| Improper Direct Object Reference (IDOR) | Medium - Critical |\n| Sensitive Data Exposure | Medium - Critical |\n| Server Side Request Forgery (SSRF) | Low - Critical |\n| Local File Inclusion | Medium - High |\n| Stored Cross Site Scripting | Medium - High |\n| Significant Authentication Bypass | Medium - High |\n| Authorization Flaw | Medium - High |\n| Cross-Site Request Forgery (CSRF) | Low - Medium |\n| Open Redirect on Sensitive Parameter | Low - Medium |\n| Reflected/Other Cross Site Scripting | Low - Medium |\n| Open Redirect | Low - Medium |\n| DNS Subdomain Takeover | Low - Medium |\n\n## Highest Impact Scope\n* `*.airbnb.com`\n* `*.airbnb.org`\n* `*.musta.ch`\n* `*.airbnbpayments.com`\n* All localized airbnb sites (e.g., `es.airbnb.com`, `it.airbnb.com`)\n* [Airbnb iOS 
app](https://apps.apple.com/us/app/airbnb/id401626263)\n* [Airbnb Android app](https://play.google.com/store/apps/details?id=com.airbnb.android)\n\n## Lower Impact Scope\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. The bounties given for reports on these properties will therefore be significantly lower.\n\n* `*.atairbnb.com`\n* `*.withairbnb.com`\n* `*.airbnbcitizen.com`\n* `*.byairbnb.com`\n* `*.muscache.com`\n* `*.airbnb-aws.com`\n* `*.luxuryretreats.com`\n* `*.airbnbopen.com`\n* `hoteltonight-test.com`\n* `*.hoteltonight.com`\n* `api.hoteltonight-test.com`\n* `places.hoteltonight-test.com`\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward duplicate reports.\n\n# Eligibility\nAirbnb reserves the right to decide the weakness and severity of a report and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\n\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good Bug Bounty report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Step-by-step instructions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n* Account Configuration: User type (Guest, Host, ProHost, SuperHost)\n* Severity: Use the HackerOne calculator to calculate the severity you believe matches your report\n* Asset: Select the asset that is impacted by your finding\n* Weakness: Select the weakness associated with your report\n\n# Out of Scope 
Vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario, exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles that do not provide any extra information.\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses where the redacted content is replaced by the string `(Hidden by Airbnb)` (other content redaction vulnerabilities are in scope)\n* Techniques allowing you to view user profile photos (these are considered public)\n* Broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n## Applicable to HotelTonight\n* `hoteltonight.com`\n* `hoteltonight.build`\n* `hoteltonight-test.com`\n* Our partners site (`partners.hoteltonight.com`)\n* iOS mobile app\n* Single Sign On (Google or Facebook). \n* Do not send questions/requests to their customer support team for help with your testing. This is considered an interruption to the business. \n\n# HotelTonight Testing Requirements\nResearchers can create customer accounts and book hotel rooms (test bookings) using a fake credit card in our testing environment, which doesn’t send out any email notifications (activation or confirmation) to customers. 
\n\nHotelTonight Mobile Web App\n* Accessible from https://www.hoteltonight-test.com (if using a desktop browser, note that you will need to use a mobile user-agent or Chrome developer tools to view the mobile site)\n\nHotelTonight Mobile APIs\nMobile APIs that power our mobile apps are located at:\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\nHotelTonight Cities and Inventory\nIn our testing environment, you should search for the following cities to look for hotels:\n* San Francisco\n* Las Vegas\n* New York City\n\nHotelTonight Access\nYou can create customer accounts using your emails (no activation emails will be sent), and use the following credit card for test booking a hotel room: 4111111111111111 (Visa) with any expiration date in the future. Additional test payment methods are available at https://developers.braintreepayments.com/reference/general/testing/ruby#credit-card-numbers (use only American Express, Discover, JCB, Mastercard, or Visa). None of the test bookings are real bookings. We also suppress all emails for test bookings, so no email receipts will be sent to whatever email address is entered.\n\nHotelTonight Credentials\nResearchers will need to self-provision customer accounts by signing up using their email on our mobile web app. You will not get any activation email from our testing environment.\n\n\n# Other Information\n* [Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n* [Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n\n\n\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-09-22T22:06:06.882Z"},{"id":3758767,"new_policy":"Welcome! Airbnb is committed to building and protecting the world's most trusted community. 
If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in responsibly disclosing the issue to us.\n\nPlease submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users’ privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to maliciously exploit a security issue, or accesses other users’ data. Note: Abusing vulnerabilities in other websites in order to test Airbnb is prohibited. Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nUpon receipt of your report, we will communicate timelines for triaging and paying out your report, and answer questions during the investigative period. A detailed description of the vulnerability and reproduction steps are required for each report. If you do not provide this information within 2 business days from the submission of the report, we will close the report as Not Applicable.\n\nNote: Timelines as shown below are based upon receipt of a fully detailed vulnerability with reproduction steps provided with the submitted report.\n\n| Communication | SLA |\n|-------------------|-----------------|\n| Initial Communication | Upon receipt of new report |\n| Triage | 2 business days from receipt of new report |\n| Bounty Payout | 5 business days from Triage |\n| Response to Researcher questions | 2 days from posted question |\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. 
If you're having issues related to your individual account, please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](https://bughunters.google.com/about/rules/5604090422493184/google-play-security-reward-program-rules).\n\n# Table of Contents\n* Program Scope\n* Program Rules\n* Rewards\n* Eligibility\n* Special Testing Requirements\n    * HotelTonight Testing Requirements\n* Out of Scope Vulnerabilities (no reward)\n    * Applicable to HotelTonight\n* Other Information\n\n# Program Scope\nIn-scope assets are listed at https://hackerone.com/airbnb/policy_scopes and are reviewed on a quarterly basis to ensure the most inclusive scope possible.\n\n# Program Rules\n* Do not mass-create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through HackerOne. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* No testing on real user data is permitted for any HotelTonight assets.\n* 3rd-party assets are not covered in our program. 
Our program applies to components under our control.\n\n# Rewards\nOur maximum bounty is $25,000 USD. \nReward amounts are based on Severity and overall impact. We encourage you to use the CVSS calculator in HackerOne to calculate the severity you believe is appropriate for your finding. If we believe the Severity you calculated is different from our assessment, you will be provided with an explanation, as this may impact payout. Please allow up to 5 business days from time of triage for the bounty to be paid out. The following table outlines the typical bounty ranges by Severity. All bounties are at the discretion of Airbnb.\n\nHigh Impact Scope Payout Range\n\n| Severity | Payout Range |\n|-------------------|-----------------|\n| Critical | $18,000 - $25,000 |\n| High | $10,000 - $17,999 |\n| Medium | $1,000 - $5,000 |\n| Low | $250 |\n\n\n\nLow Impact Scope Payout\n\n| Severity | Payout |\n|-------------------|-----------------|\n| Critical | $5,000 |\n| High | $3,000 |\n| Medium | $500 - $1,000 |\n| Low | $250 |\n\n\n| Vulnerability Type | Severity Range |\n|-------------------|-----------------|\n| Remote Code Execution (RCE) | Critical |\n| SQL Injection | High - Critical |\n| Improper Direct Object Reference (IDOR) | Medium - Critical |\n| Sensitive Data Exposure | Medium - Critical |\n| Server Side Request Forgery (SSRF) | Low - Critical |\n| Local File Inclusion | Medium - High |\n| Stored Cross Site Scripting | Medium - High |\n| Significant Authentication Bypass | Medium - High |\n| Authorization Flaw | Medium - High |\n| Cross-Site Request Forgery (CSRF) | Low - Medium |\n| Open Redirect on Sensitive Parameter | Low - Medium |\n| Reflected/Other Cross Site Scripting | Low - Medium |\n| Open Redirect | Low - Medium |\n| DNS Subdomain Takeover | Low - Medium |\n\n## Highest Impact Scope\n* `*.airbnb.com`\n* All localized airbnb sites (e.g., `es.airbnb.com`, `it.airbnb.com`)\n* [Airbnb iOS app](https://apps.apple.com/us/app/airbnb/id401626263)\n* [Airbnb Android 
app](https://play.google.com/store/apps/details?id=com.airbnb.android)\n\n## Lower Impact Scope\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. The bounties given for reports on these properties will therefore be significantly lower.\n\n* `*.atairbnb.com`\n* `*.withairbnb.com`\n* `*.airbnbcitizen.com`\n* `*.airbnb.org`\n* `*.byairbnb.com`\n* `*.muscache.com`\n* `*.airbnb-aws.com`\n* `*.luxuryretreats.com`\n* `*.airbnbopen.com`\n* `hoteltonight-test.com`\n* `*.hoteltonight.com`\n* `api.hoteltonight-test.com`\n* `places.hoteltonight-test.com`\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward duplicate reports.\n\n# Eligibility\nAirbnb reserves the right to decide the weakness and severity of a report and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\n\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good Bug Bounty report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Step-by-step instructions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n* Account Configuration: User type (Guest, Host, ProHost, SuperHost)\n* Severity: Use the HackerOne calculator to calculate the severity you believe matches your report\n* Asset: Select the asset that is impacted by your finding\n* Weakness: Select the weakness associated with your report\n\n# Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider the 
attack scenario, exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles that do not provide any extra information.\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses where the redacted content is replaced by the string `(Hidden by Airbnb)` (other content redaction vulnerabilities are in scope)\n* Techniques allowing you to view user profile photos (these are considered public)\n* Broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n## Applicable to HotelTonight\n* `hoteltonight.com`\n* `hoteltonight.build`\n* `hoteltonight-test.com`\n* Our partners site (`partners.hoteltonight.com`)\n* iOS mobile app\n* Single Sign On (Google or Facebook). \n* Do not send questions/requests to their customer support team for help with your testing. This is considered an interruption to the business. \n\n# HotelTonight Testing Requirements\nResearchers can create customer accounts and book hotel rooms (test bookings) using a fake credit card in our testing environment, which doesn’t send out any email notifications (activation or confirmation) to customers. 
\n\nHotelTonight Mobile Web App\n* Accessible from https://www.hoteltonight-test.com (if using a desktop browser, note that you will need to use a mobile user-agent or Chrome developer tools to view the mobile site)\n\nHotelTonight Mobile APIs\nMobile APIs that power our mobile apps are located at:\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\nHotelTonight Cities and Inventory\nIn our testing environment, you should search for the following cities to look for hotels:\n* San Francisco\n* Las Vegas\n* New York City\n\nHotelTonight Access\nYou can create customer accounts using your emails (no activation emails will be sent), and use the following credit card for test booking a hotel room: 4111111111111111 (Visa) with any expiration date in the future. Additional test payment methods are available at https://developers.braintreepayments.com/reference/general/testing/ruby#credit-card-numbers (use only American Express, Discover, JCB, Mastercard, or Visa). None of the test bookings are real bookings. We also suppress all emails for test bookings, so no email receipts will be sent to whatever email address is entered.\n\nHotelTonight Credentials\nResearchers will need to self-provision customer accounts by signing up using their email on our mobile web app. You will not get any activation email from our testing environment.\n\n\n# Other Information\n* [Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n* [Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n\n\n\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-07-09T20:23:03.994Z"},{"id":3729874,"new_policy":"Effective May 9, 2024\n\nWelcome! 
Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in responsibly disclosing the issue to us.\n\nPlease submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users’ privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to maliciously exploit a security issue, or accesses other users’ data. Note: Abusing vulnerabilities in other websites in order to test Airbnb is prohibited. Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nUpon receipt of your report, we will communicate timelines for triaging and paying out your report, and answer questions during the investigative period. A detailed description of the vulnerability and reproduction steps are required for each report. If you do not provide this information within 2 business days from the submission of the report, we will close the report as Not Applicable.\n\nNote: Timelines as shown below are based upon receipt of a fully detailed vulnerability with reproduction steps provided with the submitted report.\n\n| Communication | SLA |\n|-------------------|-----------------|\n| Initial Communication | Upon receipt of new report |\n| Triage | 2 business days from receipt of new report |\n| Bounty Payout | 5 business days from Triage |\n| Response to Researcher questions | 2 days from posted question |\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. 
If you're having issues related to your individual account, please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](https://bughunters.google.com/about/rules/5604090422493184/google-play-security-reward-program-rules).\n\n# Table of Contents\n* Program Scope\n* Program Rules\n* Rewards\n* Eligibility\n* Special Testing Requirements\n    * HotelTonight Testing Requirements\n* Out of Scope Vulnerabilities (no reward)\n    * Applicable to HotelTonight\n* Other Information\n\n# Program Scope\nIn-scope assets are listed at https://hackerone.com/airbnb/policy_scopes and are reviewed on a quarterly basis to ensure the most inclusive scope possible.\n\n# Program Rules\n* Do not mass-create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through HackerOne. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* No testing on real user data is permitted for any HotelTonight assets.\n* 3rd-party assets are not covered in our program. 
Our program applies to components under our control.\n\n# Rewards\nOur maximum bounty is $25,000 USD. \nReward amounts are based on Severity and overall impact. We encourage you to use the CVSS calculator in HackerOne to calculate the severity you believe is appropriate for your finding. If we believe the Severity you calculated is different from our assessment, you will be provided with an explanation, as this may impact payout. Please allow up to 5 business days from time of triage for the bounty to be paid out. The following table outlines the typical bounty ranges by Severity. All bounties are at the discretion of Airbnb.\n\nHigh Impact Scope Payout Range\n\n| Severity | Payout Range |\n|-------------------|-----------------|\n| Critical | $18,000 - $25,000 |\n| High | $10,000 - $17,999 |\n| Medium | $500 - $2,000 |\n| Low | $250 |\n\n\n\nLow Impact Scope Payout\n\n| Severity | Payout |\n|-------------------|-----------------|\n| Critical | $5,000 |\n| High | $3,000 |\n| Medium | $500 - $1,000 |\n| Low | $250 |\n\n\n| Vulnerability Type | Severity Range |\n|-------------------|-----------------|\n| Remote Code Execution (RCE) | Critical |\n| SQL Injection | High - Critical |\n| Improper Direct Object Reference (IDOR) | Medium - Critical |\n| Sensitive Data Exposure | Medium - Critical |\n| Server Side Request Forgery (SSRF) | Low - Critical |\n| Local File Inclusion | Medium - High |\n| Stored Cross Site Scripting | Medium - High |\n| Significant Authentication Bypass | Medium - High |\n| Authorization Flaw | Medium - High |\n| Cross-Site Request Forgery (CSRF) | Low - Medium |\n| Open Redirect on Sensitive Parameter | Low - Medium |\n| Reflected/Other Cross Site Scripting | Low - Medium |\n| Open Redirect | Low - Medium |\n| DNS Subdomain Takeover | Low - Medium |\n\n## Highest Impact Scope\n* `*.airbnb.com`\n* All localized airbnb sites (e.g., `es.airbnb.com`, `it.airbnb.com`)\n* [Airbnb iOS app](https://apps.apple.com/us/app/airbnb/id401626263)\n* [Airbnb Android 
app](https://play.google.com/store/apps/details?id=com.airbnb.android)\n\n## Lower Impact Scope\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. The bounties given for reports on these properties will therefore be significantly lower.\n\n* `*.atairbnb.com`\n* `*.withairbnb.com`\n* `*.airbnbcitizen.com`\n* `*.airbnb.org`\n* `*.byairbnb.com`\n* `*.muscache.com`\n* `*.airbnb-aws.com`\n* `*.luxuryretreats.com`\n* `*.airbnbopen.com`\n* `hoteltonight-test.com`\n* `*.hoteltonight.com`\n* `api.hoteltonight-test.com`\n* `places.hoteltonight-test.com`\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward duplicate reports.\n\n# Eligibility\nAirbnb reserves the right to decide the weakness and severity of a report and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\n\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good Bug Bounty report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Step-by-step instructions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n* Account Configuration: User type (Guest, Host, ProHost, SuperHost)\n* Severity: Use the HackerOne calculator to calculate the severity you believe matches your report\n* Asset: Select the asset that is impacted by your finding\n* Weakness: Select the weakness associated with your report\n\n# Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider the 
attack scenario, exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles that do not provide any extra information.\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses where the redacted content is replaced by the string `(Hidden by Airbnb)` (other content redaction vulnerabilities are in scope)\n* Techniques allowing you to view user profile photos (these are considered public)\n* Broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n## Applicable to HotelTonight\n* `hoteltonight.com`\n* `hoteltonight.build`\n* `hoteltonight-test.com`\n* Our partners site (`partners.hoteltonight.com`)\n* iOS mobile app\n* Single Sign On (Google or Facebook). \n* Do not send questions/requests to their customer support team for help with your testing. This is considered an interruption to the business. \n\n# HotelTonight Testing Requirements\nResearchers can create customer accounts and book hotel rooms (test bookings) using a fake credit card in our testing environment, which doesn’t send out any email notifications (activation or confirmation) to customers. 
\n\nHotelTonight Mobile Web App\n* Accessible from https://www.hoteltonight-test.com (if using a desktop browser, note that you will need to use a mobile user-agent or Chrome developer tools to view the mobile site)\n\nHotelTonight Mobile APIs\nMobile APIs that power our mobile apps are located at:\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\nHotelTonight Cities and Inventory\nIn our testing environment, you should search for the following cities to look for hotels:\n* San Francisco\n* Las Vegas\n* New York City\n\nHotelTonight Access\nYou can create customer accounts using your emails (no activation emails will be sent), and use the following credit card for test booking a hotel room: 4111111111111111 (Visa) with any expiration date in the future. Additional test payment methods are available at https://developers.braintreepayments.com/reference/general/testing/ruby#credit-card-numbers (use only American Express, Discover, JCB, Mastercard, or Visa). Test bookings are not real bookings. We also suppress all emails for test bookings, so no email receipts will be sent to whatever email address is entered.\n\nHotelTonight Credentials\nResearchers will need to self-provision the customer accounts by signing up using their email on our mobile web app. You will not get any activation email from our testing environment.\n\n\n# Other Information\n* [Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n* [Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n\n\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-06-19T00:29:38.505Z"},{"id":3725291,"new_policy":"Effective May 9, 2024\n\nWelcome! 
Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in responsibly disclosing the issue to us.\n\nPlease submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users’ privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to maliciously exploit a security issue, or accesses other users’ data. Note: Abusing vulnerabilities in other websites in order to test Airbnb is prohibited. Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nUpon receipt of your report, we will communicate timelines for triaging and paying out your report, and answer questions during the investigative period. A detailed description of the vulnerability and reproduction steps are required for each report. If you do not provide this information within 2 business days from the submission of the report, we will close the report as Not Applicable.\n\nNote: Timelines as shown below are based upon receipt of a fully detailed vulnerability with reproduction steps provided with the submitted report.\n\n| Communication | SLA |\n|-------------------|-----------------|\n| Initial Communication | Upon receipt of new report |\n| Triage | 2 business days from receipt of new report |\n| Bounty Payout | 5 business days from Triage |\n| Response to Researcher questions | 2 days from posted question |\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. 
If you're having issues related to your individual account, please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](https://bughunters.google.com/about/rules/5604090422493184/google-play-security-reward-program-rules).\n\n# Table of Contents\n* Program Scope\n* Program Rules\n* Rewards\n* Eligibility\n* Special Testing Requirements\n    * HotelTonight Testing Requirements\n* Out of Scope Vulnerabilities (no reward)\n    * Applicable to HotelTonight\n* Other Information\n\n# Program Scope\nIn-scope assets are listed at https://hackerone.com/airbnb/policy_scopes and are reviewed on a quarterly basis to ensure the most inclusive scope possible.\n\n# Program Rules\n* Do not mass-create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through HackerOne. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* No testing on real user data permitted for any HotelTonight assets.\n* 3rd Party assets are not covered in our program.  
Our program applies to components under our control.\n\n# Rewards\nOur maximum bounty is $25,000 USD.\nReward amounts are based on Severity and overall impact. We encourage you to use the CVSS calculator in HackerOne to calculate the severity you believe is appropriate for your finding. If we believe the Severity you calculated is different from our assessment, you will be provided with an explanation, as this may impact payout. Please allow up to 5 business days from time of triage for the bounty to be paid out. The following tables outline the typical bounty ranges by Severity. All bounties are up to the discretion of Airbnb.\n\nHigh Impact Scope Payout Range\n\n| Severity | Payout Range |\n|-------------------|-----------------|\n| Critical | $18,000 - $25,000 |\n| High | $10,000 - $17,999 |\n| Medium | $500 |\n| Low | $250 |\n\n\n\nLow Impact Scope Payout\n\n| Severity | Payout |\n|-------------------|-----------------|\n| Critical | $5,000 |\n| High | $3,000 |\n| Medium | $500 |\n| Low | $250 |\n\n\n| Vulnerability Type | Severity Range |\n|-------------------|-----------------|\n| Remote Code Execution (RCE) | Critical |\n| SQL Injection | High - Critical |\n| Improper Direct Object Reference (IDOR) | Medium - Critical |\n| Sensitive Data Exposure | Medium - Critical |\n| Server Side Request Forgery (SSRF) | Low - Critical |\n| Local File Inclusion | Medium - High |\n| Stored Cross Site Scripting | Medium - High |\n| Significant Authentication Bypass | Medium - High |\n| Authorization Flaw | Medium - High |\n| Cross-Site Request Forgery (CSRF) | Low - Medium |\n| Open Redirect on Sensitive Parameter | Low - Medium |\n| Reflected/Other Cross Site Scripting | Low - Medium |\n| Open Redirect | Low - Medium |\n| DNS Subdomain Takeover | Low - Medium |\n\n## Highest Impact Scope\n* `*.airbnb.com`\n* All localized airbnb sites (e.g., `es.airbnb.com`, `it.airbnb.com`)\n* [Airbnb iOS app](https://apps.apple.com/us/app/airbnb/id401626263)\n* [Airbnb Android 
app](https://play.google.com/store/apps/details?id=com.airbnb.android)\n\n## Lower Impact Scope\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. The bounties given for reports on these properties will therefore be significantly lower.\n\n* `*.atairbnb.com`\n* `*.withairbnb.com`\n* `*.airbnbcitizen.com`\n* `*.airbnb.org`\n* `*.byairbnb.com`\n* `*.muscache.com`\n* `*.airbnb-aws.com`\n* `*.luxuryretreats.com`\n* `*.airbnbopen.com`\n* `hoteltonight-test.com`\n* `*.hoteltonight.com`\n* `api.hoteltonight-test.com`\n* `places.hoteltonight-test.com`\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward duplicate reports.\n\n# Eligibility\nAirbnb reserves the right to decide the weakness and severity of a report and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\n\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good Bug Bounty report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Step-by-step instructions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n* Account Configuration: User type (Guest, Host, ProHost, SuperHost)\n* Severity: Use the HackerOne calculator to calculate the severity you believe matches your report\n* Asset: Select the asset that is impacted by your finding\n* Weakness: Select the weakness associated with your report\n\n# Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider the 
attack scenario, exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles that do not provide any extra information.\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses where the redacted content is replaced by the string `(Hidden by Airbnb)` (other content redaction vulnerabilities are in scope)\n* Techniques allowing you to view user profile photos (these are considered public)\n* Broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n## Applicable to HotelTonight\n* `hoteltonight.com`\n* `hoteltonight.build`\n* `hoteltonight-test.com`\n* Our partners site (`partners.hoteltonight.com`)\n* iOS mobile app\n* Single Sign On (Google or Facebook). \n* Do not send questions/requests to their customer support team for help with your testing. This is considered an interruption to the business. \n\n# HotelTonight Testing Requirements\nResearchers can create customer accounts and book hotel rooms (test bookings) using a fake credit card in our testing environment, which doesn’t send out any email notifications (activation or confirmation) to customers. 
\n\nHotelTonight Mobile Web App\n* Accessible from https://www.hoteltonight-test.com (if using a desktop browser, note that you will need to use a mobile user-agent or Chrome developer tools to view the mobile site)\n\nHotelTonight Mobile APIs\nMobile APIs that power our mobile apps are located at:\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\nHotelTonight Cities and Inventory\nIn our testing environment, you should search for the following cities to look for hotels:\n* San Francisco\n* Las Vegas\n* New York City\n\nHotelTonight Access\nYou can create customer accounts using your emails (no activation emails will be sent), and use the following credit card for test booking a hotel room: 4111111111111111 (Visa) with any expiration date in the future. Additional test payment methods are available at https://developers.braintreepayments.com/reference/general/testing/ruby#credit-card-numbers (use only American Express, Discover, JCB, Mastercard, or Visa). Test bookings are not real bookings. We also suppress all emails for test bookings, so no email receipts will be sent to whatever email address is entered.\n\nHotelTonight Credentials\nResearchers will need to self-provision the customer accounts by signing up using their email on our mobile web app. You will not get any activation email from our testing environment.\n\n\n# Other Information\n* [Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n* [Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n\n\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-08T21:17:06.162Z"},{"id":3713508,"new_policy":"Welcome! Airbnb is committed to building and protecting the world's most trusted community. 
If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in responsibly disclosing the issue to us.\n\nPlease submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users’ privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to maliciously exploit a security issue, or accesses other users’ data. Note: Abusing vulnerabilities in other websites in order to test Airbnb is prohibited. Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nUpon receipt of your report, we will communicate timelines for triaging and paying out your report, and answer questions during the investigative period. A detailed description of the vulnerability and reproduction steps are required for each report. If you do not provide this information within 2 business days from the submission of the report, we will close the report as Not Applicable.\n\nNote: Timelines as shown below are based upon receipt of a fully detailed vulnerability with reproduction steps provided with the submitted report.\n\n| Communication | SLA |\n|-------------------|-----------------|\n| Initial Communication | Upon receipt of new report |\n| Triage | 2 business days from receipt of new report |\n| Bounty Payout | 5 business days from Triage |\n| Response to Researcher questions | 2 days from posted question |\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. 
If you're having issues related to your individual account, please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](https://bughunters.google.com/about/rules/5604090422493184/google-play-security-reward-program-rules).\n\n# Table of Contents\n* Program Scope\n* Program Rules\n* Rewards\n* Eligibility\n* Special Testing Requirements\n    * HotelTonight Testing Requirements\n* Out of Scope Vulnerabilities (no reward)\n    * Applicable to HotelTonight\n* Other Information\n\n# Program Scope\nIn-scope assets are listed at https://hackerone.com/airbnb/policy_scopes and are reviewed on a quarterly basis to ensure the most inclusive scope possible.\n\n# Program Rules\n* Do not mass-create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through HackerOne. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* No testing on real user data permitted for any HotelTonight assets.\n* 3rd Party assets are not covered in our program.  
Our program applies to components under our control.\n\n# Rewards\nOur maximum bounty is $25,000 USD.\nReward amounts are based on Severity and overall impact. We encourage you to use the CVSS calculator in HackerOne to calculate the severity you believe is appropriate for your finding. If we believe the Severity you calculated is different from our assessment, you will be provided with an explanation, as this may impact payout. Please allow up to 5 business days from time of triage for the bounty to be paid out. The following tables outline the typical bounty ranges by Severity. All bounties are up to the discretion of Airbnb.\n\n| Severity | Payout Range |\n|-------------------|-----------------|\n| Critical | $18,000 - $25,000 |\n| High | $10,000 - $17,999 |\n| Medium | $2,000 - $9,999 |\n| Low | $250 - $1,999 |\n\n\n| Vulnerability Type | Severity Range |\n|-------------------|-----------------|\n| Remote Code Execution (RCE) | Critical |\n| SQL Injection | High - Critical |\n| Improper Direct Object Reference (IDOR) | Medium - Critical |\n| Sensitive Data Exposure | Medium - Critical |\n| Server Side Request Forgery (SSRF) | Low - Critical |\n| Local File Inclusion | Medium - High |\n| Stored Cross Site Scripting | Medium - High |\n| Significant Authentication Bypass | Medium - High |\n| Authorization Flaw | Medium - High |\n| Cross-Site Request Forgery (CSRF) | Low - Medium |\n| Open Redirect on Sensitive Parameter | Low - Medium |\n| Reflected/Other Cross Site Scripting | Low - Medium |\n| Open Redirect | Low - Medium |\n| DNS Subdomain Takeover | Low - Medium |\n\n## Highest Impact Scope\n* `*.airbnb.com`\n* All localized airbnb sites (e.g., `es.airbnb.com`, `it.airbnb.com`)\n* [Airbnb iOS app](https://apps.apple.com/us/app/airbnb/id401626263)\n* [Airbnb Android app](https://play.google.com/store/apps/details?id=com.airbnb.android)\n\n## Lower Impact Scope\nThese properties are considered to have lower security impact on our users since they should not have 
access to Airbnb user sessions and generally cannot access user data. The bounties given for reports on these properties will therefore be significantly lower.\n\n* `*.atairbnb.com`\n* `*.withairbnb.com`\n* `*.airbnbcitizen.com`\n* `*.airbnb.org`\n* `*.byairbnb.com`\n* `*.muscache.com`\n* `*.airbnb-aws.com`\n* `*.luxuryretreats.com`\n* `*.airbnbopen.com`\n* `hoteltonight-test.com`\n* `api.hoteltonight-test.com`\n* `places.hoteltonight-test.com`\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward duplicate reports.\n\n# Eligibility\nAirbnb reserves the right to decide the weakness and severity of a report and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\n\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good Bug Bounty report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Step-by-step instructions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n* Account Configuration: User type (Guest, Host, ProHost, SuperHost)\n* Severity: Use the HackerOne calculator to calculate the severity you believe matches your report\n* Asset: Select the asset that is impacted by your finding\n* Weakness: Select the weakness associated with your report\n\n# Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario, exploitability, and security impact of the bug. 
The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles that do not provide any extra information.\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses where the redacted content is replaced by the string `(Hidden by Airbnb)` (other content redaction vulnerabilities are in scope)\n* Techniques allowing you to view user profile photos (these are considered public)\n* Broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n## Applicable to HotelTonight\n* `hoteltonight.com`\n* `hoteltonight.build`\n* `hoteltonight-test.com`\n* Our partners site (`partners.hoteltonight.com`)\n* iOS mobile app\n* Single Sign On (Google or Facebook). \n* Do not send questions/requests to their customer support team for help with your testing. This is considered an interruption to the business. \n\n# HotelTonight Testing Requirements\nResearchers can create customer accounts and book hotel rooms (test bookings) using a fake credit card in our testing environment, which doesn’t send out any email notifications (activation or confirmation) to customers. 
\n\nHotelTonight Mobile Web App\n* Accessible from https://www.hoteltonight-test.com (if using a desktop browser, note that you will need to use a mobile user-agent or Chrome developer tools to view the mobile site)\n\nHotelTonight Mobile APIs\nMobile APIs that power our mobile apps are located at:\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\nHotelTonight Cities and Inventory\nIn our testing environment, you should search for the following cities to look for hotels:\n* San Francisco\n* Las Vegas\n* New York City\n\nHotelTonight Access\nYou can create customer accounts using your emails (no activation emails will be sent), and use the following credit card for test booking a hotel room: 4111111111111111 (Visa) with any expiration date in the future. Additional test payment methods are available at https://developers.braintreepayments.com/reference/general/testing/ruby#credit-card-numbers (use only American Express, Discover, JCB, Mastercard, or Visa). Test bookings are not real bookings. We also suppress all emails for test bookings, so no email receipts will be sent to whatever email address is entered.\n\nHotelTonight Credentials\nResearchers will need to self-provision the customer accounts by signing up using their email on our mobile web app. You will not get any activation email from our testing environment.\n\n\n# Other Information\n* [Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n* [Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-03-01T22:49:54.120Z"},{"id":3712739,"new_policy":"Welcome! Airbnb is committed to building and protecting the world's most trusted community. 
If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in responsibly disclosing the issue to us.\n\nPlease submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users’ privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to maliciously exploit a security issue, or accesses other users’ data. Note: Abusing vulnerabilities in other websites in order to test Airbnb is prohibited. Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nUpon receipt of your report, we will communicate timelines for triaging and paying out your report, and answer questions during the investigative period. A detailed description of the vulnerability and reproduction steps are required for each report. If you do not provide this information within 2 business days from the submission of the report, we will close the report as Not Applicable.\n\nNote: Timelines as shown below are based upon receipt of a fully detailed vulnerability with reproduction steps provided with the submitted report.\n\n| Communication | SLA |\n|-------------------|-----------------|\n| Initial Communication | Upon receipt of new report |\n| Triage | 2 business days from receipt of new report |\n| Bounty Payout | 5 business days from Triage |\n| Response to Researcher questions | 2 days from posted question |\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. 
If you're having issues related to your individual account, please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](https://bughunters.google.com/about/rules/5604090422493184/google-play-security-reward-program-rules).\n\n# Table of Contents\n* Program Scope\n* Program Rules\n* Rewards\n* Eligibility\n* Special Testing Requirements\n    * HotelTonight Testing Requirements\n* Out of Scope Vulnerabilities (no reward)\n    * Applicable to HotelTonight\n* Other Information\n\n# Program Scope\nIn-scope assets are listed at https://hackerone.com/airbnb/policy_scopes and are reviewed on a quarterly basis to ensure the most inclusive scope possible.\n\n# Program Rules\n* Do not mass-create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through HackerOne. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* No testing on real user data permitted for any HotelTonight assets.\n* 3rd Party assets are not covered in our program.  
Our program applies to components under our control.\n\n# Rewards\nOur maximum bounty is $25,000 USD.\nReward amounts are based on Severity and overall impact. We encourage you to use the CVSS calculator in HackerOne to calculate the severity you believe is appropriate for your finding. If we believe the Severity you calculated is different from our assessment, you will be provided with an explanation, as this may impact payout. Please allow up to 5 business days from time of triage for the bounty to be paid out. The following tables outline the typical bounty ranges by Severity. All bounties are up to the discretion of Airbnb.\n\n| Severity | Payout Range |\n|-------------------|-----------------|\n| Critical | $18,000 - $25,000 |\n| High | $10,000 - $17,999 |\n| Medium | $2,000 - $9,999 |\n| Low | $250 - $1,999 |\n\n\n| Vulnerability Type | Severity Range |\n|-------------------|-----------------|\n| Remote Code Execution (RCE) | Critical |\n| SQL Injection | High - Critical |\n| Improper Direct Object Reference (IDOR) | Medium - Critical |\n| Sensitive Data Exposure | Medium - Critical |\n| Server Side Request Forgery (SSRF) | Low - Critical |\n| Local File Inclusion | Medium - High |\n| Stored Cross Site Scripting | Medium - High |\n| Significant Authentication Bypass | Medium - High |\n| Authorization Flaw | Medium - High |\n| Cross-Site Request Forgery (CSRF) | Low - Medium |\n| Open Redirect on Sensitive Parameter | Low - Medium |\n| Reflected/Other Cross Site Scripting | Low - Medium |\n| Open Redirect | Low - Medium |\n| DNS Subdomain Takeover | Low - Medium |\n\n## Highest Impact Scope\n* `*.airbnb.com`\n* All localized airbnb sites (e.g., `es.airbnb.com`, `it.airbnb.com`)\n* [Airbnb iOS app](https://apps.apple.com/us/app/airbnb/id401626263)\n* [Airbnb Android app](https://play.google.com/store/apps/details?id=com.airbnb.android)\n\n## Lower Impact Scope\nThese properties are considered to have lower security impact on our users since they should not have 
access to Airbnb user sessions and generally cannot access user data. The bounties given for reports on these properties will therefore be significantly lower.\n\n* `*.atairbnb.com`\n* `*.withairbnb.com`\n* `*.airbnbcitizen.com`\n* `*.airbnb.org`\n* `*.byairbnb.com`\n* `*.muscache.com`\n* `*.airbnb-aws.com`\n* `*.luxuryretreats.com`\n* `*.airbnbopen.com`\n* `hoteltonight-test.com`\n* `api.hoteltonight-test.com`\n* `places.hoteltonight-test.com`\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward duplicate reports.\n\n# Eligibility\nAirbnb reserves the right to decide the weakness and severity of a report and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\n\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good Bug Bounty report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Step-by-step instructions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n* Account Configuration: User type (Guest, Host, ProHost, SuperHost)\n* Severity: Use the HackerOne calculator to calculate the severity you believe matches your report\n* Asset: Select the asset that is impacted by your finding\n* Weakness: Select the weakness associated with your report\n\n# Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario, exploitability, and security impact of the bug. 
The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles that do not provide any extra information.\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses where the redacted content is replaced by the string `(Hidden by Airbnb)` (other content redaction vulnerabilities are in scope)\n* Techniques allowing you to view user profile photos (these are considered public)\n* Broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n## Applicable to HotelTonight\n* `hoteltonight.com`\n* `hoteltonight.build`\n* `hoteltonight-test.com`\n* Our partners site (`partners.hoteltonight.com`)\n* iOS mobile app\n* Single Sign On (Google or Facebook). \n* Do not send questions/requests to their customer support team for help with your testing. This is considered an interruption to the business. \n\n# HotelTonight Testing Requirements\nResearchers can create customer accounts and book hotel rooms (test bookings) using a fake credit card in our testing environment, which doesn’t send out any email notifications (activation or confirmation) to customers. 
\n\nHotelTonight Mobile Web App\n* Accessible from https://www.hoteltonight-test.com (if using a desktop browser, note that you will need to use a mobile user-agent or Chrome developer tools to view the mobile site)\n\nHotelTonight Mobile APIs\nMobile APIs that power our mobile apps are located at:\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\nHotelTonight Cities and Inventory\nIn our testing environment, you should search for the following cities to look for hotels:\n* San Francisco\n* Las Vegas\n* New York City\n\nHotelTonight Access\nYou can create customer accounts using your own email addresses (no activation emails will be sent), and use the following test credit card to book a hotel room: 4111111111111111 (Visa) with any expiration date in the future. Additional test payment methods are available at https://developers.braintreepayments.com/reference/general/testing/ruby#credit-card-numbers (use only American Express, Discover, JCB, Mastercard, or Visa). Test bookings are not real bookings. We also suppress all emails for test bookings, so no email receipts will be sent to whatever email address is entered.\n\nHotelTonight Credentials\nResearchers will need to self-provision the customer accounts by signing up using their email on our mobile web app. 
You will not get any activation email from our testing environment.\n\n\n# Other Information\n* [Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n* [Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-02-16T00:17:16.687Z"},{"id":3700166,"new_policy":"\n-------------------------\n-------------------------\n\n-------------------------\n-------------------------\nThis policy is effective as of August 19, 2023  All reports submitted prior to this date will adhere to the previous policy.\n\nWelcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in responsibly disclosing the issue to us.\n\nPlease submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users’ privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to maliciously exploit a security issue, or access other user’s data. Note: Abusing vulnerabilities in other websites in order to test Airbnb is prohibited. 
Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nUpon receipt of your report, we will communicate timelines for triaging, paying out your report,  and answer questions during the investigative period. A detailed description of the vulnerability and reproduction steps are required for each report. If you do not provide this information within 2-business days from the submission of the report, we will close the report as Not Applicable.\n\nNote: Timelines as shown below are based upon receipt of a fully detailed vulnerability with reproduction steps provided with the submitted report.\n\nInitial Communication: Upon receipt of new report\nInitial Triage Review: 2-business days from receipt of new report\nTier 2 Triage Review: 2-business days from Tier 1 review\nBounty Payout: 5-business days from Tier 2 Triage Review\nResponse to Researcher Questions: 2-business days from posted question\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, please visit our Help Center https://www.airbnb.com/help\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](https://bughunters.google.com/about/rules/5604090422493184/google-play-security-reward-program-rules)\n\n# Table of Contents\n* Program Scope\n* Program Rules\n* Rewards\n* Eligibility\n* Special Testing Requirements\n    * HotelTonight Testing Requirements\n* Out of Scope Vulnerabilities (no reward)\n    * Applicable to HotelTonight\n* Other Information\n\n# Program Scope\nIn-scope assets are listed at https://hackerone.com/airbnb/policy_scopes and are reviewed on a quarterly basis to ensure the most inclusive scope possible.\n\n# Program Rules\n* Do not mass-create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through HackerOne. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* No testing on real user data permitted for any HotelTonight assets. \n\n# Rewards\nOur maximum bounty is $25,000 USD. \nReward amounts are based on Severity and overall impact. We encourage you to use the CVSS calculator in HackerOne to calculate the severity you believe is appropriate for your finding. If we believe the Severity you calculated is different from our assessment, you will be provided with an explanation as this may impact payout. 
Please allow up to 5 business days from the time of triage for a bounty to be paid out. The following tables outline the typical bounty ranges by Severity. All bounties are up to the discretion of Airbnb.\n\n| Severity | Payout Range |\n|-------------------|-----------------|\n| Critical | $18,000 - $25,000 |\n| High | $10,000 - $17,999 |\n| Medium | $2,000 - $9,999 |\n| Low | $250 - $1,999 |\n\n| Vulnerability Type | Severity Range |\n|-------------------|-----------------|\n| Remote Code Execution (RCE) | Critical |\n| SQL Injection | High - Critical |\n| Insecure Direct Object Reference (IDOR) | Medium - Critical |\n| Sensitive Data Exposure | Medium - Critical |\n| Server-Side Request Forgery (SSRF) | Low - Critical |\n| Local File Inclusion | Medium - High |\n| Stored Cross-Site Scripting | Medium - High |\n| Significant Authentication Bypass | Medium - High |\n| Authorization Flaw | Medium - High |\n| Cross-Site Request Forgery (CSRF) | Low - Medium |\n| Open Redirect on Sensitive Parameter | Low - Medium |\n| Reflected/Other Cross-Site Scripting | Low - Medium |\n| Open Redirect | Low - Medium |\n| DNS Subdomain Takeover | Low - Medium |\n\n## Highest Impact Scope\n* `*.airbnb.com`\n* All localized Airbnb sites (e.g., `es.airbnb.com`, `it.airbnb.com`)\n* [Airbnb iOS app](https://apps.apple.com/us/app/airbnb/id401626263)\n* [Airbnb Android app](https://play.google.com/store/apps/details?id=com.airbnb.android)\n\n## Lower Impact Scope\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. 
The bounties given for reports on these properties will therefore be significantly lower.\n\n* `*.atairbnb.com`\n* `*.withairbnb.com`\n* `*.airbnbcitizen.com`\n* `*.airbnb.org`\n* `*.byairbnb.com`\n* `*.muscache.com`\n* `*.airbnb-aws.com`\n* `*.luxuryretreats.com`\n* `*.airbnbopen.com`\n* `hoteltonight-test.com`\n* `api.hoteltonight-test.com`\n* `places.hoteltonight-test.com`\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward duplicate reports. \n\n# Eligibility\nAirbnb reserves the right to decide the weakness and severity of a report and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\n\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good Bug Bounty report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Step-by-step instructions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n* Account Configuration: User type (Guest, Host, ProHost, SuperHost)\n* Severity: Use the HackerOne calculator to calculate the severity you believe matches your report\n* Asset: Select the asset that is impacted by your finding\n* Weakness: Select the weakness associated with your report\n\n# Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario, exploitability, and security impact of the bug. 
The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles that do not provide any extra information.\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses where the redacted content is replaced by the string `(Hidden by Airbnb)` (other content redaction vulnerabilities are in scope)\n* Techniques allowing you to view user profile photos (these are considered public)\n* Broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n## Applicable to HotelTonight\n* `hoteltonight.com`\n* `hoteltonight.build`\n* `hoteltonight-test.com`\n* Our partners site (`partners.hoteltonight.com`)\n* iOS mobile app\n* Single Sign On (Google or Facebook). \n* Do not send questions/requests to their customer support team for help with your testing. This is considered an interruption to the business. \n\n# HotelTonight Testing Requirements\nResearchers can create customer accounts and book hotel rooms (test bookings) using a fake credit card in our testing environment, which doesn’t send out any email notifications (activation or confirmation) to customers. 
\n\nHotelTonight Mobile Web App\n* Accessible from https://www.hoteltonight-test.com (if using a desktop browser, note that you will need to use a mobile user-agent or Chrome developer tools to view the mobile site)\n\nHotelTonight Mobile APIs\nMobile APIs that power our mobile apps are located at:\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\nHotelTonight Cities and Inventory\nIn our testing environment, you should search for the following cities to look for hotels:\n* San Francisco\n* Las Vegas\n* New York City\n\nHotelTonight Access\nYou can create customer accounts using your own email addresses (no activation emails will be sent), and use the following test credit card to book a hotel room: 4111111111111111 (Visa) with any expiration date in the future. Additional test payment methods are available at https://developers.braintreepayments.com/reference/general/testing/ruby#credit-card-numbers (use only American Express, Discover, JCB, Mastercard, or Visa). Test bookings are not real bookings. We also suppress all emails for test bookings, so no email receipts will be sent to whatever email address is entered.\n\nHotelTonight Credentials\nResearchers will need to self-provision the customer accounts by signing up using their email on our mobile web app. 
You will not get any activation email from our testing environment.\n\n\n# Other Information\n* [Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n* [Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-08-21T00:08:59.383Z"},{"id":3700147,"new_policy":"\n-------------------------\n-------------------------\n\n-------------------------\n-------------------------\nThis policy is effective as of August 19, 2023  All reports submitted prior to this date will adhere to the previous policy.\n\nWelcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in responsibly disclosing the issue to us.\n\nPlease submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users’ privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to maliciously exploit a security issue, or access other user’s data. Note: Abusing vulnerabilities in other websites in order to test Airbnb is prohibited. 
Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nUpon receipt of your report, we will communicate timelines for triaging, paying out your report,  and answer questions during the investigative period. A detailed description of the vulnerability and reproduction steps are required for each report. If you do not provide this information within 2-business days from the submission of the report, we will close the report as Not Applicable.\n\nNote: Timelines as shown below are based upon receipt of a fully detailed vulnerability with reproduction steps provided with the submitted report.\n\nInitial Communication: Upon receipt of new report\nInitial Triage Review: 2-business days from receipt of new report\nTier 2 Triage Review: 2-business days from Tier 1 review\nBounty Payout: 5-business days from Tier 2 Triage Review\nResponse to Researcher Questions: 2-business days from posted question\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](https://bughunters.google.com/about/rules/5604090422493184/google-play-security-reward-program-rules)\n\n# Table of Contents\n* Program Scope\n* Program Rules\n* Rewards\n* Eligibility\n* Special Testing Requirements\n    * HotelTonight Testing Requirements\n* Out of Scope Vulnerabilities (no reward)\n    * Applicable to HotelTonight\n* Other Information\n\n# Program Scope\nIn-scope assets are listed at https://hackerone.com/airbnb/policy_scopes and are reviewed on a quarterly basis to ensure the most inclusive scope possible.\n\n# Program Rules\n* Do not mass-create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through HackerOne. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* No testing on real user data permitted for any HotelTonight assets. \n\n# Rewards\nOur maximum bounty is $25,000 USD. \nReward amounts are based on Severity and overall impact. We encourage you to use the CVSS calculator in HackerOne to calculate the severity you believe is appropriate for your finding. If we believe the Severity you calculated is different from our assessment, you will be provided with an explanation as this may impact payout. 
Please allow up to 5 business days from the time of triage for a bounty to be paid out. The following tables outline the typical bounty ranges by Severity. All bounties are up to the discretion of Airbnb.\n\n| Severity | Payout Range |\n|-------------------|-----------------|\n| Critical | $18,000 - $25,000 |\n| High | $10,000 - $17,999 |\n| Medium | $2,000 - $9,999 |\n| Low | $250 - $1,999 |\n\n| Vulnerability Type | Severity Range |\n|-------------------|-----------------|\n| Remote Code Execution (RCE) | Critical |\n| SQL Injection | High - Critical |\n| Insecure Direct Object Reference (IDOR) | Medium - Critical |\n| Sensitive Data Exposure | Medium - Critical |\n| Server-Side Request Forgery (SSRF) | Low - Critical |\n| Local File Inclusion | Medium - High |\n| Stored Cross-Site Scripting | Medium - High |\n| Significant Authentication Bypass | Medium - High |\n| Authorization Flaw | Medium - High |\n| Cross-Site Request Forgery (CSRF) | Low - Medium |\n| Open Redirect on Sensitive Parameter | Low - Medium |\n| Reflected/Other Cross-Site Scripting | Low - Medium |\n| Open Redirect | Low - Medium |\n| DNS Subdomain Takeover | Low - Medium |\n\n## Highest Impact Scope\n* `*.airbnb.com`\n* All localized Airbnb sites (e.g., `es.airbnb.com`, `it.airbnb.com`)\n* [Airbnb iOS app](https://apps.apple.com/us/app/airbnb/id401626263)\n* [Airbnb Android app](https://play.google.com/store/apps/details?id=com.airbnb.android)\n\n## Lower Impact Scope\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. 
The bounties given for reports on these properties will therefore be significantly lower.\n\n* `*.atairbnb.com`\n* `*.withairbnb.com`\n* `*.airbnbcitizen.com`\n* `*.airbnb.org`\n* `*.byairbnb.com`\n* `*.muscache.com`\n* `*.airbnb-aws.com`\n* `*.luxuryretreats.com`\n* `*.airbnbopen.com`\n* `hoteltonight-test.com`\n* `api.hoteltonight-test.com`\n* `places.hoteltonight-test.com`\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward duplicate reports. \n\n# Eligibility\nAirbnb reserves the right to decide the weakness and severity of a report and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\n\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good Bug Bounty report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Step-by-step instructions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n* Account Configuration: User type (Guest, Host, ProHost, SuperHost)\n* Severity: Use the HackerOne calculator to calculate the severity you believe matches your report\n* Asset: Select the asset that is impacted by your finding\n* Weakness: Select the weakness associated with your report\n\n# Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario, exploitability, and security impact of the bug. 
The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles that do not provide any extra information.\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses where the redacted content is replaced by the string `(Hidden by Airbnb)` (other content redaction vulnerabilities are in scope)\n* Techniques allowing you to view user profile photos (these are considered public)\n* Broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n## Applicable to HotelTonight\n* `hoteltonight.com`\n* `hoteltonight.build`\n* `hoteltonight-test.com`\n* Our partners site (`partners.hoteltonight.com`)\n* iOS mobile app\n* Single Sign On (Google or Facebook). \n* Do not send questions/requests to their customer support team for help with your testing. This is considered an interruption to the business. \n\n# HotelTonight Testing Requirements\nResearchers can create customer accounts and book hotel rooms (test bookings) using a fake credit card in our testing environment, which doesn’t send out any email notifications (activation or confirmation) to customers. 
\n\nHotelTonight Mobile Web App\n* Accessible from https://www.hoteltonight-test.com (if using a desktop browser, note that you will need to use a mobile user-agent or Chrome developer tools to view the mobile site)\n\nHotelTonight Mobile APIs\nMobile APIs that power our mobile apps are located at:\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\nHotelTonight Cities and Inventory\nIn our testing environment, you should search for the following cities to look for hotels:\n* San Francisco\n* Las Vegas\n* New York City\n\nHotelTonight Access\nYou can create customer accounts using your own email addresses (no activation emails will be sent), and use the following test credit card to book a hotel room: 4111111111111111 (Visa) with any expiration date in the future. Additional test payment methods are available at https://developers.braintreepayments.com/reference/general/testing/ruby#credit-card-numbers (use only American Express, Discover, JCB, Mastercard, or Visa). Test bookings are not real bookings. We also suppress all emails for test bookings, so no email receipts will be sent to whatever email address is entered.\n\nHotelTonight Credentials\nResearchers will need to self-provision the customer accounts by signing up using their email on our mobile web app. 
You will not get any activation email from our testing environment.\n\n\n# Other Information\n* [Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n* [Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-08-19T18:59:04.592Z"},{"id":3700146,"new_policy":"\n-------------------------\n-------------------------\n\n-------------------------\n-------------------------\nThis policy is effective as of August 19, 2023  All reports submitted prior to this date will adhere to the previous policy.\n\nWelcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in responsibly disclosing the issue to us.\n\nPlease submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users’ privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to maliciously exploit a security issue, or access other user’s data. Note: Abusing vulnerabilities in other websites in order to test Airbnb is prohibited. 
Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nUpon receipt of your report, we will communicate timelines for triaging, paying out your report,  and answer questions during the investigative period. A detailed description of the vulnerability and reproduction steps are required for each report. If you do not provide this information within 2-business days from the submission of the report, we will close the report as Not Applicable.\n\nNote: Timelines as shown below are based upon receipt of a fully detailed vulnerability with reproduction steps provided with the submitted report.\n\nInitial Communication: Upon receipt of new report\nInitial Triage Review: 2-business days from receipt of new report\nTier 2 Triage Review: 2-business days from Tier 1 review\nBounty Payout: 5-business days from Tier 2 Triage Review\nResponse to Researcher Questions: 2-business days from posted question\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](https://bughunters.google.com/about/rules/5604090422493184/google-play-security-reward-program-rules)\n\n# Table of Contents\n* Program Scope\n* Program Rules\n* Rewards\n* Eligibility\n* Special Testing Requirements\n    * HotelTonight Testing Requirements\n* Out of Scope Vulnerabilities (no reward)\n    * Applicable to HotelTonight\n* Other Information\n\n# Program Scope\nIn-scope assets are listed at https://hackerone.com/airbnb/policy_scopes and are reviewed on a quarterly basis to ensure the most inclusive scope possible.\n\n# Program Rules\n* Do not mass-create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through HackerOne. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* No testing on real user data permitted for any HotelTonight assets. \n\n# Rewards\nOur maximum bounty is $25,000 USD. \nReward amounts are based on Severity and overall impact. We encourage you to use the CVSS calculator in HackerOne to calculate the severity you believe is appropriate for your finding. If we believe the Severity you calculated is different from our assessment, you will be provided with an explanation as this may impact payout. 
Please allow up to 5 business days from the time of triage for a bounty to be paid out. The following tables outline the typical bounty ranges by Severity. All bounties are up to the discretion of Airbnb.\n\n| Severity | Payout Range |\n|-------------------|-----------------|\n| Critical | $18,000 - $25,000 |\n| High | $10,000 - $17,999 |\n| Medium | $2,000 - $9,999 |\n| Low | $250 - $1,999 |\n\n| Vulnerability Type | Severity Range |\n|-------------------|-----------------|\n| Remote Code Execution (RCE) | Critical |\n| SQL Injection | High - Critical |\n| Insecure Direct Object Reference (IDOR) | Medium - Critical |\n| Sensitive Data Exposure | Medium - Critical |\n| Server-Side Request Forgery (SSRF) | Low - Critical |\n| Local File Inclusion | Medium - High |\n| Stored Cross-Site Scripting | Medium - High |\n| Significant Authentication Bypass | Medium - High |\n| Authorization Flaw | Medium - High |\n| Cross-Site Request Forgery (CSRF) | Low - Medium |\n| Open Redirect on Sensitive Parameter | Low - Medium |\n| Reflected/Other Cross-Site Scripting | Low - Medium |\n| Open Redirect | Low - Medium |\n| DNS Subdomain Takeover | Low - Medium |\n\n## Highest Impact Scope\n* `*.airbnb.com`\n* All localized Airbnb sites (e.g., `es.airbnb.com`, `it.airbnb.com`)\n* [Airbnb iOS app](https://apps.apple.com/us/app/airbnb/id401626263)\n* [Airbnb Android app](https://play.google.com/store/apps/details?id=com.airbnb.android)\n\n## Lower Impact Scope\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. 
The bounties given for reports on these properties will therefore be significantly lower.\n\n* `*.atairbnb.com`\n* `*.withairbnb.com`\n* `*.airbnbcitizen.com`\n* `*.airbnb.org`\n* `*.byairbnb.com`\n* `*.muscache.com`\n* `*.airbnb-aws.com`\n* `*.luxuryretreats.com`\n* `*.airbnbopen.com`\n* `hoteltonight-test.com`\n* `api.hoteltonight-test.com`\n* `places.hoteltonight-test.com`\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward duplicate reports. \n\n# Eligibility\nAirbnb reserves the right to decide the weakness and severity of a report and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\n\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good Bug Bounty report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Step-by-step instructions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n* Account Configuration: User type (Guest, Host, ProHost, SuperHost)\n* Severity: Use the HackerOne calculator to calculate the severity you believe matches your report\n* Asset: Select the asset that is impacted by your finding\n* Weakness: Select the weakness associated with your report\n\n# Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario, exploitability, and security impact of the bug. 
The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles that do not provide any extra information.\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses where the redacted content is replaced by the string `(Hidden by Airbnb)` (other content redaction vulnerabilities are in scope)\n* Techniques allowing you to view user profile photos (these are considered public)\n* Broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n## Applicable to HotelTonight\n* `hoteltonight.com`\n* `hoteltonight.build`\n* `hoteltonight-test.com`\n* Our partners site (`partners.hoteltonight.com`)\n* iOS mobile app\n* Single Sign On (Google or Facebook). \n* Do not send questions/requests to their customer support team for help with your testing. This is considered an interruption to the business. \n\n# HotelTonight Testing Requirements\nResearchers can create customer accounts and book hotel rooms (test bookings) using a fake credit card in our testing environment, which doesn’t send out any email notifications (activation or confirmation) to customers. 
\n\n## HotelTonight Mobile Web App\n* Accessible from https://www.hoteltonight-test.com (if using a desktop browser, note that you will need to use a mobile user-agent or Chrome developer tools to view the mobile site)\n\n## HotelTonight Mobile APIs\nMobile APIs that power our mobile apps are located at:\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\n## HotelTonight Cities and Inventory\nIn our testing environment, you should search for the following cities to look for hotels:\n* San Francisco\n* Las Vegas\n* New York City\n\n## HotelTonight Access\nYou can create customer accounts using your emails (no activation emails will be sent), and use the following credit card for test booking a hotel room: 4111111111111111 (Visa) with any expiration date in the future. Additional test payment methods are available at https://developers.braintreepayments.com/reference/general/testing/ruby#credit-card-numbers (use only American Express, Discover, JCB, Mastercard, or Visa). Test bookings are not real bookings. We also suppress all emails for test bookings, so no email receipts will be sent to whatever email address is entered.\n\n## HotelTonight Credentials\nResearchers will need to self-provision the customer accounts by signing up using their email on our mobile web app. 
You will not get any activation email from our testing environment.\n\n\n# Other Information\n* [Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n* [Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-08-19T18:56:48.096Z"},{"id":3700143,"new_policy":"\n-------------------------\n-------------------------\n\n-------------------------\n-------------------------\nThis policy is effective as of August 19, 2023  All reports submitted prior to this date will adhere to the previous policy.\n\nWelcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in responsibly disclosing the issue to us.\n\nPlease submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users’ privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to maliciously exploit a security issue, or access other user’s data. Note: Abusing vulnerabilities in other websites in order to test Airbnb is prohibited. 
Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nUpon receipt of your report, we will communicate timelines for triaging and paying out your report, and answer questions during the investigative period. A detailed description of the vulnerability and reproduction steps are required for each report. If you do not provide this information within 2 business days from the submission of the report, we will close the report as Not Applicable.\n\nNote: Timelines as shown below are based upon receipt of a fully detailed vulnerability with reproduction steps provided with the submitted report.\n\n| Communication | SLA |\n|-------------------|-----------------|\n| Initial Communication | Upon receipt of new report |\n| Initial Triage Review | 2 business days from receipt of new report |\n| Tier 2 Triage Review | 2 business days from Tier 1 review |\n| Bounty Payout | 5 business days from Tier 2 Triage Review |\n| Response to Researcher Questions | 2 business days from posted question |\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](https://bughunters.google.com/about/rules/5604090422493184/google-play-security-reward-program-rules).\n\n# Table of Contents\n* Program Scope\n* Program Rules\n* Rewards\n* Eligibility\n* Special Testing Requirements\n    * HotelTonight Testing Requirements\n* Out of Scope Vulnerabilities (no reward)\n    * Applicable to HotelTonight\n* Other Information\n\n# Program Scope\nIn Scope assets are listed at https://hackerone.com/airbnb/policy_scopes and are reviewed on a quarterly basis to ensure the most inclusive scope possible.\n\n# Program Rules\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through HackerOne. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* No testing on real user data permitted for any HotelTonight assets.\n\n# Rewards\nOur maximum bounty is $25,000 USD.\nReward amounts are based on Severity and overall impact. We encourage you to use the CVSS calculator in HackerOne to calculate the severity you believe is appropriate for your finding. If we believe the Severity you calculated is different from our assessment, you will be provided with an explanation as this may impact payout. 
Please allow up to 5 business days from time of triage for bounty to be paid out. The following table outlines the typical bounty ranges by Severity. All bounties are up to the discretion of Airbnb.\n\n| Severity | Payout Range |\n|-------------------|-----------------|\n| Critical | $18,000 - $25,000 |\n| High | $10,000 - $17,999 |\n| Medium | $2,000 - $9,999 |\n| Low | $250 - $1,999 |\n\n| Vulnerability Type | Severity Range |\n|-------------------|-----------------|\n| Remote Code Execution (RCE) | Critical |\n| SQL Injection | High - Critical |\n| Improper Direct Object Reference (IDOR) | Medium - Critical |\n| Sensitive Data Exposure | Medium - Critical |\n| Server Side Request Forgery (SSRF) | Low - Critical |\n| Local File Inclusion | Medium - High |\n| Stored Cross Site Scripting | Medium - High |\n| Significant Authentication Bypass | Medium - High |\n| Authorization Flaw | Medium - High |\n| Cross-Site Request Forgery (CSRF) | Low - Medium |\n| Open Redirect on Sensitive Parameter | Low - Medium |\n| Reflected/Other Cross Site Scripting | Low - Medium |\n| Open Redirect | Low - Medium |\n| DNS Subdomain Takeover | Low - Medium |\n\n## Highest Impact Scope\n* `*.airbnb.com`\n* All localized airbnb sites (e.g., `es.airbnb.com`, `it.airbnb.com`)\n* [Airbnb iOS app](https://apps.apple.com/us/app/airbnb/id401626263)\n* [Airbnb Android app](https://play.google.com/store/apps/details?id=com.airbnb.android)\n\n## Lower Impact Scope\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. 
The bounties given for reports on these properties will therefore be significantly lower.\n\n* `*.atairbnb.com`\n* `*.withairbnb.com`\n* `*.airbnbcitizen.com`\n* `*.airbnb.org`\n* `*.byairbnb.com`\n* `*.muscache.com`\n* `*.airbnb-aws.com`\n* `*.luxuryretreats.com`\n* `*.airbnbopen.com`\n* `hoteltonight-test.com`\n* `api.hoteltonight-test.com`\n* `places.hoteltonight-test.com`\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward duplicate reports.\n\n# Eligibility\nAirbnb reserves the right to decide the weakness and severity of a report and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\n\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good Bug Bounty report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Step-by-step instructions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n* Account Configuration: User type (Guest, Host, ProHost, SuperHost)\n* Severity: Use the HackerOne calculator to calculate the severity you believe matches your report\n* Asset: Select the asset that is impacted by your finding\n* Weakness: Select the weakness associated with your report\n\n# Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario, exploitability, and security impact of the bug. 
The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles that do not provide any extra information.\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses where the redacted content is replaced by the string `(Hidden by Airbnb)` (other content redaction vulnerabilities are in scope)\n* Techniques allowing you to view user profile photos (these are considered public)\n* Broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n## Applicable to HotelTonight\n* `hoteltonight.com`\n* `hoteltonight.build`\n* `hoteltonight-test.com`\n* Our partners site (`partners.hoteltonight.com`)\n* iOS mobile app\n* Single Sign On (Google or Facebook). \n* Do not send questions/requests to their customer support team for help with your testing. This is considered an interruption to the business. \n\n# HotelTonight Testing Requirements\nResearchers can create customer accounts and book hotel rooms (test bookings) using a fake credit card in our testing environment, which doesn’t send out any email notifications (activation or confirmation) to customers. 
\n\n## HotelTonight Mobile Web App\n* Accessible from https://www.hoteltonight-test.com (if using a desktop browser, note that you will need to use a mobile user-agent or Chrome developer tools to view the mobile site)\n\n## HotelTonight Mobile APIs\nMobile APIs that power our mobile apps are located at:\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\n## HotelTonight Cities and Inventory\nIn our testing environment, you should search for the following cities to look for hotels:\n* San Francisco\n* Las Vegas\n* New York City\n\n## HotelTonight Access\nYou can create customer accounts using your emails (no activation emails will be sent), and use the following credit card for test booking a hotel room: 4111111111111111 (Visa) with any expiration date in the future. Additional test payment methods are available at https://developers.braintreepayments.com/reference/general/testing/ruby#credit-card-numbers (use only American Express, Discover, JCB, Mastercard, or Visa). Test bookings are not real bookings. We also suppress all emails for test bookings, so no email receipts will be sent to whatever email address is entered.\n\n## HotelTonight Credentials\nResearchers will need to self-provision the customer accounts by signing up using their email on our mobile web app. 
You will not get any activation email from our testing environment.\n\n\n# Other Information\n* [Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n* [Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-08-19T15:05:53.782Z"},{"id":3700142,"new_policy":"\n-------------------------\n-------------------------\n\n-------------------------\n-------------------------\nThis policy is effective as of August 19, 2023  All reports submitted prior to this date will adhere to the previous policy.\n\nWelcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in responsibly disclosing the issue to us.\n\nPlease submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users’ privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to maliciously exploit a security issue, or access other user’s data. Note: Abusing vulnerabilities in other websites in order to test Airbnb is prohibited. 
Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nUpon receipt of your report, we will communicate timelines for triaging and paying out your report, and answer questions during the investigative period. A detailed description of the vulnerability and reproduction steps are required for each report. If you do not provide this information within 2 business days from the submission of the report, we will close the report as Not Applicable.\n\nNote: Timelines as shown below are based upon receipt of a fully detailed vulnerability with reproduction steps provided with the submitted report.\n\n| Communication | SLA |\n|-------------------|-----------------|\n| Initial Communication | Upon receipt of new report |\n| Initial Triage Review | 2 business days from receipt of new report |\n| Tier 2 Triage Review | 2 business days from Tier 1 review |\n| Bounty Payout | 5 business days from Tier 2 Triage Review |\n| Response to Researcher Questions | 2 business days from posted question |\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](https://bughunters.google.com/about/rules/5604090422493184/google-play-security-reward-program-rules).\n\n# Table of Contents\n* Program Scope\n* Program Rules\n* Rewards\n* Eligibility\n* Special Testing Requirements\n    * HotelTonight Testing Requirements\n* Out of Scope Vulnerabilities (no reward)\n    * Applicable to HotelTonight\n* Other Information\n\n# Program Scope\nIn Scope assets are listed at https://hackerone.com/airbnb/policy_scopes and are reviewed on a quarterly basis to ensure the most inclusive scope possible.\n\n# Program Rules\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through HackerOne. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* No testing on real user data permitted for any HotelTonight assets.\n\n# Rewards\nOur maximum bounty is $25,000 USD.\nReward amounts are based on Severity and overall impact. We encourage you to use the CVSS calculator in HackerOne to calculate the severity you believe is appropriate for your finding. If we believe the Severity you calculated is different from our assessment, you will be provided with an explanation as this may impact payout. 
Please allow up to 5 business days from time of triage for bounty to be paid out. The following table outlines the typical bounty ranges by Severity. All bounties are up to the discretion of Airbnb.\n\n| Severity | Payout Range |\n|-------------------|-----------------|\n| Critical | $18,000 - $25,000 |\n| High | $10,000 - $17,999 |\n| Medium | $2,000 - $9,999 |\n| Low | $250 - $1,999 |\n\n| Vulnerability Type | Severity Range |\n|-------------------|-----------------|\n| Remote Code Execution (RCE) | Critical |\n| SQL Injection | High - Critical |\n| Improper Direct Object Reference (IDOR) | Medium - Critical |\n| Sensitive Data Exposure | Medium - Critical |\n| Server Side Request Forgery (SSRF) | Low - Critical |\n| Local File Inclusion | Medium - High |\n| Stored Cross Site Scripting | Medium - High |\n| Significant Authentication Bypass | Medium - High |\n| Authorization Flaw | Medium - High |\n| Cross-Site Request Forgery (CSRF) | Low - Medium |\n| Open Redirect on Sensitive Parameter | Low - Medium |\n| Reflected/Other Cross Site Scripting | Low - Medium |\n| Open Redirect | Low - Medium |\n| DNS Subdomain Takeover | Low - Medium |\n\n## Highest Impact Scope\n* `*.airbnb.com`\n* All localized airbnb sites (e.g., `es.airbnb.com`, `it.airbnb.com`)\n* [Airbnb iOS app](https://apps.apple.com/us/app/airbnb/id401626263)\n* [Airbnb Android app](https://play.google.com/store/apps/details?id=com.airbnb.android)\n\n## Lower Impact Scope\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. 
The bounties given for reports on these properties will therefore be significantly lower.\n\n* `*.atairbnb.com`\n* `*.withairbnb.com`\n* `*.airbnbcitizen.com`\n* `*.airbnb.org`\n* `*.byairbnb.com`\n* `*.muscache.com`\n* `*.airbnb-aws.com`\n* `*.luxuryretreats.com`\n* `*.airbnbopen.com`\n* `hoteltonight-test.com`\n* `api.hoteltonight-test.com`\n* `places.hoteltonight-test.com`\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward duplicate reports.\n\n# Eligibility\nAirbnb reserves the right to decide the weakness and severity of a report and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\n\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good Bug Bounty report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Step-by-step instructions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n* Account Configuration: User type (Guest, Host, ProHost, SuperHost)\n* Severity: Use the HackerOne calculator to calculate the severity you believe matches your report\n* Asset: Select the asset that is impacted by your finding\n* Weakness: Select the weakness associated with your report\n\n# Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario, exploitability, and security impact of the bug. 
The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles that do not provide any extra information.\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses where the redacted content is replaced by the string `(Hidden by Airbnb)` (other content redaction vulnerabilities are in scope)\n* Techniques allowing you to view user profile photos (these are considered public)\n* Broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n## Applicable to HotelTonight\n* `hoteltonight.com`\n* `hoteltonight.build`\n* `hoteltonight-test.com`\n* Our partners site (`partners.hoteltonight.com`)\n* iOS mobile app\n* Single Sign On (Google or Facebook). \n* Do not send questions/requests to their customer support team for help with your testing. This is considered an interruption to the business. \n\n# HotelTonight Testing Requirements\nResearchers can create customer accounts and book hotel rooms (test bookings) using a fake credit card in our testing environment, which doesn’t send out any email notifications (activation or confirmation) to customers. 
\n\n## HotelTonight Mobile Web App\n* Accessible from https://www.hoteltonight-test.com (if using a desktop browser, note that you will need to use a mobile user-agent or Chrome developer tools to view the mobile site)\n\n## HotelTonight Mobile APIs\nMobile APIs that power our mobile apps are located at:\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\n## HotelTonight Cities and Inventory\nIn our testing environment, you should search for the following cities to look for hotels:\n* San Francisco\n* Las Vegas\n* New York City\n\n## HotelTonight Access\nYou can create customer accounts using your emails (no activation emails will be sent), and use the following credit card for test booking a hotel room: 4111111111111111 (Visa) with any expiration date in the future. Additional test payment methods are available at https://developers.braintreepayments.com/reference/general/testing/ruby#credit-card-numbers (use only American Express, Discover, JCB, Mastercard, or Visa). Test bookings are not real bookings. We also suppress all emails for test bookings, so no email receipts will be sent to whatever email address is entered.\n\n## HotelTonight Credentials\nResearchers will need to self-provision the customer accounts by signing up using their email on our mobile web app. 
You will not get any activation email from our testing environment.\n\n\n# Other Information\n* [Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n* [Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-08-19T14:34:11.169Z"},{"id":3678888,"new_policy":"\n-------------------------\n-------------------------\n\n-------------------------\n-------------------------\nWelcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or access other user’s data.  Note:  Abusing vulnerabilities in other websites in order to test Airbnb is prohibited.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. 
Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](https://hackerone.com/googleplay).\n\n# Table of Contents\n* Program Scope\n    * Highest Impact Scope\n    * Lower Impact Scope\n* Special Testing Requirements\n    * Luckey Testing Requirements\n    * HotelTonight Testing Requirements\n    * Urbandoor Testing Requirements\n* Program Rules\n* Out of Scope Vulnerabilities (no reward)\n    * Applicable to HotelTonight\n    * Applicable to Luckey Homes\n* Eligibility\n* Rewards\n* Other Information\n\n# Program Scope\n## Highest Impact Scope\n* `*.airbnb.com`\n* All localized airbnb sites (e.g., `es.airbnb.com`, `it.airbnb.com`)\n* [Airbnb iOS app](https://apps.apple.com/us/app/airbnb/id401626263)\n* [Airbnb Android app](https://play.google.com/store/apps/details?id=com.airbnb.android)\n\n## Lower Impact Scope\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. 
The bounties given for reports on these properties will therefore be significantly lower.\n\n* `*.atairbnb.com`\n* `*.withairbnb.com`\n* `*.airbnbcitizen.com`\n* `*.airbnb.org`\n* `*.byairbnb.com`\n* `*.muscache.com`\n* `*.airbnb-aws.com`\n* `*.luxuryretreats.com`\n* `*.airbnbopen.com`\n* `demo.urbandoor.com`\n* `provider.demo.urbandoor.com`\n* `admin.demo.urbandoor.com`\n* `luckey.in`\n* `luckey.fr`\n* `luckey.es`\n* `luckey.ca`\n* `luckey.app`\n* `luckey.com`\n* `luckey.partners`\n* `hoteltonight-test.com`\n* `api.hoteltonight-test.com`\n* `places.hoteltonight-test.com`\n\n# Special Testing Requirements\n\n## Luckey Testing Requirements\nHackerOne testers can only browse the public login pages. We do not provide or approve Luckey Homes test accounts.\n\nIf you create a lead (contact form, signup, or the “estimate income” modal, i.e. a POST to /new_lead), please pass an additional parameter `source` with the value `luckey_test`. This is executed at the end of the lead creation form on luckey.*.\n* If you post directly to the API endpoints, add `source=luckey_test` to your POST payload.\n* Or browse to https://luckey.fr/?utm_source=luckey_test to automatically add `source=luckey_test` to your POST payloads.\n* If you skip this Testing Requirement, you will be in violation of our program rules and not eligible for a bounty reward.\n\nThe above steps do not result in a test account. They simply allow you to test some functionality without causing disruption to our internal business support team.\n\n## HotelTonight Testing Requirements\nResearchers can create customer accounts and book hotel rooms (test bookings) using a fake credit card on our staging environment, which doesn’t send out any email notifications (activation or confirmation) to customers. 
\n\n### Hotel Tonight Mobile Web App\n* Accessible from https://www.hoteltonight-test.com (if using a desktop browser, note that you will need to use a mobile user-agent or Chrome developer tools to view the mobile site)\n\n### Hotel Tonight Mobile APIs\nMobile APIs that power our mobile apps are located at:\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\n### Hotel Tonight Cities and Inventory\nOn our staging environment, you should search for the following cities to look for hotels:\n* San Francisco\n* Las Vegas\n* New York City\n\n### Hotel Tonight Access\nYou can create customer accounts using your emails (no activation emails will be sent), and use the following credit card for test booking a hotel room: 4111111111111111 (Visa) with any expiration date in the future. Additional test payment methods are available at https://developers.braintreepayments.com/reference/general/testing/ruby#credit-card-numbers (use only American Express, Discover, JCB, Mastercard, or Visa). Test bookings are not real bookings. We also suppress all emails for test bookings, so no email receipts will be sent to whatever email address is entered.\n\n### Hotel Tonight Credentials\nResearchers will need to self-provision the customer accounts by signing up using their email on our mobile web app. You will not get any activation email from our staging environment.\n\n## Urbandoor Testing Requirements\nDo NOT create requests and bookings at www.urbandoor.com or other Urbandoor environments. We no longer approve or provide test accounts, requests or bookings in any Urbandoor environment. You may browse our demo environments for vulnerabilities, but we no longer have a test account creation workflow.\n\n# Program Rules\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through Hackerone. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n* No testing on real user data permitted for any Urbandoor, Hotel Tonight, or Gaest assets. \n\n# Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario, exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles that do not provide any extra information.\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses where the redacted content is replaced by the string `(Hidden by Airbnb)` (other content redaction vulnerabilities are in scope)\n* Techniques allowing you to view user profile photos (these are considered public)\n* Broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n## Applicable to HotelTonight\n* `hoteltonight.com`\n* `hoteltonight.build`\n* Our partners site (`partners.hoteltonight.com`)\n* iOS mobile app\n* Single Sign On 
(Google or Facebook). This doesn’t work reliably on our staging environment\n* Do not send questions/requests to their customer support team for help with your testing. This is considered an interruption to the business. \n\n## Applicable to Luckey Homes\n* Do not send questions/requests to their customer support team. This is considered an interruption to the business. You must also follow Airbnb's General Program Rules (listed above).\n\n# Eligibility\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n# Rewards\nOur maximum bounty is $15,000 USD. \nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. 
The following table outlines the average rewards for specific classes of vulnerabilities:\n\n|Vulnerability Type|Average Bounty for high-priority asset|Average Bounty for lower-priority asset|\n|-------------------|-----------------|-----------------|\n| Remote Code Execution (RCE) | $15,000 | $5,000 |\n| SQL Injection | $10,000 | $3,000 |\n| Significant Authentication Bypass | $5,000 | $1,500 |\n| Server Side Request Forgery (SSRF) | $3,500 | $1,000 |\n| Local file Inclusion | $2,500 | $750 |\n| Stored Cross Site Scripting | $3,500 | $500 |\n| Reflected/Other Cross Site Scripting | $2,500 | $500 |\n| Sensitive Data Exposure| $1,500 | $500 |\n| Authorization Flaw | $1,500 | $500 |\n| Cross-Site Request Forgery (CSRF) | $1,500| $500 |\n| Open Redirect on Sensitive Parameter | $1,500 | $500 |\n| Improper Direct Object Reference (IDOR) | $1,500 | $300 |\n| Open Redirect | $500 | $150 |\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data. 
Assets listed as \"low-priority\" in the program scope will generally receive a significantly lower bounty compared to the values on the table above.\n\n# Other Information\n* [Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n* [Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-10-21T19:25:31.402Z"},{"id":3678503,"new_policy":"\n-------------------------\n-------------------------\n\n-------------------------\n-------------------------\nWelcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or access other user’s data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. 
Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](https://hackerone.com/googleplay).\n\n# Table of Contents\n* Program Scope\n    * Highest Impact Scope\n    * Lower Impact Scope\n* Special Testing Requirements\n    * Luckey Testing Requirements\n    * HotelTonight Testing Requirements\n    * Urbandoor Testing Requirements\n* Program Rules\n* Out of Scope Vulnerabilities (no reward)\n    * Applicable to HotelTonight\n    * Applicable to Luckey Homes\n* Eligibility\n* Rewards\n* Other Information\n\n# Program Scope\n## Highest Impact Scope\n* `*.airbnb.com`\n* All localized airbnb sites (e.g., `es.airbnb.com`, `it.airbnb.com`)\n* [Airbnb iOS app](https://apps.apple.com/us/app/airbnb/id401626263)\n* [Airbnb Android app](https://play.google.com/store/apps/details?id=com.airbnb.android)\n\n## Lower Impact Scope\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. 
The bounties given for reports on these properties will therefore be significantly lower.\n\n* `*.atairbnb.com`\n* `*.withairbnb.com`\n* `*.airbnbcitizen.com`\n* `*.airbnb.org`\n* `*.byairbnb.com`\n* `*.muscache.com`\n* `*.airbnb-aws.com`\n* `*.luxuryretreats.com`\n* `*.airbnbopen.com`\n* `demo.urbandoor.com`\n* `provider.demo.urbandoor.com`\n* `admin.demo.urbandoor.com`\n* `luckey.in`\n* `luckey.fr`\n* `luckey.es`\n* `luckey.ca`\n* `luckey.app`\n* `luckey.com`\n* `luckey.partners`\n* `hoteltonight-test.com`\n* `api.hoteltonight-test.com`\n* `places.hoteltonight-test.com`\n\n# Special Testing Instructions\n\n## Luckey Testing Requirements\nHackerOne testers can only browse the public login pages. We do not provide or approve Luckey Homes test accounts.\n\nIf you create a lead (contact form, signup, or the “estimate income” modal, i.e. a POST to /new_lead), please pass an additional parameter `source` with the value `luckey_test`. The lead is submitted at the end of the lead creation form on luckey.*.\n* If you post directly to the API endpoints, add `source=luckey_test` to your POST payload.\n* Or browse to https://luckey.fr/?utm_source=luckey_test, which automatically adds `source=luckey_test` to your POST payloads.\n* If you skip this testing requirement, you will be in violation of our program rules and not eligible for a bounty reward.\n\nThe above steps do not result in a test account. They simply allow you to test some functionality without causing disruption to our internal business support team.\n\n## HotelTonight Testing Requirements\nResearchers can create customer accounts and book hotel rooms (test bookings) using a fake credit card on our staging environment, which does not send any email notifications (activation or confirmation) to customers. 
\n\nHotel Tonight Mobile Web App\n* Accessible from https://www.hoteltonight-test.com (if using a desktop browser, note that you will need to use a mobile user-agent or Chrome developer tools to view the mobile site)\n\nHotel Tonight Mobile APIs\nThe mobile APIs that power our mobile apps are located at:\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\nHotel Tonight Cities and Inventory\nOn our staging environment, search for the following cities to find hotels:\n* San Francisco\n* Las Vegas\n* New York City\n\nHotel Tonight Access\nYou can create customer accounts using your own email addresses (no activation emails will be sent), and use the following test credit card to book a hotel room: 4111111111111111 (Visa) with any expiration date in the future. Additional test payment methods are available at https://developers.braintreepayments.com/reference/general/testing/ruby#credit-card-numbers (use only American Express, Discover, JCB, Mastercard, or Visa). Test bookings are not real bookings. We also suppress all emails for test bookings, so no email receipt will be sent to whatever email address is entered.\n\nHotel Tonight Credentials\nResearchers will need to self-provision customer accounts by signing up with their email on our mobile web app. You will not get any activation email from our staging environment.\n\n## Urbandoor Testing Requirements\nDo NOT create requests or bookings at www.urbandoor.com or any other Urbandoor environment. We no longer approve or provide test accounts, requests or bookings in any Urbandoor environment. You may browse our demo environments for vulnerabilities, but we no longer have a test account creation workflow.\n\n# Program Rules\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through Hackerone. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n* No testing on real user data permitted for any Urbandoor, Hotel Tonight, or Gaest assets. \n\n# Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario, exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles that do not provide any extra information.\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses where the redacted content is replaced by the string `(Hidden by Airbnb)` (other content redaction vulnerabilities are in scope)\n* Techniques allowing you to view user profile photos (these are considered public)\n* Broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n## Applicable to HotelTonight\n* `hoteltonight.com`\n* `hoteltonight.build`\n* Our partners site (`partners.hoteltonight.com`)\n* iOS mobile app\n* Single Sign On 
(Google or Facebook). This doesn’t work reliably on our staging environment\n* Do not send questions/requests to their customer support team for help with your testing. This is considered an interruption to the business. \n\n## Applicable to Luckey Homes\n* Do not send questions/requests to their customer support team. This is considered an interruption to the business. You must also follow Airbnb's General Program Rules (listed above).\n\n# Eligibility\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n# Rewards\nOur maximum bounty is $15,000 USD. \nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. 
The following table outlines the average rewards for specific classes of vulnerabilities:\n\n|Vulnerability Type|Average Bounty for high-priority asset|Average Bounty for lower-priority asset|\n|-------------------|-----------------|-----------------|\n| Remote Code Execution (RCE) | $15,000 | $5,000 |\n| SQL Injection | $10,000 | $3,000 |\n| Significant Authentication Bypass | $5,000 | $1,500 |\n| Server Side Request Forgery (SSRF) | $3,500 | $1,000 |\n| Local file Inclusion | $2,500 | $750 |\n| Stored Cross Site Scripting | $3,500 | $500 |\n| Reflected/Other Cross Site Scripting | $2,500 | $500 |\n| Sensitive Data Exposure| $1,500 | $500 |\n| Authorization Flaw | $1,500 | $500 |\n| Cross-Site Request Forgery (CSRF) | $1,500| $500 |\n| Open Redirect on Sensitive Parameter | $1,500 | $500 |\n| Improper Direct Object Reference (IDOR) | $1,500 | $300 |\n| Open Redirect | $500 | $150 |\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data. 
Assets listed as \"low-priority\" in the program scope will generally receive a significantly lower bounty compared to the values on the table above.\n\n# Other Information\n* [Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n* [Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-10-12T20:39:08.706Z"},{"id":3669541,"new_policy":"\n-------------------------\n-------------------------\n\n-------------------------\n-------------------------\nWelcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or access other user’s data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. 
Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](https://hackerone.com/googleplay).\n\n# Table of Contents\n* Program Scope\n    * Highest Impact Scope\n    * Lower Impact Scope\n* Special Testing Requirements\n    * Luckey Testing Requirements\n    * HotelTonight Testing Requirements\n    * Urbandoor Testing Requirements\n* Program Rules\n* Out of Scope Vulnerabilities (no reward)\n    * Applicable to HotelTonight\n    * Applicable to Luckey Homes\n* Eligibility\n* Rewards\n* Other Information\n\n# Program Scope\n## Highest Impact Scope\n* `*.airbnb.com`\n* All localized airbnb sites (e.g., `es.airbnb.com`, `it.airbnb.com`)\n* [Airbnb iOS app](https://apps.apple.com/us/app/airbnb/id401626263)\n* [Airbnb Android app](https://play.google.com/store/apps/details?id=com.airbnb.android)\n\n## Lower Impact Scope\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. 
The bounties given for reports on these properties will therefore be significantly lower.\n\n* `*.atairbnb.com`\n* `*.withairbnb.com`\n* `*.airbnbcitizen.com`\n* `*.airbnb.org`\n* `*.byairbnb.com`\n* `*.muscache.com`\n* `*.airbnb-aws.com`\n* `*.luxuryretreats.com`\n* `*.airbnbopen.com`\n* `demo.urbandoor.com`\n* `provider.demo.urbandoor.com`\n* `admin.demo.urbandoor.com`\n* `luckey.in`\n* `luckey.fr`\n* `luckey.es`\n* `luckey.ca`\n* `luckey.app`\n* `luckey.com`\n* `luckey.partners`\n* `hoteltonight-test.com`\n* `api.hoteltonight-test.com`\n* `places.hoteltonight-test.com`\n\n# Special Testing Instructions\n\n## Luckey Testing Requirements\nHackerOne testers can only browse the public login pages. We do not provide or approve Luckey Homes test accounts.\n\nIf you create a lead (contact form, signup, or the “estimate income” modal, i.e. a POST to /new_lead), please pass an additional parameter `source` with the value `luckey_test`. The lead is submitted at the end of the lead creation form on luckey.*.\n* If you post directly to the API endpoints, add `source=luckey_test` to your POST payload.\n* Or browse to https://luckey.fr/?utm_source=luckey_test, which automatically adds `source=luckey_test` to your POST payloads.\n* If you skip this testing requirement, you will be in violation of our program rules and not eligible for a bounty reward.\n\nThe above steps do not result in a test account. They simply allow you to test some functionality without causing disruption to our internal business support team.\n\n## HotelTonight Testing Requirements\nResearchers can create customer accounts and book hotel rooms (test bookings) using a fake credit card on our staging environment, which does not send any email notifications (activation or confirmation) to customers. 
\n\nHotel Tonight Mobile Web App\n* Accessible from https://www.hoteltonight-test.com (if using a desktop browser, note that you will need to use a mobile user-agent or Chrome developer tools to view the mobile site)\n\nHotel Tonight Mobile APIs\nThe mobile APIs that power our mobile apps are located at:\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\nHotel Tonight Cities and Inventory\nOn our staging environment, search for the following cities to find hotels:\n* San Francisco\n* Las Vegas\n* New York City\n\nHotel Tonight Access\nYou can create customer accounts using your own email addresses (no activation emails will be sent), and use the following test credit card to book a hotel room: 4111111111111111 (Visa) with any expiration date in the future. Additional test payment methods are available at https://developers.braintreepayments.com/reference/general/testing/ruby#credit-card-numbers (use only American Express, Discover, JCB, Mastercard, or Visa). Test bookings are not real bookings. We also suppress all emails for test bookings, so no email receipt will be sent to whatever email address is entered.\n\nHotel Tonight Credentials\nResearchers will need to self-provision customer accounts by signing up with their email on our mobile web app. You will not get any activation email from our staging environment.\n\n## Urbandoor Testing Requirements\nDo NOT create requests or bookings at www.urbandoor.com or any other Urbandoor environment. We no longer approve or provide test accounts, requests or bookings in any Urbandoor environment. You may browse our demo environments for vulnerabilities, but we no longer have a test account creation workflow.\n\n# Program Rules\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through Hackerone. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n* No testing on real user data permitted for any Urbandoor, Hotel Tonight, or Gaest assets. \n\n# Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario, exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses where the redacted content is replaced by the string `(Hidden by Airbnb)` (other content redaction vulnerabilities are in scope)\n* Techniques allowing you to view user profile photos (these are considered public)\n* Broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n## Applicable to HotelTonight\n* `hoteltonight.com`\n* `hoteltonight.build`\n* Our partners site (`partners.hoteltonight.com`)\n* iOS mobile app\n* Single Sign On (Google or Facebook). 
This doesn’t work reliably on our staging environment\n* Do not send questions/requests to their customer support team for help with your testing. This is considered an interruption to the business. \n\n## Applicable to Luckey Homes\n* Do not send questions/requests to their customer support team. This is considered an interruption to the business. You must also follow Airbnb's General Program Rules (listed above).\n\n# Eligibility\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n# Rewards\nOur maximum bounty is $15,000 USD. \nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. 
The following table outlines the average rewards for specific classes of vulnerabilities:\n\n|Vulnerability Type|Average Bounty for high-priority asset|Average Bounty for lower-priority asset|\n|-------------------|-----------------|-----------------|\n| Remote Code Execution (RCE) | $15,000 | $5,000 |\n| SQL Injection | $10,000 | $3,000 |\n| Significant Authentication Bypass | $5,000 | $1,500 |\n| Server Side Request Forgery (SSRF) | $3,500 | $1,000 |\n| Local file Inclusion | $2,500 | $750 |\n| Stored Cross Site Scripting | $3,500 | $500 |\n| Reflected/Other Cross Site Scripting | $2,500 | $500 |\n| Sensitive Data Exposure| $1,500 | $500 |\n| Authorization Flaw | $1,500 | $500 |\n| Cross-Site Request Forgery (CSRF) | $1,500| $500 |\n| Open Redirect on Sensitive Parameter | $1,500 | $500 |\n| Improper Direct Object Reference (IDOR) | $1,500 | $300 |\n| Open Redirect | $500 | $150 |\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data. 
Assets listed as \"low-priority\" in the program scope will generally receive a significantly lower bounty compared to the values on the table above.\n\n# Other Information\n* [Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n* [Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-04-12T23:06:10.546Z"},{"id":3667797,"new_policy":"#Airbnb promotion\n\nAs part of this promotion, we will be offering:\n- ==**75% bonus bounty** in addition to the standard payouts for valid **high and critical** findings==\n-  ==**50% bonus bounty** in addition to the standard payouts for valid **medium severity** findings==\n\nPromotion timeframe:\n- Promotion start date: March 8th, 2022\n- Promotion end date: April 12th, 2022\n\n-------------------------\n-------------------------\n\n-------------------------\n-------------------------\nWelcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. 
Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or access other user’s data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](https://hackerone.com/googleplay).\n\n# Table of Contents\n* Program Scope\n    * Highest Impact Scope\n    * Lower Impact Scope\n* Special Testing Requirements\n    * Luckey Testing Requirements\n    * HotelTonight Testing Requirements\n    * Urbandoor Testing Requirements\n* Program Rules\n* Out of Scope Vulnerabilities (no reward)\n    * Applicable to HotelTonight\n    * Applicable to Luckey Homes\n* Eligibility\n* Rewards\n* Other Information\n\n# Program Scope\n## Highest Impact Scope\n* `*.airbnb.com`\n* All localized airbnb sites (e.g., `es.airbnb.com`, `it.airbnb.com`)\n* [Airbnb iOS app](https://apps.apple.com/us/app/airbnb/id401626263)\n* [Airbnb Android app](https://play.google.com/store/apps/details?id=com.airbnb.android)\n\n## Lower Impact Scope\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. 
The bounties given for reports on these properties will therefore be significantly lower.\n\n* `*.atairbnb.com`\n* `*.withairbnb.com`\n* `*.airbnbcitizen.com`\n* `*.airbnb.org`\n* `*.byairbnb.com`\n* `*.muscache.com`\n* `*.airbnb-aws.com`\n* `*.luxuryretreats.com`\n* `*.airbnbopen.com`\n* `demo.urbandoor.com`\n* `provider.demo.urbandoor.com`\n* `admin.demo.urbandoor.com`\n* `luckey.in`\n* `luckey.fr`\n* `luckey.es`\n* `luckey.ca`\n* `luckey.app`\n* `luckey.com`\n* `luckey.partners`\n* `hoteltonight-test.com`\n* `api.hoteltonight-test.com`\n* `places.hoteltonight-test.com`\n\n# Special Testing Instructions\n\n## Luckey Testing Requirements\nHackerone testers can only browse the public login pages. We do not provide or approve Luckey Homes test accounts.\n\nIf you create a lead (contact form, signup, or the “estimate income” modal, i.e. a POST to /new_lead), please pass an additional parameter `source` with the value `luckey_test`. This is executed at the end of the lead creation form on luckey.*.\n* If you post directly on the API endpoints, then add `source=luckey_test` in your POST payload\n* Or browse to https://luckey.fr/?utm_source=luckey_test to automatically add `source=luckey_test` to your POST payloads. \n* If you skip this Testing Requirement, then you will be in violation of our program rules and not eligible for a bounty reward.\n\nThe above steps do not result in a test account. They simply allow you to test some functionality without causing disruption to our internal business support team.\n\n## HotelTonight Testing Requirements\nResearchers can create customer accounts and book hotel rooms (test bookings) using a fake credit card on our staging environment, which doesn’t send out any email notifications (activation or confirmation) to customers. 
\n\nHotel Tonight Mobile Web App\n* Accessible from https://www.hoteltonight-test.com (if using a desktop browser, note that you will need to use a mobile user-agent or Chrome developer tools to view the mobile site)\n\nHotel Tonight Mobile APIs\nMobile APIs that power our mobile apps are located at:\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\nHotel Tonight Cities and Inventory\nOn our staging environment, you should search for the following cities to look for hotels:\n* San Francisco\n* Las Vegas\n* New York City\n\nHotel Tonight Access\nYou can create customer accounts using your own email addresses (no activation emails will be sent), and use the following credit card for test-booking a hotel room: 4111111111111111 (Visa) with any expiration date in the future. Additional test payment methods are available at https://developers.braintreepayments.com/reference/general/testing/ruby#credit-card-numbers (use only American Express, Discover, JCB, Mastercard, or Visa). No test booking is a real booking. We also suppress all emails for test bookings, so no email receipts will be sent to whatever email address is entered.\n\nHotel Tonight Credentials\nResearchers will need to self-provision the customer accounts by signing up using their email on our mobile web app. You will not get any activation email from our staging environment.\n\n## Urbandoor Testing Requirements\nDo NOT create requests and bookings at www.urbandoor.com or other urbandoor environments. We no longer approve or provide test accounts, requests or bookings in any urbandoor environment. You may browse our demo environments for vulnerabilities, but we no longer have a test account creation workflow. \n\n# Program Rules\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through Hackerone. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n* No testing on real user data permitted for any Urbandoor, Hotel Tonight, or Gaest assets. \n\n# Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario, exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses where the redacted content is replaced by the string `(Hidden by Airbnb)` (other content redaction vulnerabilities are in scope)\n* Techniques allowing you to view user profile photos (these are considered public)\n* Broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n## Applicable to HotelTonight\n* `hoteltonight.com`\n* `hoteltonight.build`\n* Our partners site (`partners.hoteltonight.com`)\n* iOS mobile app\n* Single Sign On (Google or Facebook). 
This doesn’t work reliably on our staging environment\n* Do not send questions/requests to their customer support team for help with your testing. This is considered an interruption to the business. \n\n## Applicable to Luckey Homes\n* Do not send questions/requests to their customer support team. This is considered an interruption to the business. You must also follow Airbnb's General Program Rules (listed above).\n\n# Eligibility\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n# Rewards\nOur maximum bounty is $15,000 USD. \nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. 
The following table outlines the average rewards for specific classes of vulnerabilities:\n\n|Vulnerability Type|Average Bounty for high-priority asset|Average Bounty for lower-priority asset|\n|-------------------|-----------------|-----------------|\n| Remote Code Execution (RCE) | $15,000 | $5,000 |\n| SQL Injection | $10,000 | $3,000 |\n| Significant Authentication Bypass | $5,000 | $1,500 |\n| Server Side Request Forgery (SSRF) | $3,500 | $1,000 |\n| Local file Inclusion | $2,500 | $750 |\n| Stored Cross Site Scripting | $3,500 | $500 |\n| Reflected/Other Cross Site Scripting | $2,500 | $500 |\n| Sensitive Data Exposure| $1,500 | $500 |\n| Authorization Flaw | $1,500 | $500 |\n| Cross-Site Request Forgery (CSRF) | $1,500| $500 |\n| Open Redirect on Sensitive Parameter | $1,500 | $500 |\n| Improper Direct Object Reference (IDOR) | $1,500 | $300 |\n| Open Redirect | $500 | $150 |\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data. 
Assets listed as \"low-priority\" in the program scope will generally receive a significantly lower bounty compared to the values on the table above.\n\n# Other Information\n* [Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n* [Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-03-09T03:08:21.145Z"},{"id":3667540,"new_policy":"\n\n-------------------------\n-------------------------\n\n-------------------------\n-------------------------\nWelcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or access other user’s data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. 
Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](https://hackerone.com/googleplay).\n\n# Table of Contents\n* Program Scope\n    * Highest Impact Scope\n    * Lower Impact Scope\n* Special Testing Requirements\n    * Luckey Testing Requirements\n    * HotelTonight Testing Requirements\n    * Urbandoor Testing Requirements\n* Program Rules\n* Out of Scope Vulnerabilities (no reward)\n    * Applicable to HotelTonight\n    * Applicable to Luckey Homes\n* Eligibility\n* Rewards\n* Other Information\n\n# Program Scope\n## Highest Impact Scope\n* `*.airbnb.com`\n* All localized airbnb sites (e.g., `es.airbnb.com`, `it.airbnb.com`)\n* [Airbnb iOS app](https://apps.apple.com/us/app/airbnb/id401626263)\n* [Airbnb Android app](https://play.google.com/store/apps/details?id=com.airbnb.android)\n\n## Lower Impact Scope\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. 
The bounties given for reports on these properties will therefore be significantly lower.\n\n* `*.atairbnb.com`\n* `*.withairbnb.com`\n* `*.airbnbcitizen.com`\n* `*.airbnb.org`\n* `*.byairbnb.com`\n* `*.muscache.com`\n* `*.airbnb-aws.com`\n* `*.luxuryretreats.com`\n* `*.airbnbopen.com`\n* `demo.urbandoor.com`\n* `provider.demo.urbandoor.com`\n* `admin.demo.urbandoor.com`\n* `luckey.in`\n* `luckey.fr`\n* `luckey.es`\n* `luckey.ca`\n* `luckey.app`\n* `luckey.com`\n* `luckey.partners`\n* `hoteltonight-test.com`\n* `api.hoteltonight-test.com`\n* `places.hoteltonight-test.com`\n\n# Special Testing Instructions\n\n## Luckey Testing Requirements\nHackerone testers can only browse the public login pages. We do not provide or approve Luckey Homes test accounts.\n\nIf you create a lead (contact form, signup, or the “estimate income” modal, i.e. a POST to /new_lead), please pass an additional parameter `source` with the value `luckey_test`. This is executed at the end of the lead creation form on luckey.*.\n* If you post directly on the API endpoints, then add `source=luckey_test` in your POST payload\n* Or browse to https://luckey.fr/?utm_source=luckey_test to automatically add `source=luckey_test` to your POST payloads. \n* If you skip this Testing Requirement, then you will be in violation of our program rules and not eligible for a bounty reward.\n\nThe above steps do not result in a test account. They simply allow you to test some functionality without causing disruption to our internal business support team.\n\n## HotelTonight Testing Requirements\nResearchers can create customer accounts and book hotel rooms (test bookings) using a fake credit card on our staging environment, which doesn’t send out any email notifications (activation or confirmation) to customers. 
\n\nHotel Tonight Mobile Web App\n* Accessible from https://www.hoteltonight-test.com (if using a desktop browser, note that you will need to use a mobile user-agent or Chrome developer tools to view the mobile site)\n\nHotel Tonight Mobile APIs\nMobile APIs that power our mobile apps are located at:\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\nHotel Tonight Cities and Inventory\nOn our staging environment, you should search for the following cities to look for hotels:\n* San Francisco\n* Las Vegas\n* New York City\n\nHotel Tonight Access\nYou can create customer accounts using your own email addresses (no activation emails will be sent), and use the following credit card for test-booking a hotel room: 4111111111111111 (Visa) with any expiration date in the future. Additional test payment methods are available at https://developers.braintreepayments.com/reference/general/testing/ruby#credit-card-numbers (use only American Express, Discover, JCB, Mastercard, or Visa). No test booking is a real booking. We also suppress all emails for test bookings, so no email receipts will be sent to whatever email address is entered.\n\nHotel Tonight Credentials\nResearchers will need to self-provision the customer accounts by signing up using their email on our mobile web app. You will not get any activation email from our staging environment.\n\n## Urbandoor Testing Requirements\nDo NOT create requests and bookings at www.urbandoor.com or other urbandoor environments. We no longer approve or provide test accounts, requests or bookings in any urbandoor environment. You may browse our demo environments for vulnerabilities, but we no longer have a test account creation workflow. \n\n# Program Rules\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through Hackerone. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n* No testing on real user data permitted for any Urbandoor, Hotel Tonight, or Gaest assets. \n\n# Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario, exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses where the redacted content is replaced by the string `(Hidden by Airbnb)` (other content redaction vulnerabilities are in scope)\n* Techniques allowing you to view user profile photos (these are considered public)\n* Broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n## Applicable to HotelTonight\n* `hoteltonight.com`\n* `hoteltonight.build`\n* Our partners site (`partners.hoteltonight.com`)\n* iOS mobile app\n* Single Sign On (Google or Facebook). 
This doesn’t work reliably on our staging environment\n* Do not send questions/requests to their customer support team for help with your testing. This is considered an interruption to the business. \n\n## Applicable to Luckey Homes\n* Do not send questions/requests to their customer support team. This is considered an interruption to the business. You must also follow Airbnb's General Program Rules (listed above).\n\n# Eligibility\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n# Rewards\nOur maximum bounty is $15,000 USD. \nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. 
The following table outlines the average rewards for specific classes of vulnerabilities:\n\n|Vulnerability Type|Average Bounty for high-priority asset|Average Bounty for lower-priority asset|\n|-------------------|-----------------|-----------------|\n| Remote Code Execution (RCE) | $15,000 | $5,000 |\n| SQL Injection | $10,000 | $3,000 |\n| Significant Authentication Bypass | $5,000 | $1,500 |\n| Server Side Request Forgery (SSRF) | $3,500 | $1,000 |\n| Local file Inclusion | $2,500 | $750 |\n| Stored Cross Site Scripting | $3,500 | $500 |\n| Reflected/Other Cross Site Scripting | $2,500 | $500 |\n| Sensitive Data Exposure| $1,500 | $500 |\n| Authorization Flaw | $1,500 | $500 |\n| Cross-Site Request Forgery (CSRF) | $1,500| $500 |\n| Open Redirect on Sensitive Parameter | $1,500 | $500 |\n| Improper Direct Object Reference (IDOR) | $1,500 | $300 |\n| Open Redirect | $500 | $150 |\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data. 
Assets listed as \"low-priority\" in the program scope will generally receive a significantly lower bounty compared to the values on the table above.\n\n# Other Information\n* [Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n* [Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-03-02T21:56:54.040Z"},{"id":3666397,"new_policy":"==**Log4Shell Promotion**==\n\nAs part of this promotion, we will be offering a **50% bonus bounty in addition to the standard payouts for a valid Log4j RCE**\n- Promotion Start Date: December 16th, 2021\n- Promotion End Date: March 2nd, 2022\n\nHappy hacking! Airbnb Security team\n\n-------------------------\n-------------------------\n\n-------------------------\n-------------------------\nWelcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. 
Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or access other user’s data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](https://hackerone.com/googleplay).\n\n# Table of Contents\n* Program Scope\n    * Highest Impact Scope\n    * Lower Impact Scope\n* Special Testing Requirements\n    * Luckey Testing Requirements\n    * HotelTonight Testing Requirements\n    * Urbandoor Testing Requirements\n* Program Rules\n* Out of Scope Vulnerabilities (no reward)\n    * Applicable to HotelTonight\n    * Applicable to Luckey Homes\n* Eligibility\n* Rewards\n* Other Information\n\n# Program Scope\n## Highest Impact Scope\n* `*.airbnb.com`\n* All localized airbnb sites (e.g., `es.airbnb.com`, `it.airbnb.com`)\n* [Airbnb iOS app](https://apps.apple.com/us/app/airbnb/id401626263)\n* [Airbnb Android app](https://play.google.com/store/apps/details?id=com.airbnb.android)\n\n## Lower Impact Scope\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. 
The bounties given for reports on these properties will therefore be significantly lower.\n\n* `*.atairbnb.com`\n* `*.withairbnb.com`\n* `*.airbnbcitizen.com`\n* `*.airbnb.org`\n* `*.byairbnb.com`\n* `*.muscache.com`\n* `*.airbnb-aws.com`\n* `*.luxuryretreats.com`\n* `*.airbnbopen.com`\n* `demo.urbandoor.com`\n* `provider.demo.urbandoor.com`\n* `admin.demo.urbandoor.com`\n* `luckey.in`\n* `luckey.fr`\n* `luckey.es`\n* `luckey.ca`\n* `luckey.app`\n* `luckey.com`\n* `luckey.partners`\n* `hoteltonight-test.com`\n* `api.hoteltonight-test.com`\n* `places.hoteltonight-test.com`\n\n# Special Testing Instructions\n\n## Luckey Testing Requirements\nHackerone testers can only browse the public login pages. We do not provide or approve Luckey Homes test accounts.\n\nIf you create a lead (contact form, signup, or the “estimate income” modal, i.e. a POST to /new_lead), please pass an additional parameter `source` with the value `luckey_test`. This is executed at the end of the lead creation form on luckey.*.\n* If you post directly on the API endpoints, then add `source=luckey_test` in your POST payload\n* Or browse to https://luckey.fr/?utm_source=luckey_test to automatically add `source=luckey_test` to your POST payloads. \n* If you skip this Testing Requirement, then you will be in violation of our program rules and not eligible for a bounty reward.\n\nThe above steps do not result in a test account. They simply allow you to test some functionality without causing disruption to our internal business support team.\n\n## HotelTonight Testing Requirements\nResearchers can create customer accounts and book hotel rooms (test bookings) using a fake credit card on our staging environment, which doesn’t send out any email notifications (activation or confirmation) to customers. 
\n\nHotel Tonight Mobile Web App\n* Accessible from https://www.hoteltonight-test.com (if using a desktop browser, note that you will need to use a mobile user-agent or Chrome developer tools to view the mobile site)\n\nHotel Tonight Mobile APIs\nMobile APIs that power our mobile apps are located at:\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\nHotel Tonight Cities and Inventory\nOn our staging environment, you should search for the following cities to look for hotels:\n* San Francisco\n* Las Vegas\n* New York City\n\nHotel Tonight Access\nYou can create customer accounts using your own email addresses (no activation emails will be sent), and use the following credit card for test-booking a hotel room: 4111111111111111 (Visa) with any expiration date in the future. Additional test payment methods are available at https://developers.braintreepayments.com/reference/general/testing/ruby#credit-card-numbers (use only American Express, Discover, JCB, Mastercard, or Visa). No test booking is a real booking. We also suppress all emails for test bookings, so no email receipts will be sent to whatever email address is entered.\n\nHotel Tonight Credentials\nResearchers will need to self-provision the customer accounts by signing up using their email on our mobile web app. You will not get any activation email from our staging environment.\n\n## Urbandoor Testing Requirements\nDo NOT create requests and bookings at www.urbandoor.com or other urbandoor environments. We no longer approve or provide test accounts, requests or bookings in any urbandoor environment. You may browse our demo environments for vulnerabilities, but we no longer have a test account creation workflow. \n\n# Program Rules\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through Hackerone. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n* No testing on real user data permitted for any Urbandoor, Hotel Tonight, or Gaest assets. \n\n# Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario, exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses where the redacted content is replaced by the string `(Hidden by Airbnb)` (other content redaction vulnerabilities are in scope)\n* Techniques allowing you to view user profile photos (these are considered public)\n* Broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n## Applicable to HotelTonight\n* `hoteltonight.com`\n* `hoteltonight.build`\n* Our partners site (`partners.hoteltonight.com`)\n* iOS mobile app\n* Single Sign On (Google or Facebook). 
This doesn’t work reliably on our staging environment\n* Do not send questions/requests to their customer support team for help with your testing. This is considered an interruption to the business. \n\n## Applicable to Luckey Homes\n* Do not send questions/requests to their customer support team. This is considered an interruption to the business. You must also follow Airbnb's General Program Rules (listed above).\n\n# Eligibility\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n# Rewards\nOur maximum bounty is $15,000 USD. \nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. 
The following table outlines the average rewards for specific classes of vulnerabilities:\n\n|Vulnerability Type|Average Bounty for high-priority asset|Average Bounty for lower-priority asset|\n|-------------------|-----------------|-----------------|\n| Remote Code Execution (RCE) | $15,000 | $5,000 |\n| SQL Injection | $10,000 | $3,000 |\n| Significant Authentication Bypass | $5,000 | $1,500 |\n| Server Side Request Forgery (SSRF) | $3,500 | $1,000 |\n| Local file Inclusion | $2,500 | $750 |\n| Stored Cross Site Scripting | $3,500 | $500 |\n| Reflected/Other Cross Site Scripting | $2,500 | $500 |\n| Sensitive Data Exposure| $1,500 | $500 |\n| Authorization Flaw | $1,500 | $500 |\n| Cross-Site Request Forgery (CSRF) | $1,500| $500 |\n| Open Redirect on Sensitive Parameter | $1,500 | $500 |\n| Improper Direct Object Reference (IDOR) | $1,500 | $300 |\n| Open Redirect | $500 | $150 |\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data. 
Assets listed as \"low-priority\" in the program scope will generally receive a significantly lower bounty compared to the values on the table above.\n\n# Other Information\n* [Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n* [Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-02-11T20:46:26.983Z"},{"id":3663119,"new_policy":"==**Log4Shell Promotion**==\n\nAs part of this promotion, we will be offering a *50% bonus\nbounty in addition to the standard payouts for a valid Log4j RCE **\n- Promotion Start Date: December 16th, 2021\n- Promotion End Date: February 16th, 2022\n\nHappy hacking! Airbnb Security team\n\n-------------------------\n-------------------------\n\n-------------------------\n-------------------------\nWelcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. 
Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or access other user’s data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](https://hackerone.com/googleplay).\n\n# Table of Contents\n* Program Scope\n    * Highest Impact Scope\n    * Lower Impact Scope\n* Special Testing Requirements\n    * Luckey Testing Requirements\n    * HotelTonight Testing Requirements\n    * Urbandoor Testing Requirements\n* Program Rules\n* Out of Scope Vulnerabilities (no reward)\n    * Applicable to HotelTonight\n    * Applicable to Luckey Homes\n* Eligibility\n* Rewards\n* Other Information\n\n# Program Scope\n## Highest Impact Scope\n* `*.airbnb.com`\n* All localized airbnb sites (e.g., `es.airbnb.com`, `it.airbnb.com`)\n* [Airbnb iOS app](https://apps.apple.com/us/app/airbnb/id401626263)\n* [Airbnb Android app](https://play.google.com/store/apps/details?id=com.airbnb.android)\n\n## Lower Impact Scope\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. 
The bounties given for reports on these properties will therefore be significantly lower.\n\n* `*.atairbnb.com`\n* `*.withairbnb.com`\n* `*.airbnbcitizen.com`\n* `*.airbnb.org`\n* `*.byairbnb.com`\n* `*.muscache.com`\n* `*.airbnb-aws.com`\n* `*.luxuryretreats.com`\n* `*.airbnbopen.com`\n* `demo.urbandoor.com`\n* `provider.demo.urbandoor.com`\n* `admin.demo.urbandoor.com`\n* `luckey.in`\n* `luckey.fr`\n* `luckey.es`\n* `luckey.ca`\n* `luckey.app`\n* `luckey.com`\n* `luckey.partners`\n* `hoteltonight-test.com`\n* `api.hoteltonight-test.com`\n* `places.hoteltonight-test.com`\n\n# Special Testing Instructions\n\n## Luckey Testing Requirements\nHackerone testers can only browse the public login pages. We do not provide or approve Luckey Homes test accounts.\n\nIf you create a lead (contact form, signup, or the “estimate income” modal, i.e. a POST to /new_lead), please pass an additional parameter `source` with the value `luckey_test`. This is executed at the end of the lead creation form on luckey.*.\n* If you post directly on the API endpoints, then add `source=luckey_test` in your POST payload\n* Or browse to https://luckey.fr/?utm_source=luckey_test to automatically add `source=luckey_test` to your post payloads. \n* If you skip this Testing Requirement, then you will be in violation of our program rules, and not eligible for bounty reward.\n\nThe above steps do not result in a test account. They simply allow you to test some functionality without causing disruption to our internal business support team.\n\n## HotelTonight Testing Requirements\nResearchers can create customer accounts and book hotel rooms (test bookings) using a fake credit card on our staging environment, which doesn’t send out any email notifications (activation or confirmation) to customers. 
\n\nHotel Tonight Mobile Web App\n* Accessible from https://www.hoteltonight-test.com (if using a desktop browser, note that you will need to use a mobile user-agent or Chrome developer tools to view the mobile site)\n\nHotel Tonight Mobile APIs\nMobile APIs that power our mobile apps are located at:\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\nHotel Tonight Cities and Inventory\nOn our staging environment, you should search for the following cities to look for hotels:\n* San Francisco\n* Las Vegas\n* New York City\n\nHotel Tonight Access\nYou can create customer accounts using your email address (no activation emails will be sent), and use the following credit card to make a test booking of a hotel room: 4111111111111111 (Visa) with any expiration date in the future. Additional test payment methods are available at https://developers.braintreepayments.com/reference/general/testing/ruby#credit-card-numbers (use only American Express, Discover, JCB, Mastercard, or Visa). Test bookings are not real bookings. We also suppress all emails for test bookings, so no email receipts will be sent to whatever email address is entered.\n\nHotel Tonight Credentials\nResearchers will need to self-provision the customer accounts by signing up using their email on our mobile web app. You will not get any activation email from our staging environment.\n\n## Urbandoor Testing Requirements\nDo NOT create requests and bookings at www.urbandoor.com or other urbandoor environments. We no longer approve or provide test accounts, requests or bookings in any urbandoor environment. You may browse our demo environments for vulnerabilities, but we no longer have a test account creation workflow. \n\n# Program Rules\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through Hackerone. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n* No testing on real user data permitted for any Urbandoor, Hotel Tonight, or Gaest assets. \n\n# Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario, exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses where the redacted content is replaced by the string `(Hidden by Airbnb)` (other content redaction vulnerabilities are in scope)\n* Techniques allowing you to view user profile photos (these are considered public)\n* Broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n## Applicable to HotelTonight\n* `hoteltonight.com`\n* `hoteltonight.build`\n* Our partners site (`partners.hoteltonight.com`)\n* iOS mobile app\n* Single Sign On (Google or Facebook). 
This doesn’t work reliably on our staging environment\n* Do not send questions/requests to their customer support team for help with your testing. This is considered an interruption to the business. \n\n## Applicable to Luckey Homes\n* Do not send questions/requests to their customer support team. This is considered an interruption to the business. You must also follow Airbnb's General Program Rules (listed above).\n\n# Eligibility\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n# Rewards\nOur maximum bounty is $15,000 USD. \nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. 
The following table outlines the average rewards for specific classes of vulnerabilities:\n\n|Vulnerability Type|Average Bounty for high-priority asset|Average Bounty for lower-priority asset|\n|-------------------|-----------------|-----------------|\n| Remote Code Execution (RCE) | $15,000 | $5,000 |\n| SQL Injection | $10,000 | $3,000 |\n| Significant Authentication Bypass | $5,000 | $1,500 |\n| Server Side Request Forgery (SSRF) | $3,500 | $1,000 |\n| Local file Inclusion | $2,500 | $750 |\n| Stored Cross Site Scripting | $3,500 | $500 |\n| Reflected/Other Cross Site Scripting | $2,500 | $500 |\n| Sensitive Data Exposure| $1,500 | $500 |\n| Authorization Flaw | $1,500 | $500 |\n| Cross-Site Request Forgery (CSRF) | $1,500| $500 |\n| Open Redirect on Sensitive Parameter | $1,500 | $500 |\n| Improper Direct Object Reference (IDOR) | $1,500 | $300 |\n| Open Redirect | $500 | $150 |\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data. 
Assets listed as \"low-priority\" in the program scope will generally receive a significantly lower bounty compared to the values on the table above.\n\n# Other Information\n* [Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n* [Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-12-17T01:28:18.956Z"},{"id":3663118,"new_policy":"==Log4Shell Promotion==\n\nAs part of this promotion, we will be offering a **50% bonus\nbounty in addition to the standard payouts for a valid Log4j RCE **\n- Promotion Start Date: December 16th, 2021\n- Promotion End Date: February 16th, 2022\n\nHappy hacking! Airbnb Security team\n\n-------------------------\n-------------------------\n\n-------------------------\n-------------------------\nWelcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. 
Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or access other user’s data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](https://hackerone.com/googleplay).\n\n# Table of Contents\n* Program Scope\n    * Highest Impact Scope\n    * Lower Impact Scope\n* Special Testing Requirements\n    * Luckey Testing Requirements\n    * HotelTonight Testing Requirements\n    * Urbandoor Testing Requirements\n* Program Rules\n* Out of Scope Vulnerabilities (no reward)\n    * Applicable to HotelTonight\n    * Applicable to Luckey Homes\n* Eligibility\n* Rewards\n* Other Information\n\n# Program Scope\n## Highest Impact Scope\n* `*.airbnb.com`\n* All localized airbnb sites (e.g., `es.airbnb.com`, `it.airbnb.com`)\n* [Airbnb iOS app](https://apps.apple.com/us/app/airbnb/id401626263)\n* [Airbnb Android app](https://play.google.com/store/apps/details?id=com.airbnb.android)\n\n## Lower Impact Scope\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. 
The bounties given for reports on these properties will therefore be significantly lower.\n\n* `*.atairbnb.com`\n* `*.withairbnb.com`\n* `*.airbnbcitizen.com`\n* `*.airbnb.org`\n* `*.byairbnb.com`\n* `*.muscache.com`\n* `*.airbnb-aws.com`\n* `*.luxuryretreats.com`\n* `*.airbnbopen.com`\n* `demo.urbandoor.com`\n* `provider.demo.urbandoor.com`\n* `admin.demo.urbandoor.com`\n* `luckey.in`\n* `luckey.fr`\n* `luckey.es`\n* `luckey.ca`\n* `luckey.app`\n* `luckey.com`\n* `luckey.partners`\n* `hoteltonight-test.com`\n* `api.hoteltonight-test.com`\n* `places.hoteltonight-test.com`\n\n# Special Testing Instructions\n\n## Luckey Testing Requirements\nHackerone testers can only browse the public login pages. We do not provide or approve Luckey Homes test accounts.\n\nIf you create a lead (contact form, signup, or the “estimate income” modal, i.e. a POST to /new_lead), please pass an additional parameter `source` with the value `luckey_test`. This is executed at the end of the lead creation form on luckey.*.\n* If you post directly on the API endpoints, then add `source=luckey_test` in your POST payload\n* Or browse to https://luckey.fr/?utm_source=luckey_test to automatically add `source=luckey_test` to your post payloads. \n* If you skip this Testing Requirement, then you will be in violation of our program rules, and not eligible for bounty reward.\n\nThe above steps do not result in a test account. They simply allow you to test some functionality without causing disruption to our internal business support team.\n\n## HotelTonight Testing Requirements\nResearchers can create customer accounts and book hotel rooms (test bookings) using a fake credit card on our staging environment, which doesn’t send out any email notifications (activation or confirmation) to customers. 
\n\nHotel Tonight Mobile Web App\n* Accessible from https://www.hoteltonight-test.com (if using a desktop browser, note that you will need to use a mobile user-agent or Chrome developer tools to view the mobile site)\n\nHotel Tonight Mobile APIs\nMobile APIs that power our mobile apps are located at:\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\nHotel Tonight Cities and Inventory\nOn our staging environment, you should search for the following cities to look for hotels:\n* San Francisco\n* Las Vegas\n* New York City\n\nHotel Tonight Access\nYou can create customer accounts using your email address (no activation emails will be sent), and use the following credit card to make a test booking of a hotel room: 4111111111111111 (Visa) with any expiration date in the future. Additional test payment methods are available at https://developers.braintreepayments.com/reference/general/testing/ruby#credit-card-numbers (use only American Express, Discover, JCB, Mastercard, or Visa). Test bookings are not real bookings. We also suppress all emails for test bookings, so no email receipts will be sent to whatever email address is entered.\n\nHotel Tonight Credentials\nResearchers will need to self-provision the customer accounts by signing up using their email on our mobile web app. You will not get any activation email from our staging environment.\n\n## Urbandoor Testing Requirements\nDo NOT create requests and bookings at www.urbandoor.com or other urbandoor environments. We no longer approve or provide test accounts, requests or bookings in any urbandoor environment. You may browse our demo environments for vulnerabilities, but we no longer have a test account creation workflow. \n\n# Program Rules\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through Hackerone. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n* No testing on real user data permitted for any Urbandoor, Hotel Tonight, or Gaest assets. \n\n# Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario, exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses where the redacted content is replaced by the string `(Hidden by Airbnb)` (other content redaction vulnerabilities are in scope)\n* Techniques allowing you to view user profile photos (these are considered public)\n* Broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n## Applicable to HotelTonight\n* `hoteltonight.com`\n* `hoteltonight.build`\n* Our partners site (`partners.hoteltonight.com`)\n* iOS mobile app\n* Single Sign On (Google or Facebook). 
This doesn’t work reliably on our staging environment\n* Do not send questions/requests to their customer support team for help with your testing. This is considered an interruption to the business. \n\n## Applicable to Luckey Homes\n* Do not send questions/requests to their customer support team. This is considered an interruption to the business. You must also follow Airbnb's General Program Rules (listed above).\n\n# Eligibility\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n# Rewards\nOur maximum bounty is $15,000 USD. \nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. 
The following table outlines the average rewards for specific classes of vulnerabilities:\n\n|Vulnerability Type|Average Bounty for high-priority asset|Average Bounty for lower-priority asset|\n|-------------------|-----------------|-----------------|\n| Remote Code Execution (RCE) | $15,000 | $5,000 |\n| SQL Injection | $10,000 | $3,000 |\n| Significant Authentication Bypass | $5,000 | $1,500 |\n| Server Side Request Forgery (SSRF) | $3,500 | $1,000 |\n| Local file Inclusion | $2,500 | $750 |\n| Stored Cross Site Scripting | $3,500 | $500 |\n| Reflected/Other Cross Site Scripting | $2,500 | $500 |\n| Sensitive Data Exposure| $1,500 | $500 |\n| Authorization Flaw | $1,500 | $500 |\n| Cross-Site Request Forgery (CSRF) | $1,500| $500 |\n| Open Redirect on Sensitive Parameter | $1,500 | $500 |\n| Improper Direct Object Reference (IDOR) | $1,500 | $300 |\n| Open Redirect | $500 | $150 |\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data. 
Assets listed as \"low-priority\" in the program scope will generally receive a significantly lower bounty compared to the values on the table above.\n\n# Other Information\n* [Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n* [Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-12-17T01:25:59.690Z"},{"id":3663117,"new_policy":"==Log4Shell Promotion==\n\nAs part of this promotion, we will be offering a *50% bonus\nbounty in addition to the standard payouts for a valid Log4j RCE **\n- Promotion Start Date: December 16th, 2021\n- Promotion End Date: February 16th, 2022\n\nHappy hacking! Airbnb Security team\n\n-------------------------\n-------------------------\n\n-------------------------\n-------------------------\nWelcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. 
Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or access other user’s data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](https://hackerone.com/googleplay).\n\n# Table of Contents\n* Program Scope\n    * Highest Impact Scope\n    * Lower Impact Scope\n* Special Testing Requirements\n    * Luckey Testing Requirements\n    * HotelTonight Testing Requirements\n    * Urbandoor Testing Requirements\n* Program Rules\n* Out of Scope Vulnerabilities (no reward)\n    * Applicable to HotelTonight\n    * Applicable to Luckey Homes\n* Eligibility\n* Rewards\n* Other Information\n\n# Program Scope\n## Highest Impact Scope\n* `*.airbnb.com`\n* All localized airbnb sites (e.g., `es.airbnb.com`, `it.airbnb.com`)\n* [Airbnb iOS app](https://apps.apple.com/us/app/airbnb/id401626263)\n* [Airbnb Android app](https://play.google.com/store/apps/details?id=com.airbnb.android)\n\n## Lower Impact Scope\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. 
The bounties given for reports on these properties will therefore be significantly lower.\n\n* `*.atairbnb.com`\n* `*.withairbnb.com`\n* `*.airbnbcitizen.com`\n* `*.airbnb.org`\n* `*.byairbnb.com`\n* `*.muscache.com`\n* `*.airbnb-aws.com`\n* `*.luxuryretreats.com`\n* `*.airbnbopen.com`\n* `demo.urbandoor.com`\n* `provider.demo.urbandoor.com`\n* `admin.demo.urbandoor.com`\n* `luckey.in`\n* `luckey.fr`\n* `luckey.es`\n* `luckey.ca`\n* `luckey.app`\n* `luckey.com`\n* `luckey.partners`\n* `hoteltonight-test.com`\n* `api.hoteltonight-test.com`\n* `places.hoteltonight-test.com`\n\n# Special Testing Instructions\n\n## Luckey Testing Requirements\nHackerone testers can only browse the public login pages. We do not provide or approve Luckey Homes test accounts.\n\nIf you create a lead (contact form, signup, or the “estimate income” modal, i.e. a POST to /new_lead), please pass an additional parameter `source` with the value `luckey_test`. This is executed at the end of the lead creation form on luckey.*.\n* If you post directly on the API endpoints, then add `source=luckey_test` in your POST payload\n* Or browse to https://luckey.fr/?utm_source=luckey_test to automatically add `source=luckey_test` to your post payloads. \n* If you skip this Testing Requirement, then you will be in violation of our program rules, and not eligible for bounty reward.\n\nThe above steps do not result in a test account. They simply allow you to test some functionality without causing disruption to our internal business support team.\n\n## HotelTonight Testing Requirements\nResearchers can create customer accounts and book hotel rooms (test bookings) using a fake credit card on our staging environment, which doesn’t send out any email notifications (activation or confirmation) to customers. 
\n\nHotel Tonight Mobile Web App\n* Accessible from https://www.hoteltonight-test.com (if using a desktop browser, note that you will need to use a mobile user-agent or Chrome developer tools to view the mobile site)\n\nHotel Tonight Mobile APIs\nMobile APIs that power our mobile apps are located at:\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\nHotel Tonight Cities and Inventory\nOn our staging environment, you should search for the following cities to look for hotels:\n* San Francisco\n* Las Vegas\n* New York City\n\nHotel Tonight Access\nYou can create customer accounts using your email address (no activation emails will be sent), and use the following credit card to make a test booking of a hotel room: 4111111111111111 (Visa) with any expiration date in the future. Additional test payment methods are available at https://developers.braintreepayments.com/reference/general/testing/ruby#credit-card-numbers (use only American Express, Discover, JCB, Mastercard, or Visa). Test bookings are not real bookings. We also suppress all emails for test bookings, so no email receipts will be sent to whatever email address is entered.\n\nHotel Tonight Credentials\nResearchers will need to self-provision the customer accounts by signing up using their email on our mobile web app. You will not get any activation email from our staging environment.\n\n## Urbandoor Testing Requirements\nDo NOT create requests and bookings at www.urbandoor.com or other urbandoor environments. We no longer approve or provide test accounts, requests or bookings in any urbandoor environment. You may browse our demo environments for vulnerabilities, but we no longer have a test account creation workflow. \n\n# Program Rules\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through Hackerone. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n* No testing on real user data permitted for any Urbandoor, Hotel Tonight, or Gaest assets. \n\n# Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario, exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses where the redacted content is replaced by the string `(Hidden by Airbnb)` (other content redaction vulnerabilities are in scope)\n* Techniques allowing you to view user profile photos (these are considered public)\n* Broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n## Applicable to HotelTonight\n* `hoteltonight.com`\n* `hoteltonight.build`\n* Our partners site (`partners.hoteltonight.com`)\n* iOS mobile app\n* Single Sign On (Google or Facebook). 
This doesn’t work reliably on our staging environment\n* Do not send questions/requests to their customer support team for help with your testing. This is considered an interruption to the business. \n\n## Applicable to Luckey Homes\n* Do not send questions/requests to their customer support team. This is considered an interruption to the business. You must also follow Airbnb's General Program Rules (listed above).\n\n# Eligibility\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n# Rewards\nOur maximum bounty is $15,000 USD. \nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. 
The following table outlines the average rewards for specific classes of vulnerabilities:\n\n|Vulnerability Type|Average Bounty for high-priority asset|Average Bounty for lower-priority asset|\n|-------------------|-----------------|-----------------|\n| Remote Code Execution (RCE) | $15,000 | $5,000 |\n| SQL Injection | $10,000 | $3,000 |\n| Significant Authentication Bypass | $5,000 | $1,500 |\n| Server Side Request Forgery (SSRF) | $3,500 | $1,000 |\n| Local file Inclusion | $2,500 | $750 |\n| Stored Cross Site Scripting | $3,500 | $500 |\n| Reflected/Other Cross Site Scripting | $2,500 | $500 |\n| Sensitive Data Exposure| $1,500 | $500 |\n| Authorization Flaw | $1,500 | $500 |\n| Cross-Site Request Forgery (CSRF) | $1,500| $500 |\n| Open Redirect on Sensitive Parameter | $1,500 | $500 |\n| Improper Direct Object Reference (IDOR) | $1,500 | $300 |\n| Open Redirect | $500 | $150 |\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data. 
Assets listed as \"low-priority\" in the program scope will generally receive a significantly lower bounty compared to the values on the table above.\n\n# Other Information\n* [Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n* [Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-12-17T01:24:30.643Z"},{"id":3663116,"new_policy":"==Log4j Promotion==\n\nAs part of this promotion, we will be offering a **50% bonus\nbounty in addition to the standard payouts for valid Log4j RCE findings.**\n- Promotion Start Date: December 16th, 2021\n- Promotion End Date: February 16th, 2021\n\nHappy hacking! Airbnb Security team\n\n-------------------------\n-------------------------\n\n-------------------------\n-------------------------\nWelcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. 
Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or access other user’s data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](https://hackerone.com/googleplay).\n\n# Table of Contents\n* Program Scope\n    * Highest Impact Scope\n    * Lower Impact Scope\n* Special Testing Requirements\n    * Luckey Testing Requirements\n    * HotelTonight Testing Requirements\n    * Urbandoor Testing Requirements\n* Program Rules\n* Out of Scope Vulnerabilities (no reward)\n    * Applicable to HotelTonight\n    * Applicable to Luckey Homes\n* Eligibility\n* Rewards\n* Other Information\n\n# Program Scope\n## Highest Impact Scope\n* `*.airbnb.com`\n* All localized airbnb sites (e.g., `es.airbnb.com`, `it.airbnb.com`)\n* [Airbnb iOS app](https://apps.apple.com/us/app/airbnb/id401626263)\n* [Airbnb Android app](https://play.google.com/store/apps/details?id=com.airbnb.android)\n\n## Lower Impact Scope\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. 
The bounties given for reports on these properties will therefore be significantly lower.\n\n* `*.atairbnb.com`\n* `*.withairbnb.com`\n* `*.airbnbcitizen.com`\n* `*.airbnb.org`\n* `*.byairbnb.com`\n* `*.muscache.com`\n* `*.airbnb-aws.com`\n* `*.luxuryretreats.com`\n* `*.airbnbopen.com`\n* `demo.urbandoor.com `\n* `provider.demo.urbandoor.com`\n* `admin.demo.urbandoor.com`\n* `luckey.in`\n* `luckey.fr`\n* `luckey.es`\n* `luckey.ca`\n* `luckey.app`\n* `luckey.com`\n* `luckey.partners`\n* `hoteltonight-test.com`\n* `api.hoteltonight-test.com`\n* `places.hoteltonight-test.com`\n\n# Special Testing Instructions\n\n## Luckey Testing Requirements\nHackerone testers can only browse the public login pages. We do not provide or approve Luckey Homes test accounts.\n\nIf you create a lead (contact form, signup, “estimate income modal = POST on /new_lead), please pass an additional parameter source with value luckey_test” This is executed at the end of the lead creation form on luckey.*.\n* If you post directly on the API endpoints, then add `source=luckey_test` in your POST payload\n* Or browse to https://luckey.fr/?utm_source=luckey_test to automatically add `source=luckey_test` to your post payloads. \n* If you skip this Testing Requirement, then you will be in violation of our program rules, and not eligible for bounty reward.\n\nThe above steps do not result in a test account. They simply allow you to test some functionality without causing disruption to our internal business support team.\n\n## HotelTonight Testing Requirements\nResearchers can create customer accounts and book hotel rooms (test bookings) using a fake credit card on our staging environment, which doesn’t send out any emails notifications (activation or confirmation) to customers. 
\n\nHotel Tonight Mobile Web App\n* Accessible from https://www.hoteltonight-test.com (if using a desktop browser, note that you will need to use a mobile user-agent or Chrome developer tools to view the mobile site)\n\nHotel Tonight Mobile APIs\nMobile APIs that power our mobile apps are located at:\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\nHotel Tonight Cities and Inventory\nOn our staging environment, you should search for following cities to look for hotels:\n* San Francisco\n* Las Vegas\n* New York City\n\nHotel Tonight Access\nYou can create customer accounts using your emails (no activation emails will be sent), and use the following credit card for test booking a hotel room: - 4111111111111111 (Visa) with any expiration date in the future. Additional test payment methods available at https://developers.braintreepayments.com/reference/general/testing/ruby#credit-card-numbers (use only American Express, Discover, JCB, Mastercard, or Visa). All test bookings are not real bookings. We also suppress all emails for test bookings, so no email receipts will be sent to whatever email address is entered.\n\nHotel Tonight Credentials\nResearchers will need to self-provision the customer accounts by signing up using their email on our mobile web app. You will not get any activation email from our staging environment.\n\n## Urbandoor Testing Requirements\nDo NOT create requests and bookings at www.urbandoor.com or other urbandoor environments. We no longer approve or provide test accounts, requests or bookings in any urbandoor environment. You may browse our demo environments for vulnerabilities, but we no longer have a test account creation workflow. \n\n# Program Rules\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through Hackerone. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n* No testing on real user data permitted for any Urbandoor, Hotel Tonight, or Gaest assets. \n\n# Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario, exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses where the redacted content is replaced by the string `(Hidden by Airbnb)` (other content redaction vulnerabilities are in scope)\n* Techniques allowing you to view user profile photos (these are considered public)\n* Broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n## Applicable to HotelTonight\n* `hoteltonight.com`\n* `hoteltonight.build`\n* Our partners site (`partners.hoteltonight.com`)\n* iOS mobile app\n* Single Sign On (Google or Facebook). 
This doesn’t work reliably on our staging environment\n* Do not send questions/requests to their customer support team for help with your testing. This is considered an interruption to the business. \n\n## Applicable to Luckey Homes\n* Do not send questions/requests to their customer support team. This is considered an interruption to the business. You must also follow Airbnb's General Program Rules (listed above).\n\n# Eligibility\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n# Rewards\nOur maximum bounty is $15,000 USD. \nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. 
The following table outlines the average rewards for specific classes of vulnerabilities:\n\n|Vulnerability Type|Average Bounty for high-priority asset|Average Bounty for lower-priority asset|\n|-------------------|-----------------|-----------------|\n| Remote Code Execution (RCE) | $15,000 | $5,000 |\n| SQL Injection | $10,000 | $3,000 |\n| Significant Authentication Bypass | $5,000 | $1,500 |\n| Server Side Request Forgery (SSRF) | $3,500 | $1,000 |\n| Local file Inclusion | $2,500 | $750 |\n| Stored Cross Site Scripting | $3,500 | $500 |\n| Reflected/Other Cross Site Scripting | $2,500 | $500 |\n| Sensitive Data Exposure| $1,500 | $500 |\n| Authorization Flaw | $1,500 | $500 |\n| Cross-Site Request Forgery (CSRF) | $1,500| $500 |\n| Open Redirect on Sensitive Parameter | $1,500 | $500 |\n| Improper Direct Object Reference (IDOR) | $1,500 | $300 |\n| Open Redirect | $500 | $150 |\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data. 
Assets listed as \"low-priority\" in the program scope will generally receive a significantly lower bounty compared to the values on the table above.\n\n# Other Information\n* [Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n* [Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-12-17T01:20:37.210Z"},{"id":3663115,"new_policy":"== Log4j Promotion ==\n\nAs part of this promotion, we will be offering a **50% bonus\nbounty in addition to the standard payouts for valid Log4j RCE findings.**\n- Promotion Start Date: December 16th, 2021\n- Promotion End Date: February 16th, 2021\n\nHappy hacking! Airbnb Security team\n\n-------------------------\n-------------------------\n\n-------------------------\n-------------------------\nWelcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. 
Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or access other user’s data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](https://hackerone.com/googleplay).\n\n# Table of Contents\n* Program Scope\n    * Highest Impact Scope\n    * Lower Impact Scope\n* Special Testing Requirements\n    * Luckey Testing Requirements\n    * HotelTonight Testing Requirements\n    * Urbandoor Testing Requirements\n* Program Rules\n* Out of Scope Vulnerabilities (no reward)\n    * Applicable to HotelTonight\n    * Applicable to Luckey Homes\n* Eligibility\n* Rewards\n* Other Information\n\n# Program Scope\n## Highest Impact Scope\n* `*.airbnb.com`\n* All localized airbnb sites (e.g., `es.airbnb.com`, `it.airbnb.com`)\n* [Airbnb iOS app](https://apps.apple.com/us/app/airbnb/id401626263)\n* [Airbnb Android app](https://play.google.com/store/apps/details?id=com.airbnb.android)\n\n## Lower Impact Scope\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. 
The bounties given for reports on these properties will therefore be significantly lower.\n\n* `*.atairbnb.com`\n* `*.withairbnb.com`\n* `*.airbnbcitizen.com`\n* `*.airbnb.org`\n* `*.byairbnb.com`\n* `*.muscache.com`\n* `*.airbnb-aws.com`\n* `*.luxuryretreats.com`\n* `*.airbnbopen.com`\n* `demo.urbandoor.com `\n* `provider.demo.urbandoor.com`\n* `admin.demo.urbandoor.com`\n* `luckey.in`\n* `luckey.fr`\n* `luckey.es`\n* `luckey.ca`\n* `luckey.app`\n* `luckey.com`\n* `luckey.partners`\n* `hoteltonight-test.com`\n* `api.hoteltonight-test.com`\n* `places.hoteltonight-test.com`\n\n# Special Testing Instructions\n\n## Luckey Testing Requirements\nHackerone testers can only browse the public login pages. We do not provide or approve Luckey Homes test accounts.\n\nIf you create a lead (contact form, signup, “estimate income modal = POST on /new_lead), please pass an additional parameter source with value luckey_test” This is executed at the end of the lead creation form on luckey.*.\n* If you post directly on the API endpoints, then add `source=luckey_test` in your POST payload\n* Or browse to https://luckey.fr/?utm_source=luckey_test to automatically add `source=luckey_test` to your post payloads. \n* If you skip this Testing Requirement, then you will be in violation of our program rules, and not eligible for bounty reward.\n\nThe above steps do not result in a test account. They simply allow you to test some functionality without causing disruption to our internal business support team.\n\n## HotelTonight Testing Requirements\nResearchers can create customer accounts and book hotel rooms (test bookings) using a fake credit card on our staging environment, which doesn’t send out any emails notifications (activation or confirmation) to customers. 
\n\nHotel Tonight Mobile Web App\n* Accessible from https://www.hoteltonight-test.com (if using a desktop browser, note that you will need to use a mobile user-agent or Chrome developer tools to view the mobile site)\n\nHotel Tonight Mobile APIs\nMobile APIs that power our mobile apps are located at:\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\nHotel Tonight Cities and Inventory\nOn our staging environment, you should search for following cities to look for hotels:\n* San Francisco\n* Las Vegas\n* New York City\n\nHotel Tonight Access\nYou can create customer accounts using your emails (no activation emails will be sent), and use the following credit card for test booking a hotel room: - 4111111111111111 (Visa) with any expiration date in the future. Additional test payment methods available at https://developers.braintreepayments.com/reference/general/testing/ruby#credit-card-numbers (use only American Express, Discover, JCB, Mastercard, or Visa). All test bookings are not real bookings. We also suppress all emails for test bookings, so no email receipts will be sent to whatever email address is entered.\n\nHotel Tonight Credentials\nResearchers will need to self-provision the customer accounts by signing up using their email on our mobile web app. You will not get any activation email from our staging environment.\n\n## Urbandoor Testing Requirements\nDo NOT create requests and bookings at www.urbandoor.com or other urbandoor environments. We no longer approve or provide test accounts, requests or bookings in any urbandoor environment. You may browse our demo environments for vulnerabilities, but we no longer have a test account creation workflow. \n\n# Program Rules\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through Hackerone. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n* No testing on real user data permitted for any Urbandoor, Hotel Tonight, or Gaest assets. \n\n# Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario, exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses where the redacted content is replaced by the string `(Hidden by Airbnb)` (other content redaction vulnerabilities are in scope)\n* Techniques allowing you to view user profile photos (these are considered public)\n* Broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n## Applicable to HotelTonight\n* `hoteltonight.com`\n* `hoteltonight.build`\n* Our partners site (`partners.hoteltonight.com`)\n* iOS mobile app\n* Single Sign On (Google or Facebook). 
This doesn’t work reliably on our staging environment\n* Do not send questions/requests to their customer support team for help with your testing. This is considered an interruption to the business. \n\n## Applicable to Luckey Homes\n* Do not send questions/requests to their customer support team. This is considered an interruption to the business. You must also follow Airbnb's General Program Rules (listed above).\n\n# Eligibility\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n# Rewards\nOur maximum bounty is $15,000 USD. \nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. 
The following table outlines the average rewards for specific classes of vulnerabilities:\n\n|Vulnerability Type|Average Bounty for high-priority asset|Average Bounty for lower-priority asset|\n|-------------------|-----------------|-----------------|\n| Remote Code Execution (RCE) | $15,000 | $5,000 |\n| SQL Injection | $10,000 | $3,000 |\n| Significant Authentication Bypass | $5,000 | $1,500 |\n| Server Side Request Forgery (SSRF) | $3,500 | $1,000 |\n| Local file Inclusion | $2,500 | $750 |\n| Stored Cross Site Scripting | $3,500 | $500 |\n| Reflected/Other Cross Site Scripting | $2,500 | $500 |\n| Sensitive Data Exposure| $1,500 | $500 |\n| Authorization Flaw | $1,500 | $500 |\n| Cross-Site Request Forgery (CSRF) | $1,500| $500 |\n| Open Redirect on Sensitive Parameter | $1,500 | $500 |\n| Improper Direct Object Reference (IDOR) | $1,500 | $300 |\n| Open Redirect | $500 | $150 |\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data. 
Assets listed as \"low-priority\" in the program scope will generally receive a significantly lower bounty compared to the values on the table above.\n\n# Other Information\n* [Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n* [Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-12-17T01:19:26.812Z"},{"id":3662292,"new_policy":"==We are running a Promotion!==\n\nAs part of this promotion, we will be offering a **25% multiplier\nbounty in addition to the standard payouts for valid IDORS.**\n- Promotion Start Date: November 29st, 2021\n- Promotion End Date: December 16th, 2021\n\nHappy hacking! Airbnb Security team\n\n-------------------------\n-------------------------\n\n-------------------------\n-------------------------\nWelcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. 
Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or access other user’s data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](https://hackerone.com/googleplay).\n\n# Table of Contents\n* Program Scope\n    * Highest Impact Scope\n    * Lower Impact Scope\n* Special Testing Requirements\n    * Luckey Testing Requirements\n    * HotelTonight Testing Requirements\n    * Urbandoor Testing Requirements\n* Program Rules\n* Out of Scope Vulnerabilities (no reward)\n    * Applicable to HotelTonight\n    * Applicable to Luckey Homes\n* Eligibility\n* Rewards\n* Other Information\n\n# Program Scope\n## Highest Impact Scope\n* `*.airbnb.com`\n* All localized airbnb sites (e.g., `es.airbnb.com`, `it.airbnb.com`)\n* [Airbnb iOS app](https://apps.apple.com/us/app/airbnb/id401626263)\n* [Airbnb Android app](https://play.google.com/store/apps/details?id=com.airbnb.android)\n\n## Lower Impact Scope\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. 
The bounties given for reports on these properties will therefore be significantly lower.\n\n* `*.atairbnb.com`\n* `*.withairbnb.com`\n* `*.airbnbcitizen.com`\n* `*.airbnb.org`\n* `*.byairbnb.com`\n* `*.muscache.com`\n* `*.airbnb-aws.com`\n* `*.luxuryretreats.com`\n* `*.airbnbopen.com`\n* `demo.urbandoor.com`\n* `provider.demo.urbandoor.com`\n* `admin.demo.urbandoor.com`\n* `luckey.in`\n* `luckey.fr`\n* `luckey.es`\n* `luckey.ca`\n* `luckey.app`\n* `luckey.com`\n* `luckey.partners`\n* `hoteltonight-test.com`\n* `api.hoteltonight-test.com`\n* `places.hoteltonight-test.com`\n\n# Special Testing Instructions\n\n## Luckey Testing Requirements\nHackerone testers can only browse the public login pages. We do not provide or approve Luckey Homes test accounts.\n\nIf you create a lead (contact form, signup, “estimate income” modal = POST on /new_lead), please pass an additional parameter `source` with the value `luckey_test`. This is executed at the end of the lead creation form on luckey.*.\n* If you post directly to the API endpoints, add `source=luckey_test` to your POST payload.\n* Or browse to https://luckey.fr/?utm_source=luckey_test to automatically add `source=luckey_test` to your POST payloads.\n* If you skip this testing requirement, you will be in violation of our program rules and not eligible for a bounty reward.\n\nThe above steps do not result in a test account. They simply allow you to test some functionality without causing disruption to our internal business support team.\n\n## HotelTonight Testing Requirements\nResearchers can create customer accounts and book hotel rooms (test bookings) using a fake credit card on our staging environment, which doesn’t send out any email notifications (activation or confirmation) to customers. 
\n\nHotel Tonight Mobile Web App\n* Accessible from https://www.hoteltonight-test.com (if using a desktop browser, note that you will need to use a mobile user-agent or Chrome developer tools to view the mobile site)\n\nHotel Tonight Mobile APIs\nMobile APIs that power our mobile apps are located at:\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\nHotel Tonight Cities and Inventory\nOn our staging environment, you should search for the following cities to look for hotels:\n* San Francisco\n* Las Vegas\n* New York City\n\nHotel Tonight Access\nYou can create customer accounts using your email address (no activation emails will be sent), and use the following credit card to test-book a hotel room: 4111111111111111 (Visa) with any expiration date in the future. Additional test payment methods are available at https://developers.braintreepayments.com/reference/general/testing/ruby#credit-card-numbers (use only American Express, Discover, JCB, Mastercard, or Visa). Test bookings are not real bookings. We also suppress all emails for test bookings, so no email receipts will be sent to whatever email address is entered.\n\nHotel Tonight Credentials\nResearchers will need to self-provision customer accounts by signing up with their email on our mobile web app. You will not get any activation email from our staging environment.\n\n## Urbandoor Testing Requirements\nDo NOT create requests and bookings at www.urbandoor.com or other Urbandoor environments. We no longer approve or provide test accounts, requests, or bookings in any Urbandoor environment. You may browse our demo environments for vulnerabilities, but we no longer have a test account creation workflow.\n\n# Program Rules\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through Hackerone. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n* No testing on real user data permitted for any Urbandoor, Hotel Tonight, or Gaest assets. \n\n# Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario, exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses where the redacted content is replaced by the string `(Hidden by Airbnb)` (other content redaction vulnerabilities are in scope)\n* Techniques allowing you to view user profile photos (these are considered public)\n* Broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n## Applicable to HotelTonight\n* `hoteltonight.com`\n* `hoteltonight.build`\n* Our partners site (`partners.hoteltonight.com`)\n* iOS mobile app\n* Single Sign On (Google or Facebook). 
This doesn’t work reliably on our staging environment\n* Do not send questions/requests to their customer support team for help with your testing. This is considered an interruption to the business. \n\n## Applicable to Luckey Homes\n* Do not send questions/requests to their customer support team. This is considered an interruption to the business. You must also follow Airbnb's General Program Rules (listed above).\n\n# Eligibility\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n# Rewards\nOur maximum bounty is $15,000 USD. \nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. 
The following table outlines the average rewards for specific classes of vulnerabilities:\n\n|Vulnerability Type|Average Bounty for high-priority asset|Average Bounty for lower-priority asset|\n|-------------------|-----------------|-----------------|\n| Remote Code Execution (RCE) | $15,000 | $5,000 |\n| SQL Injection | $10,000 | $3,000 |\n| Significant Authentication Bypass | $5,000 | $1,500 |\n| Server Side Request Forgery (SSRF) | $3,500 | $1,000 |\n| Local file Inclusion | $2,500 | $750 |\n| Stored Cross Site Scripting | $3,500 | $500 |\n| Reflected/Other Cross Site Scripting | $2,500 | $500 |\n| Sensitive Data Exposure| $1,500 | $500 |\n| Authorization Flaw | $1,500 | $500 |\n| Cross-Site Request Forgery (CSRF) | $1,500| $500 |\n| Open Redirect on Sensitive Parameter | $1,500 | $500 |\n| Improper Direct Object Reference (IDOR) | $1,500 | $300 |\n| Open Redirect | $500 | $150 |\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data. Assets listed as \"low-priority\" in the program scope will generally receive a significantly lower bounty compared to the values on the table above.\n\n# Other Information\n* [Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n* [Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-11-29T20:02:15.336Z"},{"id":3658852,"new_policy":"Welcome! 
Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or accesses other users’ data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](https://hackerone.com/googleplay).\n\n# Table of Contents\n* Program Scope\n    * Highest Impact Scope\n    * Lower Impact Scope\n* Special Testing Requirements\n    * Luckey Testing Requirements\n    * HotelTonight Testing Requirements\n    * Urbandoor Testing Requirements\n* Program Rules\n* Out of Scope Vulnerabilities (no reward)\n    * Applicable to HotelTonight\n    * Applicable to Luckey Homes\n* Eligibility\n* Rewards\n* Other Information\n\n# Program Scope\n## Highest Impact Scope\n* `*.airbnb.com`\n* All localized airbnb sites (e.g., `es.airbnb.com`, `it.airbnb.com`)\n* [Airbnb iOS app](https://apps.apple.com/us/app/airbnb/id401626263)\n* [Airbnb Android app](https://play.google.com/store/apps/details?id=com.airbnb.android)\n\n## Lower Impact Scope\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. The bounties given for reports on these properties will therefore be significantly lower.\n\n* `*.atairbnb.com`\n* `*.withairbnb.com`\n* `*.airbnbcitizen.com`\n* `*.airbnb.org`\n* `*.byairbnb.com`\n* `*.muscache.com`\n* `*.airbnb-aws.com`\n* `*.luxuryretreats.com`\n* `*.airbnbopen.com`\n* `demo.urbandoor.com`\n* `provider.demo.urbandoor.com`\n* `admin.demo.urbandoor.com`\n* `luckey.in`\n* `luckey.fr`\n* `luckey.es`\n* `luckey.ca`\n* `luckey.app`\n* `luckey.com`\n* `luckey.partners`\n* `hoteltonight-test.com`\n* `api.hoteltonight-test.com`\n* `places.hoteltonight-test.com`\n\n# Special Testing Instructions\n\n## Luckey Testing Requirements\nHackerone testers can only browse the public login pages. 
We do not provide or approve Luckey Homes test accounts.\n\nIf you create a lead (contact form, signup, “estimate income” modal = POST on /new_lead), please pass an additional parameter `source` with the value `luckey_test`. This is executed at the end of the lead creation form on luckey.*.\n* If you post directly to the API endpoints, add `source=luckey_test` to your POST payload.\n* Or browse to https://luckey.fr/?utm_source=luckey_test to automatically add `source=luckey_test` to your POST payloads.\n* If you skip this testing requirement, you will be in violation of our program rules and not eligible for a bounty reward.\n\nThe above steps do not result in a test account. They simply allow you to test some functionality without causing disruption to our internal business support team.\n\n## HotelTonight Testing Requirements\nResearchers can create customer accounts and book hotel rooms (test bookings) using a fake credit card on our staging environment, which doesn’t send out any email notifications (activation or confirmation) to customers.\n\nHotel Tonight Mobile Web App\n* Accessible from https://www.hoteltonight-test.com (if using a desktop browser, note that you will need to use a mobile user-agent or Chrome developer tools to view the mobile site)\n\nHotel Tonight Mobile APIs\nMobile APIs that power our mobile apps are located at:\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\nHotel Tonight Cities and Inventory\nOn our staging environment, you should search for the following cities to look for hotels:\n* San Francisco\n* Las Vegas\n* New York City\n\nHotel Tonight Access\nYou can create customer accounts using your email address (no activation emails will be sent), and use the following credit card to test-book a hotel room: 4111111111111111 (Visa) with any expiration date in the future. 
Additional test payment methods are available at https://developers.braintreepayments.com/reference/general/testing/ruby#credit-card-numbers (use only American Express, Discover, JCB, Mastercard, or Visa). Test bookings are not real bookings. We also suppress all emails for test bookings, so no email receipts will be sent to whatever email address is entered.\n\nHotel Tonight Credentials\nResearchers will need to self-provision customer accounts by signing up with their email on our mobile web app. You will not get any activation email from our staging environment.\n\n## Urbandoor Testing Requirements\nDo NOT create requests and bookings at www.urbandoor.com or other Urbandoor environments. We no longer approve or provide test accounts, requests, or bookings in any Urbandoor environment. You may browse our demo environments for vulnerabilities, but we no longer have a test account creation workflow.\n\n# Program Rules\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through Hackerone. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n* No testing on real user data permitted for any Urbandoor, Hotel Tonight, or Gaest assets. 
\n\n# Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario, exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses where the redacted content is replaced by the string `(Hidden by Airbnb)` (other content redaction vulnerabilities are in scope)\n* Techniques allowing you to view user profile photos (these are considered public)\n* Broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n## Applicable to HotelTonight\n* `hoteltonight.com`\n* `hoteltonight.build`\n* Our partners site (`partners.hoteltonight.com`)\n* iOS mobile app\n* Single Sign On (Google or Facebook). This doesn’t work reliably on our staging environment\n* Do not send questions/requests to their customer support team for help with your testing. This is considered an interruption to the business. \n\n## Applicable to Luckey Homes\n* Do not send questions/requests to their customer support team. This is considered an interruption to the business. You must also follow Airbnb's General Program Rules (listed above).\n\n# Eligibility\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. 
Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n# Rewards\nOur maximum bounty is $15,000 USD. \nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. The following table outlines the average rewards for specific classes of vulnerabilities:\n\n|Vulnerability Type|Average Bounty for high-priority asset|Average Bounty for lower-priority asset|\n|-------------------|-----------------|-----------------|\n| Remote Code Execution (RCE) | $15,000 | $5,000 |\n| SQL Injection | $10,000 | $3,000 |\n| Significant Authentication Bypass | $5,000 | $1,500 |\n| Server Side Request Forgery (SSRF) | $3,500 | $1,000 |\n| Local file Inclusion | $2,500 | $750 |\n| Stored Cross Site Scripting | $3,500 | $500 |\n| Reflected/Other Cross Site Scripting | $2,500 | $500 |\n| Sensitive Data Exposure| $1,500 | $500 |\n| Authorization Flaw | $1,500 | $500 |\n| Cross-Site Request Forgery (CSRF) | $1,500| $500 |\n| Open Redirect on Sensitive Parameter | $1,500 | $500 |\n| Improper Direct Object Reference (IDOR) | $1,500 | $300 |\n| Open Redirect | $500 | $150 |\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. 
Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data. Assets listed as \"low-priority\" in the program scope will generally receive a significantly lower bounty compared to the values on the table above.\n\n# Other Information\n* [Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n* [Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-24T19:51:37.401Z"},{"id":3649438,"new_policy":"Welcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. 
Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or accesses other users’ data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](https://hackerone.com/googleplay).\n\n# Table of Contents\n* Program Scope\n    * Highest Impact Scope\n    * Lower Impact Scope\n* Special Testing Requirements\n    * Luckey Testing Requirements\n    * HotelTonight Testing Requirements\n    * Urbandoor Testing Requirements\n* Program Rules\n* Out of Scope Vulnerabilities (no reward)\n    * Applicable to HotelTonight\n    * Applicable to Luckey Homes\n* Eligibility\n* Rewards\n* Other Information\n\n# Program Scope\n## Highest Impact Scope\n* `*.airbnb.com`\n* All localized airbnb sites (e.g., `es.airbnb.com`, `it.airbnb.com`)\n* [Airbnb iOS app](https://apps.apple.com/us/app/airbnb/id401626263)\n* [Airbnb Android app](https://play.google.com/store/apps/details?id=com.airbnb.android)\n\n## Lower Impact Scope\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. 
The bounties given for reports on these properties will therefore be significantly lower.\n\n* `*.atairbnb.com`\n* `*.withairbnb.com`\n* `*.airbnbcitizen.com`\n* `*.airbnb.org`\n* `*.byairbnb.com`\n* `*.muscache.com`\n* `*.airbnb-aws.com`\n* `*.luxuryretreats.com`\n* `*.airbnbopen.com`\n* `demo.urbandoor.com`\n* `provider.demo.urbandoor.com`\n* `admin.demo.urbandoor.com`\n* `luckey.in`\n* `luckey.fr`\n* `luckey.es`\n* `luckey.ca`\n* `luckey.app`\n* `luckey.com`\n* `luckey.partners`\n* `hoteltonight-test.com`\n* `api.hoteltonight-test.com`\n* `places.hoteltonight-test.com`\n\n# Special Testing Instructions\n\n## Luckey Testing Requirements\nHackerone testers can only browse the public login pages. We do not provide or approve Luckey Homes test accounts.\n\nIf you create a lead (contact form, signup, “estimate income” modal = POST on /new_lead), please pass an additional parameter `source` with the value `luckey_test`. This is executed at the end of the lead creation form on luckey.*.\n* If you post directly to the API endpoints, add `source=luckey_test` to your POST payload.\n* Or browse to https://luckey.fr/?utm_source=luckey_test to automatically add `source=luckey_test` to your POST payloads.\n* If you skip this testing requirement, you will be in violation of our program rules and not eligible for a bounty reward.\n\nThe above steps do not result in a test account. They simply allow you to test some functionality without causing disruption to our internal business support team.\n\n## HotelTonight Testing Requirements\nResearchers can create customer accounts and book hotel rooms (test bookings) using a fake credit card on our staging environment, which doesn’t send out any email notifications (activation or confirmation) to customers. 
\n\nHotel Tonight Mobile Web App\n* Accessible from https://www.hoteltonight-test.com (if using a desktop browser, note that you will need to use a mobile user-agent or Chrome developer tools to view the mobile site)\n\nHotel Tonight Mobile APIs\nMobile APIs that power our mobile apps are located at:\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\nHotel Tonight Cities and Inventory\nOn our staging environment, you should search for the following cities to look for hotels:\n* San Francisco\n* Las Vegas\n* New York City\n\nHotel Tonight Access\nYou can create customer accounts using your email address (no activation emails will be sent), and use the following credit card to test-book a hotel room: 4111111111111111 (Visa) with any expiration date in the future. Additional test payment methods are available at https://developers.braintreepayments.com/reference/general/testing/ruby#credit-card-numbers (use only American Express, Discover, JCB, Mastercard, or Visa). Test bookings are not real bookings. We also suppress all emails for test bookings, so no email receipts will be sent to whatever email address is entered.\n\nHotel Tonight Credentials\nResearchers will need to self-provision customer accounts by signing up with their email on our mobile web app. You will not get any activation email from our staging environment.\n\n## Urbandoor Testing Requirements\nDo NOT create requests and bookings at www.urbandoor.com or other Urbandoor environments. We no longer approve or provide test accounts, requests, or bookings in any Urbandoor environment. You may browse our demo environments for vulnerabilities, but we no longer have a test account creation workflow.\n\n# Program Rules\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through Hackerone. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n* No testing on real user data permitted for any Urbandoor, Hotel Tonight, or Gaest assets. \n\n# Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario, exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses where the redacted content is replaced by the string `(Hidden by Airbnb)` (other content redaction vulnerabilities are in scope)\n* Techniques allowing you to view user profile photos (these are considered public)\n* Broken links or unclaimed social media accounts (unless chained with an impactful exploit)\n\n## Applicable to HotelTonight\n* `hoteltonight.com`\n* `hoteltonight.build`\n* Our partners site (`partners.hoteltonight.com`)\n* iOS mobile app\n* Single Sign On (Google or Facebook). 
This doesn’t work reliably on our staging environment\n* Do not send questions/requests to their customer support team for help with your testing. This is considered an interruption to the business. \n\n## Applicable to Luckey Homes\n* Do not send questions/requests to their customer support team. This is considered an interruption to the business. You must also follow Airbnb's General Program Rules (listed above).\n\n# Eligibility\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n# Rewards\nOur maximum bounty is $15,000 USD. \nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. 
The following table outlines the average rewards for specific classes of vulnerabilities:\n\n|Vulnerability Type|Average Bounty for high-priority asset|Average Bounty for lower-priority asset|\n|-------------------|-----------------|-----------------|\n| Remote Code Execution (RCE) | $15,000 | $5,000 |\n| SQL Injection | $10,000 | $3,000 |\n| Significant Authentication Bypass | $5,000 | $1,500 |\n| Server Side Request Forgery (SSRF) | $3,500 | $1,000 |\n| Local file Inclusion | $2,500 | $750 |\n| Stored Cross Site Scripting | $3,500 | $500 |\n| Reflected/Other Cross Site Scripting | $2,500 | $500 |\n| Self Cross Site Scripting | $500 | $150|\n| Sensitive Data Exposure| $1,500 | $500 |\n| Authorization Flaw | $1,500 | $500 |\n| Cross-Site Request Forgery (CSRF) | $1,500| $500 |\n| Open Redirect on Sensitive Parameter | $1,500 | $500 |\n| Improper Direct Object Reference (IDOR) | $1,500 | $300 |\n| Open Redirect | $500 | $150 |\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data. 
Assets listed as \"low-priority\" in the program scope will generally receive a significantly lower bounty compared to the values on the table above.\n\n# Other Information\n* [Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n* [Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-03-03T22:27:44.896Z"},{"id":3646570,"new_policy":"Welcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or access other user’s data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. 
Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](https://hackerone.com/googleplay).\n\n# Table of Contents\n* Program Scope\n    * Highest Impact Scope\n    * Lower Impact Scope\n* Special Testing Requirements\n    * Luckey Testing Requirements\n    * HotelTonight Testing Requirements\n    * Urbandoor Testing Requirements\n* Program Rules\n* Out of Scope Vulnerabilities (no reward)\n    * Applicable to HotelTonight\n    * Applicable to Luckey Homes\n* Eligibility\n* Rewards\n* Other Information\n\n# Program Scope\n## Highest Impact Scope\n* `*.airbnb.com`\n* All localized airbnb sites (e.g., `es.airbnb.com`, `it.airbnb.com`)\n* [Airbnb iOS app](https://apps.apple.com/us/app/airbnb/id401626263)\n* [Airbnb Android app](https://play.google.com/store/apps/details?id=com.airbnb.android)\n\n## Lower Impact Scope\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. 
The bounties given for reports on these properties will therefore be significantly lower.\n\n* `*.atairbnb.com`\n* `*.withairbnb.com`\n* `*.airbnbcitizen.com`\n* `*.airbnb.org`\n* `*.byairbnb.com`\n* `*.muscache.com`\n* `*.airbnb-aws.com`\n* `*.luxuryretreats.com`\n* `*.airbnbopen.com`\n* `demo.urbandoor.com`\n* `provider.demo.urbandoor.com`\n* `admin.demo.urbandoor.com`\n* `luckey.in`\n* `luckey.fr`\n* `luckey.es`\n* `luckey.ca`\n* `luckey.app`\n* `luckey.com`\n* `luckey.partners`\n* `hoteltonight-test.com`\n* `api.hoteltonight-test.com`\n* `places.hoteltonight-test.com`\n\n# Special Testing Instructions\n\n## Luckey Testing Requirements\nHackerOne testers can only browse the public login pages. We do not provide or approve Luckey Homes test accounts.\n\nIf you create a lead (contact form, signup, or the “estimate income” modal, all of which POST to /new_lead), please pass an additional parameter `source` with the value `luckey_test`. This is executed at the end of the lead creation form on luckey.*.\n* If you post directly to the API endpoints, add `source=luckey_test` to your POST payload.\n* Or browse to https://luckey.fr/?utm_source=luckey_test to automatically add `source=luckey_test` to your POST payloads.\n* If you skip this Testing Requirement, you will be in violation of our program rules and not eligible for a bounty reward.\n\nThe above steps do not result in a test account. They simply allow you to test some functionality without causing disruption to our internal business support team.\n\n## HotelTonight Testing Requirements\nResearchers can create customer accounts and book hotel rooms (test bookings) using a fake credit card on our staging environment, which doesn’t send out any email notifications (activation or confirmation) to customers. 
\n\nHotel Tonight Mobile Web App\n* Accessible from https://www.hoteltonight-test.com (if using a desktop browser, note that you will need to use a mobile user-agent or Chrome developer tools to view the mobile site)\n\nHotel Tonight Mobile APIs\nThe mobile APIs that power our mobile apps are located at:\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\nHotel Tonight Cities and Inventory\nOn our staging environment, search for the following cities to find hotels:\n* San Francisco\n* Las Vegas\n* New York City\n\nHotel Tonight Access\nYou can create customer accounts using your own email addresses (no activation emails will be sent), and use the following test credit card to book a hotel room: 4111111111111111 (Visa) with any expiration date in the future. Additional test payment methods are available at https://developers.braintreepayments.com/reference/general/testing/ruby#credit-card-numbers (use only American Express, Discover, JCB, Mastercard, or Visa). None of these test bookings are real bookings. We also suppress all emails for test bookings, so no email receipts will be sent to whatever email address is entered.\n\nHotel Tonight Credentials\nResearchers will need to self-provision customer accounts by signing up with their email on our mobile web app. You will not receive an activation email from our staging environment.\n\n## Urbandoor Testing Requirements\nDo NOT create requests or bookings at www.urbandoor.com or any other Urbandoor environment. We no longer approve or provide test accounts, requests or bookings in any Urbandoor environment. You may browse our demo environments for vulnerabilities, but we no longer have a test account creation workflow.\n\n# Program Rules\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through HackerOne. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n* No testing on real user data is permitted for any Urbandoor, Hotel Tonight, or Gaest assets.\n\n# Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario, exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses where the redacted content is replaced by the string `(Hidden by Airbnb)` (other content redaction vulnerabilities are in scope)\n* Techniques allowing you to view user profile photos (these are considered public)\n\n## Applicable to HotelTonight\n* `hoteltonight.com`\n* `hoteltonight.build`\n* Our partners site (`partners.hoteltonight.com`)\n* iOS mobile app\n* Single Sign On (Google or Facebook). 
This doesn’t work reliably on our staging environment\n* Do not send questions/requests to their customer support team for help with your testing. This is considered an interruption to the business. \n\n## Applicable to Luckey Homes\n* Do not send questions/requests to their customer support team. This is considered an interruption to the business. You must also follow Airbnb's General Program Rules (listed above).\n\n# Eligibility\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n# Rewards\nOur maximum bounty is $15,000 USD. \nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. 
The following table outlines the average rewards for specific classes of vulnerabilities:\n\n|Vulnerability Type|Average Bounty for high-priority asset|Average Bounty for lower-priority asset|\n|-------------------|-----------------|-----------------|\n| Remote Code Execution (RCE) | $15,000 | $5,000 |\n| SQL Injection | $10,000 | $3,000 |\n| Significant Authentication Bypass | $5,000 | $1,500 |\n| Server Side Request Forgery (SSRF) | $3,500 | $1,000 |\n| Local file Inclusion | $2,500 | $750 |\n| Stored Cross Site Scripting | $3,500 | $500 |\n| Reflected/Other Cross Site Scripting | $2,500 | $500 |\n| Self Cross Site Scripting | $500 | $150|\n| Sensitive Data Exposure| $1,500 | $500 |\n| Authorization Flaw | $1,500 | $500 |\n| Cross-Site Request Forgery (CSRF) | $1,500| $500 |\n| Open Redirect on Sensitive Parameter | $1,500 | $500 |\n| Improper Direct Object Reference (IDOR) | $1,500 | $300 |\n| Open Redirect | $500 | $150 |\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data. 
Assets listed as \"low-priority\" in the program scope will generally receive a significantly lower bounty compared to the values on the table above.\n\n# Other Information\n* [Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n* [Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-08T00:17:44.499Z"},{"id":3646569,"new_policy":"Welcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or access other user’s data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. 
Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](https://hackerone.com/googleplay).\n\n# Table of Contents\n* Program Scope\n    * Highest Impact Scope\n    * Lower Impact Scope\n* Special Testing Requirements\n    * Luckey Testing Requirements\n    * HotelTonight Testing Requirements\n    * Urbandoor Testing Requirements\n* Program Rules\n* Out of Scope Vulnerabilities (no reward)\n    * Applicable to HotelTonight\n    * Applicable to Luckey Homes\n* Eligibility\n* Rewards\n* Other Information\n\n# Program Scope\n## Highest Impact Scope\n* `*.airbnb.com`\n* All localized airbnb sites (e.g., `es.airbnb.com`, `it.airbnb.com`)\n* [Airbnb iOS app](https://apps.apple.com/us/app/airbnb/id401626263)\n* [Airbnb Android app](https://play.google.com/store/apps/details?id=com.airbnb.android)\n\n## Lower Impact Scope\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. 
The bounties given for reports on these properties will therefore be significantly lower.\n\n* `*.atairbnb.com`\n* `*.withairbnb.com`\n* `*.airbnbcitizen.com`\n* `*.airbnb.org/`\n* `*.byairbnb.com`\n* `*.muscache.com`\n* `*.airbnb-aws.com`\n* `*.luxuryretreats.com`\n* `*.airbnbopen.com`\n* `demo.urbandoor.com`\n* `provider.demo.urbandoor.com`\n* `admin.demo.urbandoor.com`\n* `luckey.in`\n* `luckey.fr`\n* `luckey.es`\n* `luckey.ca`\n* `luckey.app`\n* `luckey.com`\n* `luckey.partners`\n* `hoteltonight-test.com`\n* `api.hoteltonight-test.com`\n* `places.hoteltonight-test.com`\n\n# Special Testing Instructions\n\n## Luckey Testing Requirements\nHackerOne testers can only browse the public login pages. We do not provide or approve Luckey Homes test accounts.\n\nIf you create a lead (contact form, signup, or the “estimate income” modal, all of which POST to /new_lead), please pass an additional parameter `source` with the value `luckey_test`. This is executed at the end of the lead creation form on luckey.*.\n* If you post directly to the API endpoints, add `source=luckey_test` to your POST payload.\n* Or browse to https://luckey.fr/?utm_source=luckey_test to automatically add `source=luckey_test` to your POST payloads.\n* If you skip this Testing Requirement, you will be in violation of our program rules and not eligible for a bounty reward.\n\nThe above steps do not result in a test account. They simply allow you to test some functionality without causing disruption to our internal business support team.\n\n## HotelTonight Testing Requirements\nResearchers can create customer accounts and book hotel rooms (test bookings) using a fake credit card on our staging environment, which doesn’t send out any email notifications (activation or confirmation) to customers. 
\n\nHotel Tonight Mobile Web App\n* Accessible from https://www.hoteltonight-test.com (if using a desktop browser, note that you will need to use a mobile user-agent or Chrome developer tools to view the mobile site)\n\nHotel Tonight Mobile APIs\nThe mobile APIs that power our mobile apps are located at:\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\nHotel Tonight Cities and Inventory\nOn our staging environment, search for the following cities to find hotels:\n* San Francisco\n* Las Vegas\n* New York City\n\nHotel Tonight Access\nYou can create customer accounts using your own email addresses (no activation emails will be sent), and use the following test credit card to book a hotel room: 4111111111111111 (Visa) with any expiration date in the future. Additional test payment methods are available at https://developers.braintreepayments.com/reference/general/testing/ruby#credit-card-numbers (use only American Express, Discover, JCB, Mastercard, or Visa). None of these test bookings are real bookings. We also suppress all emails for test bookings, so no email receipts will be sent to whatever email address is entered.\n\nHotel Tonight Credentials\nResearchers will need to self-provision customer accounts by signing up with their email on our mobile web app. You will not receive an activation email from our staging environment.\n\n## Urbandoor Testing Requirements\nDo NOT create requests or bookings at www.urbandoor.com or any other Urbandoor environment. We no longer approve or provide test accounts, requests or bookings in any Urbandoor environment. You may browse our demo environments for vulnerabilities, but we no longer have a test account creation workflow.\n\n# Program Rules\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through HackerOne. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n* No testing on real user data is permitted for any Urbandoor, Hotel Tonight, or Gaest assets.\n\n# Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario, exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses where the redacted content is replaced by the string `(Hidden by Airbnb)` (other content redaction vulnerabilities are in scope)\n* Techniques allowing you to view user profile photos (these are considered public)\n\n## Applicable to HotelTonight\n* `hoteltonight.com`\n* `hoteltonight.build`\n* Our partners site (`partners.hoteltonight.com`)\n* iOS mobile app\n* Single Sign On (Google or Facebook). 
This doesn’t work reliably on our staging environment\n* Do not send questions/requests to their customer support team for help with your testing. This is considered an interruption to the business. \n\n## Applicable to Luckey Homes\n* Do not send questions/requests to their customer support team. This is considered an interruption to the business. You must also follow Airbnb's General Program Rules (listed above).\n\n# Eligibility\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n# Rewards\nOur maximum bounty is $15,000 USD. \nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. 
The following table outlines the average rewards for specific classes of vulnerabilities:\n\n|Vulnerability Type|Average Bounty for high-priority asset|Average Bounty for lower-priority asset|\n|-------------------|-----------------|-----------------|\n| Remote Code Execution (RCE) | $15,000 | $5,000 |\n| SQL Injection | $10,000 | $3,000 |\n| Significant Authentication Bypass | $5,000 | $1,500 |\n| Server Side Request Forgery (SSRF) | $3,500 | $1,000 |\n| Local file Inclusion | $2,500 | $750 |\n| Stored Cross Site Scripting | $3,500 | $500 |\n| Reflected/Other Cross Site Scripting | $2,500 | $500 |\n| Self Cross Site Scripting | $500 | $150|\n| Sensitive Data Exposure| $1,500 | $500 |\n| Authorization Flaw | $1,500 | $500 |\n| Cross-Site Request Forgery (CSRF) | $1,500| $500 |\n| Open Redirect on Sensitive Parameter | $1,500 | $500 |\n| Improper Direct Object Reference (IDOR) | $1,500 | $300 |\n| Open Redirect | $500 | $150 |\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data. 
Assets listed as \"low-priority\" in the program scope will generally receive a significantly lower bounty compared to the values on the table above.\n\n# Other Information\n* [Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n* [Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-08T00:16:46.738Z"},{"id":3642601,"new_policy":"Welcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or access other user’s data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. 
Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](https://hackerone.com/googleplay).\n\n# Table of Contents\n* Program Scope\n    * Highest Impact Scope\n    * Lower Impact Scope\n* Special Testing Requirements\n    * Luckey Testing Requirements\n    * HotelTonight Testing Requirements\n    * Urbandoor Testing Requirements\n* Program Rules\n* Out of Scope Vulnerabilities (no reward)\n    * Applicable to HotelTonight\n    * Applicable to Luckey Homes\n* Eligibility\n* Rewards\n* Other Information\n\n# Program Scope\n## Highest Impact Scope\n* `*.airbnb.com`\n* All localized airbnb sites (e.g., `es.airbnb.com`, `it.airbnb.com`)\n* [Airbnb iOS app](https://apps.apple.com/us/app/airbnb/id401626263)\n* [Airbnb Android app](https://play.google.com/store/apps/details?id=com.airbnb.android)\n\n## Lower Impact Scope\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. 
The bounties given for reports on these properties will therefore be significantly lower.\n\n* `*.atairbnb.com`\n* `*.withairbnb.com`\n* `*.airbnbcitizen.com`\n* `*.byairbnb.com`\n* `*.muscache.com`\n* `*.airbnb-aws.com`\n* `*.luxuryretreats.com`\n* `*.airbnbopen.com`\n* `demo.urbandoor.com`\n* `provider.demo.urbandoor.com`\n* `admin.demo.urbandoor.com`\n* `luckey.in`\n* `luckey.fr`\n* `luckey.es`\n* `luckey.ca`\n* `luckey.app`\n* `luckey.com`\n* `luckey.partners`\n* `hoteltonight-test.com`\n* `api.hoteltonight-test.com`\n* `places.hoteltonight-test.com`\n\n# Special Testing Instructions\n\n## Luckey Testing Requirements\nHackerOne testers can only browse the public login pages. We do not provide or approve Luckey Homes test accounts.\n\nIf you create a lead (contact form, signup, or the “estimate income” modal, all of which POST to /new_lead), please pass an additional parameter `source` with the value `luckey_test`. This is executed at the end of the lead creation form on luckey.*.\n* If you post directly to the API endpoints, add `source=luckey_test` to your POST payload.\n* Or browse to https://luckey.fr/?utm_source=luckey_test to automatically add `source=luckey_test` to your POST payloads.\n* If you skip this Testing Requirement, you will be in violation of our program rules and not eligible for a bounty reward.\n\nThe above steps do not result in a test account. They simply allow you to test some functionality without causing disruption to our internal business support team.\n\n## HotelTonight Testing Requirements\nResearchers can create customer accounts and book hotel rooms (test bookings) using a fake credit card on our staging environment, which doesn’t send out any email notifications (activation or confirmation) to customers. 
\n\nHotel Tonight Mobile Web App\n* Accessible from https://www.hoteltonight-test.com (if using a desktop browser, note that you will need to use a mobile user-agent or Chrome developer tools to view the mobile site)\n\nHotel Tonight Mobile APIs\nThe mobile APIs that power our mobile apps are located at:\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\nHotel Tonight Cities and Inventory\nOn our staging environment, search for the following cities to find hotels:\n* San Francisco\n* Las Vegas\n* New York City\n\nHotel Tonight Access\nYou can create customer accounts using your own email addresses (no activation emails will be sent), and use the following test credit card to book a hotel room: 4111111111111111 (Visa) with any expiration date in the future. Additional test payment methods are available at https://developers.braintreepayments.com/reference/general/testing/ruby#credit-card-numbers (use only American Express, Discover, JCB, Mastercard, or Visa). None of these test bookings are real bookings. We also suppress all emails for test bookings, so no email receipts will be sent to whatever email address is entered.\n\nHotel Tonight Credentials\nResearchers will need to self-provision customer accounts by signing up with their email on our mobile web app. You will not receive an activation email from our staging environment.\n\n## Urbandoor Testing Requirements\nDo NOT create requests or bookings at www.urbandoor.com or any other Urbandoor environment. We no longer approve or provide test accounts, requests or bookings in any Urbandoor environment. You may browse our demo environments for vulnerabilities, but we no longer have a test account creation workflow.\n\n# Program Rules\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through HackerOne. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n* No testing on real user data is permitted for any Urbandoor, Hotel Tonight, or Gaest assets.\n\n# Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario, exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses where the redacted content is replaced by the string `(Hidden by Airbnb)` (other content redaction vulnerabilities are in scope)\n* Techniques allowing you to view user profile photos (these are considered public)\n\n## Applicable to HotelTonight\n* `hoteltonight.com`\n* `hoteltonight.build`\n* Our partners site (`partners.hoteltonight.com`)\n* iOS mobile app\n* Single Sign On (Google or Facebook). 
This doesn’t work reliably on our staging environment\n* Do not send questions/requests to their customer support team for help with your testing. This is considered an interruption to the business. \n\n## Applicable to Luckey Homes\n* Do not send questions/requests to their customer support team. This is considered an interruption to the business. You must also follow Airbnb's General Program Rules (listed above).\n\n# Eligibility\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n# Rewards\nOur maximum bounty is $15,000 USD. \nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. 
The following table outlines the average rewards for specific classes of vulnerabilities:\n\n|Vulnerability Type|Average Bounty for high-priority asset|Average Bounty for lower-priority asset|\n|-------------------|-----------------|-----------------|\n| Remote Code Execution (RCE) | $15,000 | $5,000 |\n| SQL Injection | $10,000 | $3,000 |\n| Significant Authentication Bypass | $5,000 | $1,500 |\n| Server Side Request Forgery (SSRF) | $3,500 | $1,000 |\n| Local File Inclusion | $2,500 | $750 |\n| Stored Cross Site Scripting | $3,500 | $500 |\n| Reflected/Other Cross Site Scripting | $2,500 | $500 |\n| Self Cross Site Scripting | $500 | $150 |\n| Sensitive Data Exposure | $1,500 | $500 |\n| Authorization Flaw | $1,500 | $500 |\n| Cross-Site Request Forgery (CSRF) | $1,500 | $500 |\n| Open Redirect on Sensitive Parameter | $1,500 | $500 |\n| Insecure Direct Object Reference (IDOR) | $1,500 | $300 |\n| Open Redirect | $500 | $150 |\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data. 
Assets listed as \"low-priority\" in the program scope will generally receive a significantly lower bounty compared to the values on the table above.\n\n# Other Information\n* [Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n* [Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-09-18T23:29:50.805Z"},{"id":3642600,"new_policy":"Welcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or access other user’s data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. 
Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](https://hackerone.com/googleplay).\n\n# Table of Contents\n* Program Scope\n    * Highest Impact Scope\n    * Lower Impact Scope\n* Special Testing Requirements\n    * Luckey Testing Requirements\n    * HotelTonight Testing Requirements\n    * Urbandoor Testing Requirements\n* Program Rules\n* Out of Scope Vulnerabilities (no reward)\n    * Applicable to HotelTonight\n    * Applicable to Luckey Homes\n* Eligibility\n* Rewards\n* Other Information\n\n# Program Scope\n## Highest Impact Scope\n* `*.airbnb.com`\n* All localized airbnb sites (e.g., `es.airbnb.com`, `it.airbnb.com`)\n* [Airbnb iOS app](https://apps.apple.com/us/app/airbnb/id401626263)\n* [Airbnb Android app](https://play.google.com/store/apps/details?id=com.airbnb.android)\n\n## Lower Impact Scope\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. 
The bounties given for reports on these properties will therefore be significantly lower.\n\n* `*.atairbnb.com`\n* `*.withairbnb.com`\n* `*.airbnbcitizen.com`\n* `*.byairbnb.com`\n* `*.muscache.com`\n* `*.airbnb-aws.com`\n* `*.luxuryretreats.com`\n* `*.airbnbopen.com`\n* `demo.urbandoor.com`\n* `provider.demo.urbandoor.com`\n* `admin.demo.urbandoor.com`\n* `luckey.in`\n* `luckey.fr`\n* `luckey.es`\n* `luckey.ca`\n* `luckey.app`\n* `luckey.com`\n* `luckey.partners`\n* `hoteltonight-test.com`\n* `api.hoteltonight-test.com`\n* `places.hoteltonight-test.com`\n\n# Special Testing Requirements\n\n## Luckey Testing Requirements\nHackerOne testers can only browse the public login pages. We do not provide or approve Luckey Homes test accounts.\n\nIf you create a lead (contact form, signup, or the “estimate income” modal, i.e. a POST to /new_lead), please pass an additional parameter `source` with the value `luckey_test`. This is executed at the end of the lead creation form on luckey.*.\n* If you post directly to the API endpoints, add `source=luckey_test` to your POST payload.\n* Or browse to https://luckey.fr/?utm_source=luckey_test to automatically add `source=luckey_test` to your POST payloads.\n* If you skip this Testing Requirement, you will be in violation of our program rules and not eligible for a bounty reward.\n\nThe above steps do not result in a test account. They simply allow you to test some functionality without causing disruption to our internal business support team.\n\n## HotelTonight Testing Requirements\nResearchers can create customer accounts and book hotel rooms (test bookings) using a fake credit card on our staging environment, which doesn’t send out any email notifications (activation or confirmation) to customers. 
\n\nHotel Tonight Mobile Web App\n* Accessible from https://www.hoteltonight-test.com (if using a desktop browser, note that you will need to use a mobile user-agent or Chrome developer tools to view the mobile site)\n\nHotel Tonight Mobile APIs\nMobile APIs that power our mobile apps are located at:\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\nHotel Tonight Cities and Inventory\nOn our staging environment, you should search for the following cities to look for hotels:\n* San Francisco\n* Las Vegas\n* New York City\n\nHotel Tonight Access\nYou can create customer accounts using your emails (no activation emails will be sent), and use the following credit card to test-book a hotel room: 4111111111111111 (Visa) with any expiration date in the future. Additional test payment methods are available at https://developers.braintreepayments.com/reference/general/testing/ruby#credit-card-numbers (use only American Express, Discover, JCB, Mastercard, or Visa). Test bookings are not real bookings. We also suppress all emails for test bookings, so no email receipts will be sent to whatever email address is entered.\n\nHotel Tonight Credentials\nResearchers will need to self-provision the customer accounts by signing up using their email on our mobile web app. You will not get any activation email from our staging environment.\n\n## Urbandoor Testing Requirements\nDo NOT create requests and bookings at www.urbandoor.com or other Urbandoor environments. We no longer approve or provide test accounts, requests or bookings in any Urbandoor environment. You may browse our demo environments for vulnerabilities, but we no longer have a test account creation workflow. \n\n# Program Rules\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through HackerOne. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n* No testing on real user data is permitted for any Urbandoor, Hotel Tonight, or Gaest assets. \n\n# Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario, exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses where the redacted content is replaced by the string `(Hidden by Airbnb)`\n* Techniques allowing you to view user profile photos (these are considered public)\n\n## Applicable to HotelTonight\n* `hoteltonight.com`\n* `hoteltonight.build`\n* Our partners site (`partners.hoteltonight.com`)\n* iOS mobile app\n* Single Sign On (Google or Facebook). This doesn’t work reliably on our staging environment\n* Do not send questions/requests to their customer support team for help with your testing. 
This is considered an interruption to the business. \n\n## Applicable to Luckey Homes\n* Do not send questions/requests to their customer support team. This is considered an interruption to the business. You must also follow Airbnb's General Program Rules (listed above).\n\n# Eligibility\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n# Rewards\nOur maximum bounty is $15,000 USD. \nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. 
The following table outlines the average rewards for specific classes of vulnerabilities:\n\n|Vulnerability Type|Average Bounty for high-priority asset|Average Bounty for lower-priority asset|\n|-------------------|-----------------|-----------------|\n| Remote Code Execution (RCE) | $15,000 | $5,000 |\n| SQL Injection | $10,000 | $3,000 |\n| Significant Authentication Bypass | $5,000 | $1,500 |\n| Server Side Request Forgery (SSRF) | $3,500 | $1,000 |\n| Local File Inclusion | $2,500 | $750 |\n| Stored Cross Site Scripting | $3,500 | $500 |\n| Reflected/Other Cross Site Scripting | $2,500 | $500 |\n| Self Cross Site Scripting | $500 | $150 |\n| Sensitive Data Exposure | $1,500 | $500 |\n| Authorization Flaw | $1,500 | $500 |\n| Cross-Site Request Forgery (CSRF) | $1,500 | $500 |\n| Open Redirect on Sensitive Parameter | $1,500 | $500 |\n| Insecure Direct Object Reference (IDOR) | $1,500 | $300 |\n| Open Redirect | $500 | $150 |\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data. 
Assets listed as \"low-priority\" in the program scope will generally receive a significantly lower bounty compared to the values on the table above.\n\n# Other Information\n* [Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n* [Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-09-18T23:29:02.734Z"},{"id":3636726,"new_policy":"Welcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or access other user’s data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. 
Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](https://hackerone.com/googleplay).\n\n# Table of Contents\n* Program Scope\n    * Highest Impact Scope\n    * Lower Impact Scope\n* Special Testing Requirements\n    * Luckey Testing Requirements\n    * HotelTonight Testing Requirements\n    * Urbandoor Testing Requirements\n* Program Rules\n* Out of Scope Vulnerabilities (no reward)\n    * Applicable to HotelTonight\n    * Applicable to Luckey Homes\n* Eligibility\n* Rewards\n* Other Information\n\n# Program Scope\n## Highest Impact Scope\n* `*.airbnb.com`\n* All localized airbnb sites (e.g., `es.airbnb.com`, `it.airbnb.com`)\n* [Airbnb iOS app](https://apps.apple.com/us/app/airbnb/id401626263)\n* [Airbnb Android app](https://play.google.com/store/apps/details?id=com.airbnb.android)\n\n## Lower Impact Scope\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. 
The bounties given for reports on these properties will therefore be significantly lower.\n\n* `*.atairbnb.com`\n* `*.withairbnb.com`\n* `*.airbnbcitizen.com`\n* `*.byairbnb.com`\n* `*.muscache.com`\n* `*.airbnb-aws.com`\n* `*.luxuryretreats.com`\n* `*.airbnbopen.com`\n* `demo.urbandoor.com`\n* `provider.demo.urbandoor.com`\n* `admin.demo.urbandoor.com`\n* `luckey.in`\n* `luckey.fr`\n* `luckey.es`\n* `luckey.ca`\n* `luckey.app`\n* `luckey.com`\n* `luckey.partners`\n* `hoteltonight-test.com`\n* `api.hoteltonight-test.com`\n* `places.hoteltonight-test.com`\n\n# Special Testing Requirements\n\n## Luckey Testing Requirements\nHackerOne testers can only browse the public login pages. We do not provide or approve Luckey Homes test accounts.\n\nIf you create a lead (contact form, signup, or the “estimate income” modal, i.e. a POST to /new_lead), please pass an additional parameter `source` with the value `luckey_test`. This is executed at the end of the lead creation form on luckey.*.\n* If you post directly to the API endpoints, add `source=luckey_test` to your POST payload.\n* Or browse to https://luckey.fr/?utm_source=luckey_test to automatically add `source=luckey_test` to your POST payloads.\n* If you skip this Testing Requirement, you will be in violation of our program rules and not eligible for a bounty reward.\n\nThe above steps do not result in a test account. They simply allow you to test some functionality without causing disruption to our internal business support team.\n\n## HotelTonight Testing Requirements\nResearchers can create customer accounts and book hotel rooms (test bookings) using a fake credit card on our staging environment, which doesn’t send out any email notifications (activation or confirmation) to customers. 
\n\nHotel Tonight Mobile Web App\n* Accessible from https://www.hoteltonight-test.com (if using a desktop browser, note that you will need to use a mobile user-agent or Chrome developer tools to view the mobile site)\n\nHotel Tonight Mobile APIs\nMobile APIs that power our mobile apps are located at:\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\nHotel Tonight Cities and Inventory\nOn our staging environment, you should search for the following cities to look for hotels:\n* San Francisco\n* Las Vegas\n* New York City\n\nHotel Tonight Access\nYou can create customer accounts using your emails (no activation emails will be sent), and use the following credit card to test-book a hotel room: 4111111111111111 (Visa) with any expiration date in the future. Additional test payment methods are available at https://developers.braintreepayments.com/reference/general/testing/ruby#credit-card-numbers (use only American Express, Discover, JCB, Mastercard, or Visa). Test bookings are not real bookings. We also suppress all emails for test bookings, so no email receipts will be sent to whatever email address is entered.\n\nHotel Tonight Credentials\nResearchers will need to self-provision the customer accounts by signing up using their email on our mobile web app. You will not get any activation email from our staging environment.\n\n## Urbandoor Testing Requirements\nDo NOT create requests and bookings at www.urbandoor.com or other Urbandoor environments. We no longer approve or provide test accounts, requests or bookings in any Urbandoor environment. You may browse our demo environments for vulnerabilities, but we no longer have a test account creation workflow. \n\n# Program Rules\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through HackerOne. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n* No testing on real user data is permitted for any Urbandoor, Hotel Tonight, or Gaest assets. \n\n# Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario, exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses (evading the `(Hidden by Airbnb)` filter)\n* Techniques allowing you to view user profile photos (these are considered public)\n\n## Applicable to HotelTonight\n* `hoteltonight.com`\n* `hoteltonight.build`\n* Our partners site (`partners.hoteltonight.com`)\n* iOS mobile app\n* Single Sign On (Google or Facebook). This doesn’t work reliably on our staging environment\n* Do not send questions/requests to their customer support team for help with your testing. This is considered an interruption to the business. 
\n\n## Applicable to Luckey Homes\n* Do not send questions/requests to their customer support team. This is considered an interruption to the business. You must also follow Airbnb's General Program Rules (listed above).\n\n# Eligibility\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n# Rewards\nOur maximum bounty is $15,000 USD. \nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. 
The following table outlines the average rewards for specific classes of vulnerabilities:\n\n|Vulnerability Type|Average Bounty for high-priority asset|Average Bounty for lower-priority asset|\n|-------------------|-----------------|-----------------|\n| Remote Code Execution (RCE) | $15,000 | $5,000 |\n| SQL Injection | $10,000 | $3,000 |\n| Significant Authentication Bypass | $5,000 | $1,500 |\n| Server Side Request Forgery (SSRF) | $3,500 | $1,000 |\n| Local File Inclusion | $2,500 | $750 |\n| Stored Cross Site Scripting | $3,500 | $500 |\n| Reflected/Other Cross Site Scripting | $2,500 | $500 |\n| Self Cross Site Scripting | $500 | $150 |\n| Sensitive Data Exposure | $1,500 | $500 |\n| Authorization Flaw | $1,500 | $500 |\n| Cross-Site Request Forgery (CSRF) | $1,500 | $500 |\n| Open Redirect on Sensitive Parameter | $1,500 | $500 |\n| Insecure Direct Object Reference (IDOR) | $1,500 | $300 |\n| Open Redirect | $500 | $150 |\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data. 
Assets listed as \"low-priority\" in the program scope will generally receive a significantly lower bounty compared to the values on the table above.\n\n# Other Information\n* [Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n* [Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-05-27T17:19:15.384Z"},{"id":3635866,"new_policy":"Welcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or access other user’s data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. 
Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](https://hackerone.com/googleplay).\n\n# Table of Contents\n* Program Scope\n    * Highest Impact Scope\n    * Lower Impact Scope\n* Special Testing Requirements\n    * Luckey Testing Requirements\n    * HotelTonight Testing Requirements\n    * Urbandoor Testing Requirements\n* Program Rules\n* Out of Scope Vulnerabilities (no reward)\n    * Applicable to HotelTonight\n    * Applicable to Luckey Homes\n* Eligibility\n* Rewards\n* Other Information\n\n# Program Scope\n## Highest Impact Scope\n* `*.airbnb.com`\n* All localized airbnb sites (e.g., `es.airbnb.com`, `it.airbnb.com`)\n* [Airbnb iOS app](https://apps.apple.com/us/app/airbnb/id401626263)\n* [Airbnb Android app](https://play.google.com/store/apps/details?id=com.airbnb.android)\n\n## Lower Impact Scope\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. 
The bounties given for reports on these properties will therefore be significantly lower.\n\n* `*.atairbnb.com`\n* `*.withairbnb.com`\n* `*.airbnbcitizen.com`\n* `*.byairbnb.com`\n* `*.muscache.com`\n* `*.airbnb-aws.com`\n* `*.luxuryretreats.com`\n* `*.airbnbopen.com`\n* `demo.urbandoor.com`\n* `provider.demo.urbandoor.com`\n* `admin.demo.urbandoor.com`\n* `luckey.in`\n* `luckey.fr`\n* `luckey.es`\n* `luckey.ca`\n* `luckey.app`\n* `luckey.com`\n* `hoteltonight-test.com`\n* `api.hoteltonight-test.com`\n* `places.hoteltonight-test.com`\n\n# Special Testing Requirements\n\n## Luckey Testing Requirements\nHackerOne testers can only browse the public login pages. We do not provide or approve Luckey Homes test accounts.\n\nIf you create a lead (contact form, signup, or the “estimate income” modal, i.e. a POST to /new_lead), please pass an additional parameter `source` with the value `luckey_test`. This is executed at the end of the lead creation form on luckey.*.\n* If you post directly to the API endpoints, add `source=luckey_test` to your POST payload.\n* Or browse to https://luckey.fr/?utm_source=luckey_test to automatically add `source=luckey_test` to your POST payloads.\n* If you skip this Testing Requirement, you will be in violation of our program rules and not eligible for a bounty reward.\n\nThe above steps do not result in a test account. They simply allow you to test some functionality without causing disruption to our internal business support team.\n\n## HotelTonight Testing Requirements\nResearchers can create customer accounts and book hotel rooms (test bookings) using a fake credit card on our staging environment, which doesn’t send out any email notifications (activation or confirmation) to customers. 
\n\nHotel Tonight Mobile Web App\n* Accessible from https://www.hoteltonight-test.com (if using a desktop browser, note that you will need to use a mobile user-agent or Chrome developer tools to view the mobile site)\n\nHotel Tonight Mobile APIs\nMobile APIs that power our mobile apps are located at:\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\nHotel Tonight Cities and Inventory\nOn our staging environment, you should search for the following cities to look for hotels:\n* San Francisco\n* Las Vegas\n* New York City\n\nHotel Tonight Access\nYou can create customer accounts using your emails (no activation emails will be sent), and use the following credit card to test-book a hotel room: 4111111111111111 (Visa) with any expiration date in the future. Additional test payment methods are available at https://developers.braintreepayments.com/reference/general/testing/ruby#credit-card-numbers (use only American Express, Discover, JCB, Mastercard, or Visa). Test bookings are not real bookings. We also suppress all emails for test bookings, so no email receipts will be sent to whatever email address is entered.\n\nHotel Tonight Credentials\nResearchers will need to self-provision the customer accounts by signing up using their email on our mobile web app. You will not get any activation email from our staging environment.\n\n## Urbandoor Testing Requirements\nDo NOT create requests and bookings at www.urbandoor.com or other Urbandoor environments. We no longer approve or provide test accounts, requests or bookings in any Urbandoor environment. You may browse our demo environments for vulnerabilities, but we no longer have a test account creation workflow. \n\n# Program Rules\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through HackerOne. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n* No testing on real user data is permitted for any Urbandoor, Hotel Tonight, or Gaest assets. \n\n# Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario, exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses (evading the `(Hidden by Airbnb)` filter)\n* Techniques allowing you to view user profile photos (these are considered public)\n\n## Applicable to HotelTonight\n* `hoteltonight.com`\n* `hoteltonight.build`\n* Our partners site (`partners.hoteltonight.com`)\n* iOS mobile app\n* Single Sign On (Google or Facebook). This doesn’t work reliably on our staging environment\n* Do not send questions/requests to their customer support team for help with your testing. This is considered an interruption to the business. 
\n\n## Applicable to Luckey Homes\n* Do not send questions/requests to their customer support team. This is considered an interruption to the business. You must also follow Airbnb's General Program Rules (listed above).\n\n# Eligibility\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n# Rewards\nOur maximum bounty is $15,000 USD. \nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. 
The following table outlines the average rewards for specific classes of vulnerabilities:\n\n|Vulnerability Type|Average Bounty for high-priority asset|Average Bounty for lower-priority asset|\n|-------------------|-----------------|-----------------|\n| Remote Code Execution (RCE) | $15,000 | $5,000 |\n| SQL Injection | $10,000 | $3,000 |\n| Significant Authentication Bypass | $5,000 | $1,500 |\n| Server Side Request Forgery (SSRF) | $3,500 | $1,000 |\n| Local file Inclusion | $2,500 | $750 |\n| Stored Cross Site Scripting | $3,500 | $500 |\n| Reflected/Other Cross Site Scripting | $2,500 | $500 |\n| Self Cross Site Scripting | $500 | $150|\n| Sensitive Data Exposure| $1,500 | $500 |\n| Authorization Flaw | $1,500 | $500 |\n| Cross-Site Request Forgery (CSRF) | $1,500| $500 |\n| Open Redirect on Sensitive Parameter | $1,500 | $500 |\n| Improper Direct Object Reference (IDOR) | $1,500 | $300 |\n| Open Redirect | $500 | $150 |\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data. 
Assets listed as \"low-priority\" in the program scope will generally receive a significantly lower bounty compared to the values on the table above.\n\n# Other Information\n* [Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n* [Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-05-05T21:52:33.480Z"},{"id":3635860,"new_policy":"Welcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or access other user’s data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. 
Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](https://hackerone.com/googleplay).\n\n# Table of Contents\n* Program Scope\n    * Highest Impact Scope\n    * Lower Impact Scope\n* Special Testing Requirements\n    * Luckey Testing Requirements\n    * HotelTonight Testing Requirements\n    * Urbandoor Testing Requirements\n* Program Rules\n* Out of Scope Vulnerabilities (no reward)\n    * Applicable to HotelTonight\n    * Applicable to Luckey Homes\n* Eligibility\n* Rewards\n* Other Information\n\n# Program Scope\n## Highest Impact Scope\n* `*.airbnb.com`\n* All localized airbnb sites (e.g., `es.airbnb.com`, `it.airbnb.com`)\n* [Airbnb iOS app](https://apps.apple.com/us/app/airbnb/id401626263)\n* [Airbnb Android app](https://play.google.com/store/apps/details?id=com.airbnb.android)\n\n## Lower Impact Scope\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. 
The bounties given for reports on these properties will therefore be significantly lower.\n\n* `*.atairbnb.com`\n* `*.withairbnb.com`\n* `*.airbnbcitizen.com`\n* `*.byairbnb.com`\n* `*.muscache.com`\n* `*.airbnb-aws.com`\n* `*.luxuryretreats.com`\n* `*.airbnbopen.com`\n* `demo.urbandoor.com`\n* `provider.demo.urbandoor.com`\n* `admin.demo.urbandoor.com`\n* `luckey.in`\n* `luckey.fr`\n* `luckey.es`\n* `luckey.ca`\n* `luckey.app`\n* `luckey.com`\n* `hoteltonight-test.com`\n* `api.hoteltonight-test.com`\n* `places.hoteltonight-test.com`\n\n# Special Testing Instructions\n\n## Luckey Testing Requirements\nHackerone testers can only browse the public login pages. We do not provide or approve Luckey Homes test accounts.\n\nIf you create a lead (contact form, signup, or the “estimate income” modal, i.e. a POST to /new_lead), please pass an additional parameter `source` with the value `luckey_test`. This is executed at the end of the lead creation form on luckey.*.\n* If you post directly to the API endpoints, then add `source=luckey_test` to your POST payload.\n* Or browse to https://luckey.fr/?utm_source=luckey_test to automatically add `source=luckey_test` to your POST payloads.\n* If you skip this Testing Requirement, then you will be in violation of our program rules and not eligible for a bounty reward.\n\nThe above steps do not result in a test account. They simply allow you to test some functionality without causing disruption to our internal business support team.\n\n## HotelTonight Testing Requirements\nResearchers can create customer accounts and book hotel rooms (test bookings) using a fake credit card on our staging environment, which doesn’t send out any email notifications (activation or confirmation) to customers. 
\n\nHotel Tonight Mobile Web App\n* Accessible from https://www.hoteltonight-test.com (if using a desktop browser, note that you will need to use a mobile user-agent or Chrome developer tools to view the mobile site)\n\nHotel Tonight Mobile APIs\nMobile APIs that power our mobile apps are located at:\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\nHotel Tonight Cities and Inventory\nOn our staging environment, you should search for the following cities to look for hotels:\n* San Francisco\n* Las Vegas\n* New York City\n\nHotel Tonight Access\nYou can create customer accounts using your email addresses (no activation emails will be sent), and use the following credit card for a test booking of a hotel room: 4111111111111111 (Visa) with any expiration date in the future. Additional test payment methods are available at https://developers.braintreepayments.com/reference/general/testing/ruby#credit-card-numbers (use only American Express, Discover, JCB, Mastercard, or Visa). None of the test bookings are real bookings. We also suppress all emails for test bookings, so no email receipts will be sent to whatever email address is entered.\n\nHotel Tonight Credentials\nResearchers will need to self-provision the customer accounts by signing up using their email on our mobile web app. You will not get any activation email from our staging environment.\n\n## Urbandoor Testing Requirements\nOnly create accounts, requests and bookings in the demo environment. Do not create requests and bookings at www.urbandoor.com or other production environments. Any property listings in demo are fine to book. You can use the Stripe test cards in the demo environment: https://stripe.com/docs/testing#cards\n\n# Program Rules\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through Hackerone. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n* No testing on real user data permitted for any Urbandoor, Hotel Tonight, or Gaest assets. \n\n# Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario, exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses (evading the `(Hidden by Airbnb)` filter)\n* Techniques allowing you to view user profile photos (these are considered public)\n\n## Applicable to HotelTonight\n* `hoteltonight.com`\n* `hoteltonight.build`\n* Our partners site (`partners.hoteltonight.com`)\n* iOS mobile app\n* Single Sign On (Google or Facebook). This doesn’t work reliably on our staging environment\n* Do not send questions/requests to their customer support team for help with your testing. This is considered an interruption to the business. 
\n\n## Applicable to Luckey Homes\n* Do not send questions/requests to their customer support team. This is considered an interruption to the business. You must also follow Airbnb's General Program Rules (listed above).\n\n# Eligibility\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n# Rewards\nOur maximum bounty is $15,000 USD. \nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. 
The following table outlines the average rewards for specific classes of vulnerabilities:\n\n|Vulnerability Type|Average Bounty for high-priority asset|Average Bounty for lower-priority asset|\n|-------------------|-----------------|-----------------|\n| Remote Code Execution (RCE) | $15,000 | $5,000 |\n| SQL Injection | $10,000 | $3,000 |\n| Significant Authentication Bypass | $5,000 | $1,500 |\n| Server Side Request Forgery (SSRF) | $3,500 | $1,000 |\n| Local file Inclusion | $2,500 | $750 |\n| Stored Cross Site Scripting | $3,500 | $500 |\n| Reflected/Other Cross Site Scripting | $2,500 | $500 |\n| Self Cross Site Scripting | $500 | $150|\n| Sensitive Data Exposure| $1,500 | $500 |\n| Authorization Flaw | $1,500 | $500 |\n| Cross-Site Request Forgery (CSRF) | $1,500| $500 |\n| Open Redirect on Sensitive Parameter | $1,500 | $500 |\n| Improper Direct Object Reference (IDOR) | $1,500 | $300 |\n| Open Redirect | $500 | $150 |\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data. 
Assets listed as \"low-priority\" in the program scope will generally receive a significantly lower bounty compared to the values on the table above.\n\n# Other Information\n* [Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n* [Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-05-05T17:07:45.305Z"},{"id":3634482,"new_policy":"Welcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or access other user’s data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. 
Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the [Google Play Security Rewards Program’s Scope and Vulnerability Criteria](https://hackerone.com/googleplay).\n\n# Table of Contents\n* Program Scope\n    * Highest Impact Scope\n    * Lower Impact Scope\n* Special Testing Requirements\n    * Luckey Testing Requirements\n    * HotelTonight Testing Requirements\n    * Urbandoor Testing Requirements\n* Program Rules\n* Out of Scope Vulnerabilities (no reward)\n    * Applicable to HotelTonight\n    * Applicable to Luckey Homes\n* Eligibility\n* Rewards\n* Other Information\n\n# Program Scope\n## Highest Impact Scope\n* `*.airbnb.com`\n* All localized airbnb sites (e.g., `es.airbnb.com`, `it.airbnb.com`)\n* [Airbnb iOS app](https://apps.apple.com/us/app/airbnb/id401626263)\n* [Airbnb Android app](https://play.google.com/store/apps/details?id=com.airbnb.android)\n\n## Lower Impact Scope\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. 
The bounties given for reports on these properties will therefore be significantly lower.\n\n* `*.atairbnb.com`\n* `*.withairbnb.com`\n* `*.airbnbcitizen.com`\n* `*.byairbnb.com`\n* `*.muscache.com`\n* `*.airbnb-aws.com`\n* `*.luxuryretreats.com`\n* `*.airbnbopen.com`\n* `demo.urbandoor.com`\n* `provider.demo.urbandoor.com`\n* `admin.demo.urbandoor.com`\n* `luckey.in`\n* `luckey.fr`\n* `luckey.app`\n* `luckeyhomes.com`\n* `hoteltonight-test.com`\n* `api.hoteltonight-test.com`\n* `places.hoteltonight-test.com`\n\n# Special Testing Instructions\n\n## Luckey Testing Requirements\nIf you create a lead (contact form, signup, or the “estimate income” modal, i.e. a POST to /new_lead), please pass an additional parameter `source` with the value `luckey_test`. This is executed at the end of the lead creation form on luckey.fr/luckey.com.\n* If you post directly to the API endpoints, then add `source=luckey_test` to your POST payload.\n* Or browse to https://luckey.fr/?utm_source=luckey_test to automatically add `source=luckey_test` to your POST payloads.\n* If you skip this Testing Requirement, then you will be in violation of our program rules and not eligible for a bounty reward.\n\n## HotelTonight Testing Requirements\nResearchers can create customer accounts and book hotel rooms (test bookings) using a fake credit card on our staging environment, which doesn’t send out any email notifications (activation or confirmation) to customers. 
\n\nHotel Tonight Mobile Web App\n* Accessible from https://www.hoteltonight-test.com (if using a desktop browser, note that you will need to use a mobile user-agent or Chrome developer tools to view the mobile site)\n\nHotel Tonight Mobile APIs\nMobile APIs that power our mobile apps are located at:\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\nHotel Tonight Cities and Inventory\nOn our staging environment, you should search for the following cities to look for hotels:\n* San Francisco\n* Las Vegas\n* New York City\n\nHotel Tonight Access\nYou can create customer accounts using your email addresses (no activation emails will be sent), and use the following credit card for a test booking of a hotel room: 4111111111111111 (Visa) with any expiration date in the future. Additional test payment methods are available at https://developers.braintreepayments.com/reference/general/testing/ruby#credit-card-numbers (use only American Express, Discover, JCB, Mastercard, or Visa). None of the test bookings are real bookings. We also suppress all emails for test bookings, so no email receipts will be sent to whatever email address is entered.\n\nHotel Tonight Credentials\nResearchers will need to self-provision the customer accounts by signing up using their email on our mobile web app. You will not get any activation email from our staging environment.\n\n## Urbandoor Testing Requirements\nOnly create accounts, requests and bookings in the demo environment. Do not create requests and bookings at www.urbandoor.com or other production environments. Any property listings in demo are fine to book. You can use the Stripe test cards in the demo environment: https://stripe.com/docs/testing#cards\n\n# Program Rules\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through Hackerone. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n* No testing on real user data permitted for any Urbandoor, Hotel Tonight, or Gaest assets. \n\n# Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider the attack scenario, exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses (evading the `(Hidden by Airbnb)` filter)\n* Techniques allowing you to view user profile photos (these are considered public)\n\n## Applicable to HotelTonight\n* `hoteltonight.com`\n* `hoteltonight.build`\n* Our partners site (`partners.hoteltonight.com`)\n* iOS mobile app\n* Single Sign On (Google or Facebook). This doesn’t work reliably on our staging environment\n* Do not send questions/requests to their customer support team for help with your testing. This is considered an interruption to the business. 
\n\n## Applicable to Luckey Homes\n* Do not send questions/requests to their customer support team. This is considered an interruption to the business. You must also follow Airbnb's General Program Rules (listed above).\n\n# Eligibility\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n# Rewards\nOur maximum bounty is $15,000 USD. \nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. 
The following table outlines the average rewards for specific classes of vulnerabilities:\n\n|Vulnerability Type|Average Bounty for high-priority asset|Average Bounty for lower-priority asset|\n|-------------------|-----------------|-----------------|\n| Remote Code Execution (RCE) | $15,000 | $5,000 |\n| SQL Injection | $10,000 | $3,000 |\n| Significant Authentication Bypass | $5,000 | $1,500 |\n| Server Side Request Forgery (SSRF) | $3,500 | $1,000 |\n| Local file Inclusion | $2,500 | $750 |\n| Stored Cross Site Scripting | $3,500 | $500 |\n| Reflected/Other Cross Site Scripting | $2,500 | $500 |\n| Self Cross Site Scripting | $500 | $150|\n| Sensitive Data Exposure| $1,500 | $500 |\n| Authorization Flaw | $1,500 | $500 |\n| Cross-Site Request Forgery (CSRF) | $1,500| $500 |\n| Open Redirect on Sensitive Parameter | $1,500 | $500 |\n| Improper Direct Object Reference (IDOR) | $1,500 | $300 |\n| Open Redirect | $500 | $150 |\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data. 
Assets listed as \"low-priority\" in the program scope will generally receive a significantly lower bounty compared to the values on the table above.\n\n# Other Information\n* [Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n* [Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-04-01T20:53:44.031Z"},{"id":3628224,"new_policy":"Welcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or access other user’s data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. 
Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\n#Table of Contents#\n* In Scope Properties\n* Properties With Less Impact\n* Out of Scope Vulnerabilities (no reward)\n* Eligibility\n* Program Rules\n* Rewards\n\n\n#In Scope Properties#\nwww.airbnb.com\nnext.airbnb.com\napi.airbnb.com\nsupport-api.airbnb.com\nassets.airbnb.com\nm.airbnb.com\nomgpro.airbnb.com\none.airbnb.com\ncallbacks.airbnb.com\n*.airbnb.com\nAll localized airbnb sites\nAirbnb iOS app\nAirbnb Android app\n\n#Properties With Lower Impact#\n* *.atairbnb.com\n* *.withairbnb.com\n* *.airbnbcitizen.com\n* *.byairbnb.com\n* *.muscache.com\n* *.airbnb-aws.com\n* *.luxuryretreats.com\n* *.airbnbopen.com\n* Luxury Retreats iOS app\n* luckey.in (see testing requirement below)\n* luckey.fr (see testing requirement below)\n* luckey.app (see testing requirement below)\n* luckeyhomes.com (see testing requirement below)\n* hoteltonight-test.com\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n* demo.urbandoor.com \n* provider.demo.urbandoor.com\n* admin.demo.urbandoor.com\n\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. 
The bounties given for reports on these properties will therefore be significantly lower.\n\n# LUCKEY HOMES TESTING REQUIREMENT:\nIf you create a lead (contact form, signup, or the “estimate income” modal, i.e. a POST to /new_lead), please pass an additional parameter source with the value luckey_test. This is executed at the end of the lead creation form on luckey.fr/luckey.com.\n* If you post directly to the API endpoints, then add source=luckey_test to your POST payload.\n* Or browse to https://luckey.fr/?utm_source=luckey_test to automatically add source=luckey_test to your POST payloads. \n\n* If you skip this Testing Requirement, then you will be in violation of our program rules and not eligible for a bounty reward. \n\nLuckey Homes Out of Scope:\n* Do not send questions/requests to their customer support team. This is considered an interruption to the business. You must also follow Airbnb's General Program Rules. See below for more info.\n\n# HOTEL TONIGHT Scope:\n* hoteltonight-test.com\n\nResearchers can create customer accounts and book hotel rooms (test bookings) using a fake credit card on our staging environment, which doesn’t send out any email notifications (activation or confirmation) to customers. \n\nHotel Tonight Mobile Web App\n* Accessible from https://www.hoteltonight-test.com (if using a desktop browser, note that you will need to use a mobile user-agent or Chrome developer tools to view the mobile site)\n\nHotel Tonight Mobile APIs\nMobile APIs that power our mobile apps are located at:\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\nHotel Tonight Android Native App\nHere is a link to the most recent Android APK (points to our test environment):\nhttps://hoteltonight.egnyte.com/dl/h8A56C0pQu/hotel-tonight-standard-debug.apk_\n\nOur Android app is full-featured compared to our Mobile Web App. 
\n*It is highly recommended that you use the Android app to test multiple endpoints and features for any security vulnerabilities.*\n\nSome features that are not part of Mobile Web, but are available in the Android app, are:\n* Using coupons and promotion codes\n* Favorite a hotel and look at your favorites\n* Escape feature\n* Leave a review for a hotel after booking\n\nHotel Tonight Cities and Inventory\nOn our staging environment, search for the following cities to find hotels:\n* San Francisco\n* Las Vegas\n* New York City\n\nHotel Tonight Access\nYou will have access to our Android staging build. You can create customer accounts using your own email addresses (no activation emails will be sent), and use the following credit card to test-book a hotel room: 4111111111111111 (Visa) with any expiration date in the future. Additional test payment methods are available at https://developers.braintreepayments.com/reference/general/testing/ruby#credit-card-numbers (use only American Express, Discover, JCB, Mastercard, or Visa). Test bookings are not real bookings. We also suppress all emails for test bookings, so no email receipts will be sent to whatever email address is entered.\n\nWe will be running this program on our staging environment - you are allowed to scan the environment and create multiple customer accounts for testing purposes.\n\nHotel Tonight Credentials\nResearchers will need to self-provision customer accounts by signing up with their email on our Android app or mobile web app. You will not get any activation email from our staging environment.\n \n# Hotel Tonight Out of Scope\nIn addition to Airbnb’s Out of Scope, the following properties are out of scope as well:\n* hoteltonight.com\n* hoteltonight.build\n* Our partners site (partners.hoteltonight.com)\n* iOS mobile app.\n* Single Sign On (Google or Facebook). 
This doesn’t work reliably on our staging environment.\n* Do not send questions/requests to their customer support team for help with your testing. This is considered an interruption to the business.\n\nFor the Android app, the following is out of scope as these features do not work on the Android test build:\n* FB/Google Login\n* Android Pay\n* PayPal (probably)\n* This build won't receive proper push notifications\n\n# URBANDOOR Scope: \n* demo.urbandoor.com\n* provider.demo.urbandoor.com\n* admin.demo.urbandoor.com\n\n# IMPORTANT RULE REMINDERS: \n* No testing on real user data is permitted for any Urbandoor, Hotel Tonight, or Gaest assets.\n* No exceptions. Do not contact real hosts, guests, or users.\n* Create your own test user accounts and test with your own data only.\n\nOnly create accounts, requests and bookings in the demo environment. Do not create requests and bookings at www.urbandoor.com or other production environments. Any property listings in demo are fine to book. You can use the Stripe test cards in the demo environment: https://stripe.com/docs/testing#cards\n\n#Out of Scope Vulnerabilities:#\nWhen reporting vulnerabilities, please consider the attack scenario / exploitability, and security impact of the bug. 
The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses (evading the `(Hidden by Airbnb)` filter)\n* Techniques allowing you to view user profile photos (these are considered public)\n\n#Eligibility#\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n#General Program Rules:#\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through HackerOne. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\n#Rewards#\nOur maximum bounty is $15,000 USD. \nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. The following table outlines the average rewards for specific classes of vulnerabilities:\n\n| Vulnerability Type | Average Bounty for high-priority asset | Average Bounty for lower-priority asset |\n|-------------------|-----------------|-----------------|\n| Remote Code Execution (RCE) | $15,000 | $5,000 |\n| SQL Injection | $10,000 | $3,000 |\n| Significant Authentication Bypass | $5,000 | $1,500 |\n| Server Side Request Forgery (SSRF) | $3,500 | $1,000 |\n| Local File Inclusion | $2,500 | $750 |\n| Stored Cross Site Scripting | $3,500 | $500 |\n| Reflected/Other Cross Site Scripting | $2,500 | $500 |\n| Self Cross Site Scripting | $500 | $150 |\n| Sensitive Data Exposure | $1,500 | $500 |\n| Authorization Flaw | $1,500 | $500 |\n| Cross-Site Request Forgery (CSRF) | $1,500 | $500 |\n| Open Redirect on Sensitive Parameter | $1,500 | $500 |\n| Insecure Direct Object Reference (IDOR) | $1,500 | $300 |\n| Open Redirect | $500 | $150 |\n\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. 
Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data. Assets listed as \"low-priority\" in the program scope will generally receive a significantly lower bounty compared to the values on the table above.\n\n#Misc#\n[Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n[Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-01-13T22:39:24.937Z"},{"id":3628222,"new_policy":"Welcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. 
Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or accesses other users’ data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\n#Table of Contents#\n* In Scope Properties\n* Properties With Lower Impact\n* Out of Scope Vulnerabilities (no reward)\n* Eligibility\n* Program Rules\n* Rewards\n\n\n#In Scope Properties#\n* www.airbnb.com\n* next.airbnb.com\n* api.airbnb.com\n* support-api.airbnb.com\n* assets.airbnb.com\n* m.airbnb.com\n* omgpro.airbnb.com\n* one.airbnb.com\n* callbacks.airbnb.com\n* *.airbnb.com\n* All localized airbnb sites\n* Airbnb iOS app\n* Airbnb Android app\n\n#Properties With Lower Impact#\n* *.atairbnb.com\n* *.withairbnb.com\n* *.airbnbcitizen.com\n* *.byairbnb.com\n* *.muscache.com\n* *.airbnb-aws.com\n* *.luxuryretreats.com\n* *.airbnbopen.com\n* Luxury Retreats iOS app\n* luckey.in (see testing requirement below)\n* luckey.fr (see testing requirement below)\n* luckey.app (see testing requirement below)\n* luckeyhomes.com (see testing requirement below)\n* hoteltonight-test.com\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\nThese properties are considered to 
have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. The bounties given for reports on these properties will therefore be significantly lower.\n\n# LUCKEY HOMES TESTING REQUIREMENT:\nIf you create a lead (contact form, signup, or the “estimate income” modal, i.e. a POST to /new_lead), please pass an additional parameter “source” with the value “luckey_test”. This is executed at the end of the lead creation form on luckey.fr/luckey.com.\n* If you post directly to the API endpoints, add source=luckey_test to your POST payload.\n* Or browse to https://luckey.fr/?utm_source=luckey_test to automatically add source=luckey_test to your POST payloads.\n\n* If you skip this testing requirement, you will be in violation of our program rules and not eligible for a bounty reward.\n\nLuckey Homes Out of Scope:\n* Do not send questions/requests to their customer support team. This is considered an interruption to the business. You must also follow Airbnb's General Program Rules. See below for more info.\n\n# HOTEL TONIGHT Scope:\n* hoteltonight-test.com\n\nResearchers can create customer accounts and book hotel rooms (test bookings) using a fake credit card on our staging environment, which doesn’t send out any email notifications (activation or confirmation) to customers.\n\nHotel Tonight Mobile Web App\n* Accessible from https://www.hoteltonight-test.com (if using a desktop browser, note that you will need to use a mobile user-agent or Chrome developer tools to view the mobile site)\n\nHotel Tonight Mobile APIs\nMobile APIs that power our mobile apps are located at:\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\nHotel Tonight Android Native App\nHere is a link to the most recent Android APK (points to our test environment):\nhttps://hoteltonight.egnyte.com/dl/h8A56C0pQu/hotel-tonight-standard-debug.apk_\n\nOur Android app is full-featured compared to our Mobile Web App. 
\n*It is highly recommended that you use the Android app to test multiple endpoints and features for any security vulnerabilities.*\n\nSome features that are not part of Mobile Web, but are available in the Android app, are:\n* Using coupons and promotion codes\n* Favorite a hotel and look at your favorites\n* Escape feature\n* Leave a review for a hotel after booking\n\nHotel Tonight Cities and Inventory\nOn our staging environment, search for the following cities to find hotels:\n* San Francisco\n* Las Vegas\n* New York City\n\nHotel Tonight Access\nYou will have access to our Android staging build. You can create customer accounts using your own email addresses (no activation emails will be sent), and use the following credit card to test-book a hotel room: 4111111111111111 (Visa) with any expiration date in the future. Additional test payment methods are available at https://developers.braintreepayments.com/reference/general/testing/ruby#credit-card-numbers (use only American Express, Discover, JCB, Mastercard, or Visa). Test bookings are not real bookings. We also suppress all emails for test bookings, so no email receipts will be sent to whatever email address is entered.\n\nWe will be running this program on our staging environment - you are allowed to scan the environment and create multiple customer accounts for testing purposes.\n\nHotel Tonight Credentials\nResearchers will need to self-provision customer accounts by signing up with their email on our Android app or mobile web app. You will not get any activation email from our staging environment.\n \n# Hotel Tonight Out of Scope\nIn addition to Airbnb’s Out of Scope, the following properties are out of scope as well:\n* hoteltonight.com\n* hoteltonight.build\n* Our partners site (partners.hoteltonight.com)\n* iOS mobile app.\n* Single Sign On (Google or Facebook). 
This doesn’t work reliably on our staging environment.\n* Do not send questions/requests to their customer support team for help with your testing. This is considered an interruption to the business.\n\nFor the Android app, the following is out of scope as these features do not work on the Android test build:\n* FB/Google Login\n* Android Pay\n* PayPal (probably)\n* This build won't receive proper push notifications\n\n# URBANDOOR Scope: \n* demo.urbandoor.com\n* provider.demo.urbandoor.com\n* admin.demo.urbandoor.com\n\n# IMPORTANT RULE REMINDERS: \n* No testing on real user data is permitted for any Urbandoor, Hotel Tonight, or Gaest assets.\n* No exceptions. Do not contact real hosts, guests, or users.\n* Create your own test user accounts and test with your own data only.\n\nOnly create accounts, requests and bookings in the demo environment. Do not create requests and bookings at www.urbandoor.com or other production environments. Any property listings in demo are fine to book. You can use the Stripe test cards in the demo environment: https://stripe.com/docs/testing#cards\n\n#Out of Scope Vulnerabilities:#\nWhen reporting vulnerabilities, please consider the attack scenario / exploitability, and security impact of the bug. 
The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses (evading the `(Hidden by Airbnb)` filter)\n* Techniques allowing you to view user profile photos (these are considered public)\n\n#Eligibility#\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n#General Program Rules:#\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through HackerOne. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\n#Rewards#\nOur maximum bounty is $15,000 USD. \nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. The following table outlines the average rewards for specific classes of vulnerabilities:\n\n| Vulnerability Type | Average Bounty for high-priority asset | Average Bounty for lower-priority asset |\n|-------------------|-----------------|-----------------|\n| Remote Code Execution (RCE) | $15,000 | $5,000 |\n| SQL Injection | $10,000 | $3,000 |\n| Significant Authentication Bypass | $5,000 | $1,500 |\n| Server Side Request Forgery (SSRF) | $3,500 | $1,000 |\n| Local File Inclusion | $2,500 | $750 |\n| Stored Cross Site Scripting | $3,500 | $500 |\n| Reflected/Other Cross Site Scripting | $2,500 | $500 |\n| Self Cross Site Scripting | $500 | $150 |\n| Sensitive Data Exposure | $1,500 | $500 |\n| Authorization Flaw | $1,500 | $500 |\n| Cross-Site Request Forgery (CSRF) | $1,500 | $500 |\n| Open Redirect on Sensitive Parameter | $1,500 | $500 |\n| Insecure Direct Object Reference (IDOR) | $1,500 | $300 |\n| Open Redirect | $500 | $150 |\n\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. 
Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data. Assets listed as \"low-priority\" in the program scope will generally receive a significantly lower bounty compared to the values on the table above.\n\n#Misc#\n[Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n[Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-01-13T22:33:02.935Z"},{"id":3623925,"new_policy":"Welcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. 
Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or accesses other users’ data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\n#Table of Contents#\n* In Scope Properties\n* Properties With Less Impact\n* Out of Scope Vulnerabilities (no reward)\n* Eligibility\n* Program Rules\n* Rewards\n\n\n#In Scope Properties#\n* www.airbnb.com\n* next.airbnb.com\n* api.airbnb.com\n* support-api.airbnb.com\n* assets.airbnb.com\n* m.airbnb.com\n* omgpro.airbnb.com\n* one.airbnb.com\n* callbacks.airbnb.com\n* *.airbnb.com\n* All localized airbnb sites\n* Airbnb iOS app\n* Airbnb Android app\n\n#Properties With Less Impact#\n* *.atairbnb.com\n* *.withairbnb.com\n* *.airbnbcitizen.com\n* *.byairbnb.com\n* *.muscache.com\n* *.airbnb-aws.com\n* *.luxuryretreats.com\n* *.airbnbopen.com\n* Luxury Retreats iOS app\n* luckey.in (see testing requirement below)\n* luckey.fr (see testing requirement below)\n* luckey.app (see testing requirement below)\n* luckeyhomes.com (see testing requirement below)\n* hoteltonight-test.com\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\nThese properties are considered to 
have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. The bounties given for reports on these properties will therefore be significantly lower.\n\n# LUCKEY HOMES TESTING REQUIREMENT:\nIf you create a lead (contact form, signup, or the “estimate income” modal, i.e. a POST to /new_lead), please pass an additional parameter “source” with the value “luckey_test”. This is executed at the end of the lead creation form on luckey.fr/luckey.com.\n* If you post directly to the API endpoints, add source=luckey_test to your POST payload.\n* Or browse to https://luckey.fr/?utm_source=luckey_test to automatically add source=luckey_test to your POST payloads.\n\n* If you skip this testing requirement, you will be in violation of our program rules and not eligible for a bounty reward.\n\nLuckey Homes Out of Scope:\n* Do not send questions/requests to their customer support team. This is considered an interruption to the business. You must also follow Airbnb's General Program Rules. See below for more info.\n\n# HOTEL TONIGHT Scope:\n* hoteltonight-test.com\n\nResearchers can create customer accounts and book hotel rooms (test bookings) using a fake credit card on our staging environment, which doesn’t send out any email notifications (activation or confirmation) to customers.\n\nHotel Tonight Mobile Web App\n* Accessible from https://www.hoteltonight-test.com (if using a desktop browser, note that you will need to use a mobile user-agent or Chrome developer tools to view the mobile site)\n\nHotel Tonight Mobile APIs\nMobile APIs that power our mobile apps are located at:\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\nHotel Tonight Android Native App\nHere is a link to the most recent Android APK (points to our test environment):\nhttps://hoteltonight.egnyte.com/dl/h8A56C0pQu/hotel-tonight-standard-debug.apk_\n\nOur Android app is full-featured compared to our Mobile Web App. 
\n*It is highly recommended that you use the Android app to test multiple endpoints and features for any security vulnerabilities.*\n\nSome features that are not part of Mobile Web, but are available in the Android app, are:\n* Using coupons and promotion codes\n* Favorite a hotel and look at your favorites\n* Escape feature\n* Leave a review for a hotel after booking\n\nHotel Tonight Cities and Inventory\nOn our staging environment, search for the following cities to find hotels:\n* San Francisco\n* Las Vegas\n* New York City\n\nHotel Tonight Access\nYou will have access to our Android staging build. You can create customer accounts using your own email addresses (no activation emails will be sent), and use the following credit card to test-book a hotel room: 4111111111111111 (Visa) with any expiration date in the future. Additional test payment methods are available at https://developers.braintreepayments.com/reference/general/testing/ruby#credit-card-numbers (use only American Express, Discover, JCB, Mastercard, or Visa). Test bookings are not real bookings. We also suppress all emails for test bookings, so no email receipts will be sent to whatever email address is entered.\n\nWe will be running this program on our staging environment - you are allowed to scan the environment and create multiple customer accounts for testing purposes.\n\nHotel Tonight Credentials\nResearchers will need to self-provision customer accounts by signing up with their email on our Android app or mobile web app. You will not get any activation email from our staging environment.\n \n# Hotel Tonight Out of Scope\nIn addition to Airbnb’s Out of Scope, the following properties are out of scope as well:\n* hoteltonight.com\n* hoteltonight.build\n* Our partners site (partners.hoteltonight.com)\n* iOS mobile app.\n* Single Sign On (Google or Facebook). 
This doesn’t work reliably on our staging environment.\n* Do not send questions/requests to their customer support team for help with your testing. This is considered an interruption to the business.\n\nFor the Android app, the following is out of scope as these features do not work on the Android test build:\n* FB/Google Login\n* Android Pay\n* PayPal (probably)\n* This build won't receive proper push notifications\n\n# URBANDOOR Scope: \n* demo.urbandoor.com\n* provider.demo.urbandoor.com\n* admin.demo.urbandoor.com\n\n# IMPORTANT RULE REMINDERS: \n* No testing on real user data is permitted for any Urbandoor, Hotel Tonight, or Gaest assets.\n* No exceptions. Do not contact real hosts, guests, or users.\n* Create your own test user accounts and test with your own data only.\n\nOnly create accounts, requests and bookings in the demo environment. Do not create requests and bookings at www.urbandoor.com or other production environments. Any property listings in demo are fine to book. You can use the Stripe test cards in the demo environment: https://stripe.com/docs/testing#cards\n\n#Out of Scope Vulnerabilities:#\nWhen reporting vulnerabilities, please consider the attack scenario / exploitability, and security impact of the bug. 
The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses (evading the `(Hidden by Airbnb)` filter)\n* Techniques allowing you to view user profile photos (these are considered public)\n\n#Eligibility#\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n#General Program Rules:#\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through HackerOne. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\n#Rewards#\nOur maximum bounty is $15,000 USD. \nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. The following table outlines the average rewards for specific classes of vulnerabilities:\n\n| Vulnerability Type | Average Bounty for high-priority asset | Average Bounty for low-priority asset |\n|-------------------|-----------------|-----------------|\n| Remote Code Execution (RCE) | $15,000 | $5,000 |\n| SQL Injection | $10,000 | $3,000 |\n| Significant Authentication Bypass | $5,000 | $1,500 |\n| Server Side Request Forgery (SSRF) | $3,500 | $1,000 |\n| Local File Inclusion | $2,500 | $750 |\n| Stored Cross Site Scripting | $3,500 | $500 |\n| Reflected/Other Cross Site Scripting | $2,500 | $500 |\n| Self Cross Site Scripting | $500 | $150 |\n| Sensitive Data Exposure | $1,500 | $500 |\n| Authorization Flaw | $1,500 | $500 |\n| Cross-Site Request Forgery (CSRF) | $1,500 | $500 |\n| Open Redirect on Sensitive Parameter | $1,500 | $500 |\n| Insecure Direct Object Reference (IDOR) | $1,500 | $300 |\n| Open Redirect | $500 | $150 |\n\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. 
Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data. Assets listed as \"low-priority\" in the program scope will generally receive a significantly lower bounty compared to the values on the table above.\n\n#Misc#\n[Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n[Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-11-18T18:21:05.983Z"},{"id":3623922,"new_policy":"Welcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. 
Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or accesses other users’ data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\n#Table of Contents#\n* In Scope Properties\n* Properties With Less Impact\n* Out of Scope Vulnerabilities (no reward)\n* Eligibility\n* Program Rules\n* Rewards\n\n\n#In Scope Properties#\nwww.airbnb.com\nnext.airbnb.com\napi.airbnb.com\nsupport-api.airbnb.com\nassets.airbnb.com\nm.airbnb.com\nomgpro.airbnb.com\none.airbnb.com\ncallbacks.airbnb.com\n*.airbnb.com\nAll localized airbnb sites\nAirbnb iOS app\nAirbnb Android app\n\n#Properties With Less Impact#\n*.atairbnb.com\n*.withairbnb.com\n*.airbnbcitizen.com\n*.byairbnb.com\n*.muscache.com\n*.airbnb-aws.com\n*.luxuryretreats.com\n*.airbnbopen.com\n*Luxury Retreats iOS app\n*luckey.in (see testing requirement below)\n*luckey.fr (see testing requirement below)\n*luckey.app (see testing requirement below)\n*luckeyhomes.com (see testing requirement below)\n*hoteltonight-test.com\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\nThese properties are considered to have lower security 
impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. The bounties given for reports on these properties will therefore be significantly lower.\n\n# LUCKEY HOMES TESTING REQUIREMENT:\nIf you create a lead (contact form, signup, or the `estimate income` modal, which is a POST to /new_lead), please pass an additional parameter `source` with the value `luckey_test`. This is executed at the end of the lead creation form on luckey.fr/luckey.com.\n* If you post directly to the API endpoints, add source=luckey_test to your POST payload.\n* Or browse to https://luckey.fr/?utm_source=luckey_test to automatically add source=luckey_test to your POST payloads.\n\n* If you skip this Testing Requirement, you will be in violation of our program rules and not eligible for a bounty reward.\n\nLuckey Homes Out of Scope:\n* Do not send questions/requests to their customer support team. This is considered an interruption to the business. You must also follow Airbnb's General Program Rules. See below for more info.\n\n# HOTEL TONIGHT Scope:\n*hoteltonight-test.com\n\nResearchers can create customer accounts and book hotel rooms (test bookings) using a test credit card on our staging environment, which doesn’t send out any email notifications (activation or confirmation) to customers.\n\nHotel Tonight Mobile Web App\n* Accessible from https://www.hoteltonight-test.com (if using a desktop browser, note that you will need to use a mobile user-agent or Chrome developer tools to view the mobile site)\n\nHotel Tonight Mobile APIs\nMobile APIs that power our mobile apps are located at:\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\nHotel Tonight Android Native App\nHere is a link to the most recent Android APK (points to our test environment):\nhttps://hoteltonight.egnyte.com/dl/h8A56C0pQu/hotel-tonight-standard-debug.apk_\n\nOur Android app is more full-featured than our Mobile Web App. 
\n*It is highly recommended that you use the Android app to test multiple endpoints and features for any security vulnerabilities.*\n\nSome features that are not part of Mobile Web, but are available in the Android app, are:\n* Using coupons and promotion codes\n* Favorite a hotel and look at your favorites\n* Escape feature\n* Leave a review for a hotel after booking\n\nHotel Tonight Cities and Inventory\nOn our staging environment, you should search for the following cities to look for hotels:\n* San Francisco\n* Las Vegas\n* New York City\n\nHotel Tonight Access\nYou will have access to our Android staging build. You can create customer accounts using your own email addresses (no activation emails will be sent), and use the following credit card for test-booking a hotel room: 4111111111111111 (Visa) with any expiration date in the future. Additional test payment methods are available at https://developers.braintreepayments.com/reference/general/testing/ruby#credit-card-numbers (use only American Express, Discover, JCB, Mastercard, or Visa). Test bookings are not real bookings. We also suppress all emails for test bookings, so no email receipts will be sent to whatever email address is entered.\n\nWe will be running this program on our staging environment: you are allowed to scan the environment and create multiple customer accounts for testing purposes.\n\nHotel Tonight Credentials\nResearchers will need to self-provision customer accounts by signing up using their email on our Android app or mobile web app. You will not get any activation email from our staging environment.\n\n# Hotel Tonight Out of Scope\nIn addition to Airbnb’s Out of Scope, we have some properties that are out of scope as well:\n* *hoteltonight.com\n* *hoteltonight.build\n* Our partner site (partners.hoteltonight.com)\n* iOS mobile app.\n* Single Sign On (Google or Facebook). 
This doesn’t work reliably on our staging environment.\n* Do not send questions/requests to their customer support team for help with your testing. This is considered an interruption to the business.\n\nFor the Android App, the following is out of scope as these features do not work on the Android test build:\n* FB/Google Login\n* AndroidPay\n* PayPal (probably)\n* Push notifications (this build won't receive them properly)\n\n# URBANDOOR Scope:\n* demo.urbandoor.com\n* provider.demo.urbandoor.com\n* admin.demo.urbandoor.com\n\n# IMPORTANT RULE REMINDERS:\n* No testing on real user data permitted for any Urbandoor, Hotel Tonight, or Gaest assets.\n* No exceptions. Do not contact real hosts, guests, or users.\n* Create your own test user accounts and test with your own data only.\n\nOnly create accounts, requests and bookings in the demo environment. Do not create requests and bookings at www.urbandoor.com or other production environments. Any property listings in demo are fine to book. You can use the Stripe test cards in the demo environment: https://stripe.com/docs/testing#cards\n\n#Out of Scope Vulnerabilities:#\nWhen reporting vulnerabilities, please consider the attack scenario, exploitability, and security impact of the bug. 
The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses (evading the `(Hidden by Airbnb)` filter)\n* Techniques allowing you to view user profile photos (these are considered public)\n\n#Eligibility#\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n#General Program Rules:#\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through HackerOne. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\n#Rewards#\nOur maximum bounty is $15,000 USD. \nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from the time of triage to receive your bounty. The following table outlines the average rewards for specific classes of vulnerabilities:\n\n| Vulnerability Type | Average Bounty for high-priority asset | Average Bounty for low-priority asset |\n|-------------------|-----------------|-----------------|\n| Remote Code Execution (RCE) | $15,000 | $5,000 |\n| SQL Injection | $10,000 | $3,000 |\n| Significant Authentication Bypass | $5,000 | $1,500 |\n| Server Side Request Forgery (SSRF) | $3,500 | $1,000 |\n| Local File Inclusion | $2,500 | $750 |\n| Stored Cross Site Scripting | $3,500 | $500 |\n| Reflected/Other Cross Site Scripting | $2,500 | $500 |\n| Self Cross Site Scripting | $500 | $150 |\n| Sensitive Data Exposure | $1,500 | $500 |\n| Authorization Flaw | $1,500 | $500 |\n| Cross-Site Request Forgery (CSRF) | $1,500 | $500 |\n| Open Redirect on Sensitive Parameter | $1,500 | $500 |\n| Insecure Direct Object Reference (IDOR) | $1,500 | $300 |\n| Open Redirect | $500 | $150 |\n\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. 
Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data. Assets listed as \"low-priority\" in the program scope will generally receive a significantly lower bounty compared to the values on the table above.\n\n#Misc#\n[Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n[Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-11-18T18:16:22.084Z"},{"id":3619302,"new_policy":"Welcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. 
Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or accesses other users’ data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\n#Table of Contents#\n* In Scope Properties\n* Properties With Less Impact\n* Out of Scope Vulnerabilities (no reward)\n* Eligibility\n* Program Rules\n* Rewards\n\n\n#In Scope Properties#\nwww.airbnb.com\nnext.airbnb.com\napi.airbnb.com\nsupport-api.airbnb.com\nassets.airbnb.com\nm.airbnb.com\nomgpro.airbnb.com\none.airbnb.com\ncallbacks.airbnb.com\n*.airbnb.com\nAll localized airbnb sites\nAirbnb iOS app\nAirbnb Android app\n\n#Properties With Less Impact#\n*.atairbnb.com\n*.withairbnb.com\n*.airbnbcitizen.com\n*.byairbnb.com\n*.muscache.com\n*.airbnb-aws.com\n*.luxuryretreats.com\n*.airbnbopen.com\n*Luxury Retreats iOS app\n*luckey.in (see testing requirement below)\n*luckey.fr (see testing requirement below)\n*luckey.app (see testing requirement below)\n*luckeyhomes.com (see testing requirement below)\n*hoteltonight-test.com\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\nThese properties are considered to have lower security 
impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. The bounties given for reports on these properties will therefore be significantly lower.\n\nLUCKEY HOMES TESTING REQUIREMENT:\nIf you create a lead (contact form, signup, or the `estimate income` modal, which is a POST to /new_lead), please pass an additional parameter `source` with the value `luckey_test`. This is executed at the end of the lead creation form on luckey.fr/luckey.com.\n* If you post directly to the API endpoints, add source=luckey_test to your POST payload.\n* Or browse to https://luckey.fr/?utm_source=luckey_test to automatically add source=luckey_test to your POST payloads.\n\n* If you skip this Testing Requirement, you will be in violation of our program rules and not eligible for a bounty reward.\n\nLuckey Homes Out of Scope:\n* Do not send questions/requests to their customer support team. This is considered an interruption to the business. You must also follow Airbnb's General Program Rules. See below for more info.\n\nHOTEL TONIGHT Scope:\n*hoteltonight-test.com\n\nResearchers can create customer accounts and book hotel rooms (test bookings) using a test credit card on our staging environment, which doesn’t send out any email notifications (activation or confirmation) to customers.\n\nHotel Tonight Mobile Web App\n* Accessible from https://www.hoteltonight-test.com (if using a desktop browser, note that you will need to use a mobile user-agent or Chrome developer tools to view the mobile site)\n\nHotel Tonight Mobile APIs\nMobile APIs that power our mobile apps are located at:\n* api.hoteltonight-test.com\n* places.hoteltonight-test.com\n\nHotel Tonight Android Native App\nHere is a link to the most recent Android APK (points to our test environment):\nhttps://hoteltonight.egnyte.com/dl/h8A56C0pQu/hotel-tonight-standard-debug.apk_\n\nOur Android app is more full-featured than our Mobile Web App. 
\n*It is highly recommended that you use the Android app to test multiple endpoints and features for any security vulnerabilities.*\n\nSome features that are not part of Mobile Web, but are available in the Android app, are:\n* Using coupons and promotion codes\n* Favorite a hotel and look at your favorites\n* Escape feature\n* Leave a review for a hotel after booking\n\nHotel Tonight Cities and Inventory\nOn our staging environment, you should search for the following cities to look for hotels:\n* San Francisco\n* Las Vegas\n* New York City\n\nHotel Tonight Access\nYou will have access to our Android staging build. You can create customer accounts using your own email addresses (no activation emails will be sent), and use the following credit card for test-booking a hotel room: 4111111111111111 (Visa) with any expiration date in the future. Additional test payment methods are available at https://developers.braintreepayments.com/reference/general/testing/ruby#credit-card-numbers (use only American Express, Discover, JCB, Mastercard, or Visa). Test bookings are not real bookings. We also suppress all emails for test bookings, so no email receipts will be sent to whatever email address is entered.\n\nWe will be running this program on our staging environment: you are allowed to scan the environment and create multiple customer accounts for testing purposes.\n\nHotel Tonight Credentials\nResearchers will need to self-provision customer accounts by signing up using their email on our Android app or mobile web app. You will not get any activation email from our staging environment.\n\nHotel Tonight Out of Scope\nIn addition to Airbnb’s Out of Scope, we have some properties that are out of scope as well:\n* *hoteltonight.com\n* *hoteltonight.build\n* Our partner site (partners.hoteltonight.com)\n* iOS mobile app.\n* Single Sign On (Google or Facebook). 
This doesn’t work reliably on our staging environment.\n* Do not send questions/requests to their customer support team for help with your testing. This is considered an interruption to the business.\n\nFor the Android App, the following is out of scope as these features do not work on the Android test build:\n* FB/Google Login\n* AndroidPay\n* PayPal (probably)\n* Push notifications (this build won't receive them properly)\n\n#Out of Scope Vulnerabilities:#\nWhen reporting vulnerabilities, please consider the attack scenario, exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses (evading the `(Hidden by Airbnb)` filter)\n* Techniques allowing you to view user profile photos (these are considered public)\n\n#Eligibility#\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. 
Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n#General Program Rules:#\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through HackerOne. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\n#Rewards#\nOur maximum bounty is $15,000 USD. \nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from the time of triage to receive your bounty. 
The following table outlines the average rewards for specific classes of vulnerabilities:\n\n| Vulnerability Type | Average Bounty for high-priority asset | Average Bounty for low-priority asset |\n|-------------------|-----------------|-----------------|\n| Remote Code Execution (RCE) | $15,000 | $5,000 |\n| SQL Injection | $10,000 | $3,000 |\n| Significant Authentication Bypass | $5,000 | $1,500 |\n| Server Side Request Forgery (SSRF) | $3,500 | $1,000 |\n| Local File Inclusion | $2,500 | $750 |\n| Stored Cross Site Scripting | $3,500 | $500 |\n| Reflected/Other Cross Site Scripting | $2,500 | $500 |\n| Self Cross Site Scripting | $500 | $150 |\n| Sensitive Data Exposure | $1,500 | $500 |\n| Authorization Flaw | $1,500 | $500 |\n| Cross-Site Request Forgery (CSRF) | $1,500 | $500 |\n| Open Redirect on Sensitive Parameter | $1,500 | $500 |\n| Insecure Direct Object Reference (IDOR) | $1,500 | $300 |\n| Open Redirect | $500 | $150 |\n\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data. Assets listed as \"low-priority\" in the program scope will generally receive a significantly lower bounty compared to the values on the table above.\n\n#Misc#\n[Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n[Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-09-16T17:42:09.815Z"},{"id":3616936,"new_policy":"Welcome! 
Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or accesses other users’ data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\n#Table of Contents#\n* In Scope Properties\n* Properties With Less Impact\n* Out of Scope Vulnerabilities (no reward)\n* Eligibility\n* Program Rules\n* Rewards\n\n\n#In Scope Properties#\nwww.airbnb.com\nnext.airbnb.com\napi.airbnb.com\nsupport-api.airbnb.com\nassets.airbnb.com\nm.airbnb.com\nomgpro.airbnb.com\none.airbnb.com\ncallbacks.airbnb.com\n*.airbnb.com\nAll localized airbnb sites\nAirbnb iOS app\nAirbnb Android app\n\n#Properties With Less Impact#\n*.atairbnb.com\n*.withairbnb.com\n*.airbnbcitizen.com\n*.byairbnb.com\n*.muscache.com\n*.airbnb-aws.com\n*.luxuryretreats.com\n*.airbnbopen.com\n*Luxury Retreats iOS app\n*luckey.in (see testing requirement below)\n*luckey.fr (see testing requirement below)\n*luckey.app (see testing requirement below)\n*luckeyhomes.com (see testing requirement below)\n\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. The bounties given for reports on these properties will therefore be significantly lower.\n\nLUCKEY HOMES TESTING REQUIREMENT:\nIf you create a lead (contact form, signup, or the `estimate income` modal, which is a POST to /new_lead), please pass an additional parameter `source` with the value `luckey_test`. This is executed at the end of the lead creation form on luckey.fr/luckey.com.\n* If you post directly to the API endpoints, add source=luckey_test to your POST payload.\n* Or browse to https://luckey.fr/?utm_source=luckey_test to automatically add source=luckey_test to your POST payloads.\n\n* If you skip this Testing Requirement, you will be in violation of our program rules and not eligible for a bounty reward.\n\nLuckey Homes Out of Scope:\n* Do not send questions/requests to their customer support team. 
This is considered an interruption to the business. You must also follow Airbnb's General Program Rules. See below for more info.\n\n\n#Out of Scope Vulnerabilities:#\nWhen reporting vulnerabilities, please consider the attack scenario, exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses (evading the `(Hidden by Airbnb)` filter)\n* Techniques allowing you to view user profile photos (these are considered public)\n\n#Eligibility#\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. 
Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n#General Program Rules:#\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through HackerOne. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\n#Rewards#\nOur maximum bounty is $15,000 USD. \nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from the time of triage to receive your bounty. 
The following table outlines the average rewards for specific classes of vulnerabilities:\n\n| Vulnerability Type | Average Bounty for high-priority asset | Average Bounty for low-priority asset |\n|-------------------|-----------------|-----------------|\n| Remote Code Execution (RCE) | $15,000 | $5,000 |\n| SQL Injection | $10,000 | $3,000 |\n| Significant Authentication Bypass | $5,000 | $1,500 |\n| Server Side Request Forgery (SSRF) | $3,500 | $1,000 |\n| Local File Inclusion | $2,500 | $750 |\n| Stored Cross Site Scripting | $3,500 | $500 |\n| Reflected/Other Cross Site Scripting | $2,500 | $500 |\n| Self Cross Site Scripting | $500 | $150 |\n| Sensitive Data Exposure | $1,500 | $500 |\n| Authorization Flaw | $1,500 | $500 |\n| Cross-Site Request Forgery (CSRF) | $1,500 | $500 |\n| Open Redirect on Sensitive Parameter | $1,500 | $500 |\n| Insecure Direct Object Reference (IDOR) | $1,500 | $300 |\n| Open Redirect | $500 | $150 |\n\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data. Assets listed as \"low-priority\" in the program scope will generally receive a significantly lower bounty compared to the values on the table above.\n\n#Misc#\n[Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n[Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-08-21T23:37:12.083Z"},{"id":3616805,"new_policy":"Welcome! 
Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or access other user’s data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\n#Table of Contents#\n* In Scope Properties\n* Properties With Less Impact\n* Out of Scope Vulnerabilities (no reward)\n* Eligibility\n* Program Rules\n* Rewards\n\n\n#In Scope Properties#\nwww.airbnb.com\nnext.airbnb.com\napi.airbnb.com\nsupport-api.airbnb.com\nassets.airbnb.com\nm.airbnb.com\nomgpro.airbnb.com\none.airbnb.com\ncallbacks.airbnb.com\n*.airbnb.com\nAll localized airbnb sites\nAirbnb iOS app\nAirbnb Android app\n\n#Properties With Less Impact#\n*.atairbnb.com\n*.withairbnb.com\n*.airbnbcitizen.com\n*.byairbnb.com\n*.muscache.com\n*.airbnb-aws.com\n*.luxuryretreats.com\n*.airbnbopen.com\nLuxury Retreats iOS app\n*luckey.in\n*luckey.fr\n*luckey.app\n*luckeyhomes.com\n\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. The bounties given for reports on these properties will therefore be significantly lower.\n\nLUCKEY HOMES TESTING REQUIREMENT:\n* If you create a lead (contact form, signup, “estimate income modal = POST on /new_lead), pass an additional parameter source with value luckey_test” (this is executed at the end of the lead creation form on luckey.fr/luckey.com)\n* If you skip this Testing Requirement, then you will be in violation of our program rules, and not eligible for bounty reward.\n\nLuckey Homes Out of Scope:\n* Do not send questions/requests to their customer support team. This is considered an interruption to the business. You must also follow Airbnb's General Program Rules. See below for more info.\n\n\n#Out of Scope Vulnerabilities:#\nWhen reporting vulnerabilities, please consider the attack scenario / exploitability, and security impact of the bug. 
The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses (evading the `(Hidden by Airbnb)` filter)\n* Techniques allowing you to view user profile photos (these are considered public)\n\n#Eligibility#\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n#General Program Rules:#\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through Hackerone. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\n#Rewards#\nOur maximum bounty is $15,000 USD. \nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. The following table outlines the average rewards for specific classes of vulnerabilities:\n\n|Vulnerability Type|Average Bounty for high-priority asset|Average Bounty for low-priority asset|\n|-------------------|-----------------|-----------------|\n| Remote Code Execution (RCE) | $15,000 | $5,000 |\n| SQL Injection | $10,000 | $3,000|\n| Significant Authentication Bypass | $5,000 | $1,500 |\n| Server Side Request Forgery (SSRF) | $3,500 | $1,000 |\n| Local file Inclusion | $2,500 | $750 |\n|Stored Cross Site Scripting | $3,500 | $500 |\n|Reflected/Other Cross Site Scripting | $2,500 | $500 |\n|Self Cross Site Scripting | $500 | $150|\n|Sensitive Data Exposure| $1,500 | $500 |\n|Authorization Flaw | $1,500 | $500 |\n|Cross-Site Request Forgery (CSRF) | $1,500| $500 |\n|Open Redirect on Sensitive Parameter | $1,500 | $500 |\n|Improper Direct Object Reference (IDOR) | $1,500 | $300 |\n|Open Redirect | $500 | $150 |\n\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. 
Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data. Assets listed as \"low-priority\" in the program scope will generally receive a significantly lower bounty compared to the values on the table above.\n\n#Misc#\n[Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n[Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-08-20T21:25:33.496Z"},{"id":3615949,"new_policy":"Welcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. 
Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or access other user’s data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\n#Table of Contents#\n* In Scope Properties\n* Properties With Less Impact\n* Out of Scope Vulnerabilities (no reward)\n* Eligibility\n* Program Rules\n* Rewards\n\n\n#In Scope Properties#\nwww.airbnb.com\nnext.airbnb.com\napi.airbnb.com\nsupport-api.airbnb.com\nassets.airbnb.com\nm.airbnb.com\nomgpro.airbnb.com\none.airbnb.com\ncallbacks.airbnb.com\n*.airbnb.com\nAll localized airbnb sites\nAirbnb iOS app\nAirbnb Android app\n\n#Properties With Less Impact#\n*.atairbnb.com\n*.withairbnb.com\n*.airbnbcitizen.com\n*.byairbnb.com\n*.muscache.com\n*.airbnb-aws.com\n*.luxuryretreats.com\n*.airbnbopen.com\nLuxury Retreats iOS app\n\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. 
The bounties given for reports on these properties will therefore be significantly lower.\n\n#Out of Scope Vulnerabilities:#\nWhen reporting vulnerabilities, please consider the attack scenario / exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses (evading the `(Hidden by Airbnb)` filter)\n* Techniques allowing you to view user profile photos (these are considered public)\n\n#Eligibility#\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. 
Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n#Program Rules:#\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through Hackerone. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\n#Rewards#\nOur maximum bounty is $15,000 USD. \nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. 
The following table outlines the average rewards for specific classes of vulnerabilities:\n\n|Vulnerability Type|Average Bounty for high-priority asset|Average Bounty for low-priority asset|\n|-------------------|-----------------|-----------------|\n| Remote Code Execution (RCE) | $15,000 | $5,000 |\n| SQL Injection | $10,000 | $3,000|\n| Significant Authentication Bypass | $5,000 | $1,500 |\n| Server Side Request Forgery (SSRF) | $3,500 | $1,000 |\n| Local file Inclusion | $2,500 | $750 |\n|Stored Cross Site Scripting | $3,500 | $500 |\n|Reflected/Other Cross Site Scripting | $2,500 | $500 |\n|Self Cross Site Scripting | $500 | $150|\n|Sensitive Data Exposure| $1,500 | $500 |\n|Authorization Flaw | $1,500 | $500 |\n|Cross-Site Request Forgery (CSRF) | $1,500| $500 |\n|Open Redirect on Sensitive Parameter | $1,500 | $500 |\n|Improper Direct Object Reference (IDOR) | $1,500 | $300 |\n|Open Redirect | $500 | $150 |\n\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data. Assets listed as \"low-priority\" in the program scope will generally receive a significantly lower bounty compared to the values on the table above.\n\n#Misc#\n[Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n[Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-08-09T16:29:28.948Z"},{"id":3603652,"new_policy":"Welcome! 
Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or access other user’s data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\n#Table of Contents#\n* In Scope Properties\n* Properties With Less Impact\n* Out of Scope Vulnerabilities (no reward)\n* Eligibility\n* Program Rules\n* Rewards\n\n\n#In Scope Properties#\nwww.airbnb.com\nnext.airbnb.com\napi.airbnb.com\nsupport-api.airbnb.com\nassets.airbnb.com\nm.airbnb.com\nomgpro.airbnb.com\none.airbnb.com\ncallbacks.airbnb.com\n*.airbnb.com\nAll localized airbnb sites\nAirbnb iOS app\nAirbnb Android app\n\n#Properties With Less Impact#\n*.atairbnb.com\n*.withairbnb.com\n*.airbnbcitizen.com\n*.byairbnb.com\n*.muscache.com\n*.airbnb-aws.com\n*.luxuryretreats.com\n*.airbnbopen.com\nLuxury Retreats iOS app\n\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. The bounties given for reports on these properties will therefore be significantly lower.\n\n#Out of Scope Vulnerabilities:#\nWhen reporting vulnerabilities, please consider the attack scenario / exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses (evading the `(Hidden by Airbnb)` filter)\n\n#Eligibility#\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. 
Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n#Program Rules:#\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through Hackerone. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\n#Rewards#\nOur maximum bounty is $15,000 USD. \nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. 
The following table outlines the average rewards for specific classes of vulnerabilities:\n\n|Vulnerability Type|Average Bounty for high-priority asset|Average Bounty for low-priority asset|\n|-------------------|-----------------|-----------------|\n| Remote Code Execution (RCE) | $15,000 | $5,000 |\n| SQL Injection | $10,000 | $3,000|\n| Significant Authentication Bypass | $5,000 | $1,500 |\n| Server Side Request Forgery (SSRF) | $3,500 | $1,000 |\n| Local file Inclusion | $2,500 | $750 |\n|Stored Cross Site Scripting | $3,500 | $500 |\n|Reflected/Other Cross Site Scripting | $2,500 | $500 |\n|Self Cross Site Scripting | $500 | $150|\n|Sensitive Data Exposure| $1,500 | $500 |\n|Authorization Flaw | $1,500 | $500 |\n|Cross-Site Request Forgery (CSRF) | $1,500| $500 |\n|Open Redirect on Sensitive Parameter | $1,500 | $500 |\n|Improper Direct Object Reference (IDOR) | $1,500 | $300 |\n|Open Redirect | $500 | $150 |\n\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data. Assets listed as \"low-priority\" in the program scope will generally receive a significantly lower bounty compared to the values on the table above.\n\n#Misc#\n[Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n[Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-02-25T19:49:15.364Z"},{"id":3601419,"new_policy":"Welcome! 
Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or access other user’s data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\n#Table of Contents#\n* In Scope Properties\n* Properties With Less Impact\n* Out of Scope Vulnerabilities (no reward)\n* Eligibility\n* Program Rules\n* Rewards\n\n\n#In Scope Properties#\nwww.airbnb.com\nnext.airbnb.com\napi.airbnb.com\nsupport-api.airbnb.com\nassets.airbnb.com\nm.airbnb.com\nomgpro.airbnb.com\none.airbnb.com\ncallbacks.airbnb.com\n*.airbnb.com\nAll localized airbnb sites\nAirbnb iOS app\nAirbnb Android app\n\n#Properties With Less Impact#\n*.atairbnb.com\n*.withairbnb.com\n*.airbnbcitizen.com\n*.byairbnb.com\n*.muscache.com\n*.airbnb-aws.com\n*.luxuryretreats.com\n*.airbnbopen.com\nLuxury Retreats iOS app\n\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. The bounties given for reports on these properties will therefore be significantly lower.\n\n#Out of Scope Vulnerabilities:#\nWhen reporting vulnerabilities, please consider the attack scenario / exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses (evading the `(Hidden by Airbnb)` filter)\n\n#Eligibility#\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. 
Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n#Program Rules:#\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through Hackerone. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\n#Rewards#\nOur maximum bounty is $15,000 USD. \nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. 
The following table outlines the average rewards for specific classes of vulnerabilities:\n\n|Vulnerability Type|Average Bounty for high-priority asset|Average Bounty for low-priority asset|\n|-------------------|-----------------|-----------------|\n| Remote Code Execution (RCE) | $15,000 | $5,000 |\n| SQL Injection | $10,000 | $3,000|\n| Significant Authentication Bypass | $5,000 | $1,500 |\n| Server Side Request Forgery (SSRF) | $3,500 | $1,000 |\n| Local file Inclusion | $2,500 | $750 |\n|Stored Cross Site Scripting | $3,500 | $500 |\n|Reflected/Other Cross Site Scripting | $2,500 | $500 |\n|Self Cross Site Scripting | $500 | $150|\n|Sensitive Data Exposure| $1,500 | $500 |\n|Authorization Flaw | $1,500 | $500 |\n|Cross-Site Request Forgery (CSRF) | $1,500| $500 |\n|Open Redirect on Sensitive Parameter | $1,500 | $500 |\n|Improper Direct Object Reference (IDOR) | $1,500 | $300 |\n|Open Redirect | $500 | $150 |\n\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data. 
Assets listed as \"low-priority\" in the program scope will generally receive a significantly lower bounty compared to the values on the table above.\n\n#Misc#\n[Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n[Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n[View changes](https://hackerone.com/airbnb-vip/policy_versions)\n[Notify me of changes](https://hackerone.com/airbnb-vip)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-01-28T17:58:46.791Z"},{"id":3601414,"new_policy":"Welcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or access other user’s data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. 
Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\n#Table of Contents#\n* In Scope Properties\n* Properties With Less Impact\n* Out of Scope Vulnerabilities (no reward)\n* Eligibility\n* Program Rules\n* Rewards\n\n\n#In Scope Properties#\nwww.airbnb.com\nnext.airbnb.com\napi.airbnb.com\nsupport-api.airbnb.com\nassets.airbnb.com\nm.airbnb.com\nomgpro.airbnb.com\none.airbnb.com\ncallbacks.airbnb.com\n*.airbnb.com\nAll localized airbnb sites\nAirbnb iOS app\nAirbnb Android app\n\n#Properties With Less Impact#\n*.atairbnb.com\n*.withairbnb.com\n*.airbnbcitizen.com\n*.byairbnb.com\n*.muscache.com\n*.airbnb-aws.com\n*.luxuryretreats.com\n*.airbnbopen.com\nLuxury Retreats iOS app\n\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. The bounties given for reports on these properties will therefore be significantly lower.\n\n#Out of Scope Vulnerabilities:#\nWhen reporting vulnerabilities, please consider the attack scenario / exploitability, and security impact of the bug. 
The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses (evading the `(Hidden by Airbnb)` filter)\n\n#Eligibility#\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n#Program Rules:#\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through HackerOne. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\n#Rewards#\nOur maximum bounty is $15,000 USD.\nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. The following table outlines the average rewards for specific classes of vulnerabilities:\n\n|Vulnerability Type|Average Bounty for high-priority asset|Average Bounty for low-priority asset|\n|-------------------|-----------------|-----------------|\n| Remote Code Execution (RCE) | $15,000 | $5,000 |\n| SQL Injection | $10,000 | $3,000 |\n| Significant Authentication Bypass | $5,000 | $1,500 |\n| Server Side Request Forgery (SSRF) | $3,500 | $1,000 |\n| Local File Inclusion | $2,500 | $750 |\n| Stored Cross Site Scripting | $3,500 | $500 |\n| Reflected/Other Cross Site Scripting | $2,500 | $500 |\n| Self Cross Site Scripting | $500 | $150 |\n| Sensitive Data Exposure | $1,500 | $500 |\n| Authorization Flaw | $1,500 | $500 |\n| Cross-Site Request Forgery (CSRF) | $1,500 | $500 |\n| Open Redirect on Sensitive Parameter | $1,500 | $500 |\n| Improper Direct Object Reference (IDOR) | $1,500 | $300 |\n| Open Redirect | $500 | $150 |\n\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. 
Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data. Assets listed as \"low-priority\" in the program scope will generally receive a significantly lower bounty compared to the values on the table above.\n\n#Misc#\n[Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n[Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n[View changes](https://hackerone.com/airbnb-vip/policy_versions)\n[Notify me of changes](https://hackerone.com/airbnb-vip)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-01-28T17:27:34.829Z"},{"id":3601411,"new_policy":"Welcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. 
Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or access other user’s data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\n#Table of Contents#\n* In Scope Properties\n* Properties With Less Impact\n* Out of Scope Vulnerabilities (no reward)\n* Eligibility\n* Program Rules\n* Rewards\n\n\n#In Scope Properties#\nwww.airbnb.com\nnext.airbnb.com\napi.airbnb.com\nsupport-api.airbnb.com\nassets.airbnb.com\nm.airbnb.com\nomgpro.airbnb.com\none.airbnb.com\ncallbacks.airbnb.com\n*.airbnb.com\nAll localized airbnb sites\nAirbnb iOS app\nAirbnb Android app\n\n#Properties With Less Impact#\n*.atairbnb.com\n*.withairbnb.com\n*.airbnbcitizen.com\n*.byairbnb.com\n*.muscache.com\n*.airbnb-aws.com\n*.luxuryretreats.com\n*.airbnbopen.com\nLuxury Retreats iOS app\n\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. 
The bounties given for reports on these properties will therefore be significantly lower.\n\n#Out of Scope Vulnerabilities:#\nWhen reporting vulnerabilities, please consider the attack scenario / exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses (evading the `(Hidden by Airbnb)` filter)\n\n#Eligibility#\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n#Program Rules:#\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through HackerOne. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\n#Rewards#\nOur maximum bounty is $15,000 USD.\nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. The following table outlines the average rewards for specific classes of vulnerabilities:\n\n|Vulnerability Type|Average Bounty for high-priority asset|Average Bounty for low-priority asset|\n|-------------------|-----------------|-----------------|\n| Remote Code Execution (RCE) | $15,000 | $5,000 |\n| SQL Injection | $10,000 | $3,000 |\n| Significant Authentication Bypass | $5,000 | $1,500 |\n| Server Side Request Forgery (SSRF) | $3,500 | $1,000 |\n| Local File Inclusion | $2,500 | $750 |\n| Stored Cross Site Scripting | $3,500 | $500 |\n| Reflected/Other Cross Site Scripting | $2,500 | $500 |\n| Self Cross Site Scripting | $500 | $150 |\n| Sensitive Data Exposure | $1,500 | $500 |\n| Authorization Flaw | $1,500 | $500 |\n| Cross-Site Request Forgery (CSRF) | $1,500 | $500 |\n| Open Redirect | $500 | $100 |\n| Improper Direct Object Reference (IDOR) | $1,500 | $300 |\n\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. 
Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data. Assets listed as \"low-priority\" in the program scope will generally receive a significantly lower bounty compared to the values on the table above.\n\n#Misc#\n[Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n[Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n[View changes](https://hackerone.com/airbnb-vip/policy_versions)\n[Notify me of changes](https://hackerone.com/airbnb-vip)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-01-28T17:19:19.655Z"},{"id":3601410,"new_policy":"Welcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. 
Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or access other user’s data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\n#Table of Contents#\n* In Scope Properties\n* Properties With Less Impact\n* Out of Scope Vulnerabilities (no reward)\n* Eligibility\n* Program Rules\n* Rewards\n\n\n#In Scope Properties#\nwww.airbnb.com\nnext.airbnb.com\napi.airbnb.com\nsupport-api.airbnb.com\nassets.airbnb.com\nm.airbnb.com\nomgpro.airbnb.com\none.airbnb.com\ncallbacks.airbnb.com\n*.airbnb.com\nAll localized airbnb sites\nAirbnb iOS app\nAirbnb Android app\n\n#Properties With Less Impact#\n*.atairbnb.com\n*.withairbnb.com\n*.airbnbcitizen.com\n*.byairbnb.com\n*.muscache.com\n*.airbnb-aws.com\n*.luxuryretreats.com\n*.airbnbopen.com\nLuxury Retreats iOS app\n\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. 
The bounties given for reports on these properties will therefore be significantly lower.\n\n#Out of Scope Vulnerabilities:#\nWhen reporting vulnerabilities, please consider the attack scenario / exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses (evading the `(Hidden by Airbnb)` filter)\n\n#Eligibility#\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n#Program Rules:#\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through HackerOne. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\n#Rewards#\nOur maximum bounty is $15,000 USD.\nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. The following table outlines the average rewards for specific classes of vulnerabilities:\n\n|Vulnerability Type|Average Bounty for high-priority asset|Average Bounty for low-priority asset|\n|-------------------|-----------------|-----------------|\n| Remote Code Execution (RCE) | $15,000 | $5,000 |\n| SQL Injection | $10,000 | $3,000 |\n| Significant Authentication Bypass | $5,000 | $1,500 |\n| Server Side Request Forgery (SSRF) | $3,500 | $1,000 |\n| Local File Inclusion | $2,500 | $750 |\n| Stored Cross Site Scripting | $3,500 | $500 |\n| Reflected/Other Cross Site Scripting | $2,500 | $500 |\n| Self Cross Site Scripting | $500 | $150 |\n| Sensitive Data Exposure | $1,500 | $500 |\n| Authorization Flaw | $1,500 | $500 |\n| Cross-Site Request Forgery (CSRF) | $1,500 | $500 |\n| Open Redirect on Sensitive Parameter | $1,500 | $500 |\n| Open Redirect | $500 | $150 |\n| Improper Direct Object Reference (IDOR) | $1,500 | $300 |\n\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. 
Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data. Assets listed as \"low-priority\" in the program scope will generally receive a significantly lower bounty compared to the values on the table above.\n\n#Misc#\n[Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n[Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n[View changes](https://hackerone.com/airbnb-vip/policy_versions)\n[Notify me of changes](https://hackerone.com/airbnb-vip)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-01-28T17:15:51.501Z"},{"id":3601409,"new_policy":"Welcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. 
Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or access other user’s data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\n#Table of Contents#\n* In Scope Properties\n* Properties With Less Impact\n* Out of Scope Vulnerabilities (no reward)\n* Eligibility\n* Program Rules\n* Rewards\n\n\n#In Scope Properties#\nwww.airbnb.com\nnext.airbnb.com\napi.airbnb.com\nsupport-api.airbnb.com\nassets.airbnb.com\nm.airbnb.com\nomgpro.airbnb.com\none.airbnb.com\ncallbacks.airbnb.com\n*.airbnb.com\nAll localized airbnb sites\nAirbnb iOS app\nAirbnb Android app\n\n#Properties With Less Impact#\n*.atairbnb.com\n*.withairbnb.com\n*.airbnbcitizen.com\n*.byairbnb.com\n*.muscache.com\n*.airbnb-aws.com\n*.luxuryretreats.com\n*.airbnbopen.com\nLuxury Retreats iOS app\n\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. 
The bounties given for reports on these properties will therefore be significantly lower.\n\n#Out of Scope Vulnerabilities:#\nWhen reporting vulnerabilities, please consider the attack scenario / exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses (evading the `(Hidden by Airbnb)` filter)\n\n#Eligibility#\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n#Program Rules:#\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through HackerOne. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\n#Rewards#\nOur maximum bounty is $15,000 USD.\nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. The following table outlines the average rewards for specific classes of vulnerabilities:\n\n|Vulnerability Type|Average Bounty for high-priority asset|Average Bounty for low-priority asset|\n|-------------------|-----------------|-----------------|\n| Remote Code Execution (RCE) | $15,000 | $5,000 |\n| SQL Injection | $10,000 | $3,000 |\n| Significant Authentication Bypass | $5,000 | $1,500 |\n| Server Side Request Forgery (SSRF) | $3,500 | $1,500 |\n| Local File Inclusion | $2,500 | $750 |\n| Stored Cross Site Scripting | $3,500 | $1,000 |\n| Reflected/Other Cross Site Scripting | $2,500 | $750 |\n| Self Cross Site Scripting | $500 | $150 |\n| Sensitive Data Exposure | $1,500 | $500 |\n| Authorization Flaw | $1,500 | $500 |\n| Cross-Site Request Forgery (CSRF) | $1,500 | $500 |\n| Open Redirect on Sensitive Parameter | $1,500 | $500 |\n| Open Redirect | $500 | $150 |\n| Improper Direct Object Reference (IDOR) | $1,500 | $300 |\n\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. 
Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data. Assets listed as \"low-priority\" in the program scope will generally receive a significantly lower bounty compared to the values on the table above.\n\n#Misc#\n[Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n[Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n[View changes](https://hackerone.com/airbnb-vip/policy_versions)\n[Notify me of changes](https://hackerone.com/airbnb-vip)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-01-28T17:12:53.414Z"},{"id":3601408,"new_policy":"Welcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. 
Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or access other user’s data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\n#Table of Contents#\n* In Scope Properties\n* Properties With Less Impact\n* Out of Scope Vulnerabilities (no reward)\n* Eligibility\n* Program Rules\n* Rewards\n\n\n#In Scope Properties#\nwww.airbnb.com\nnext.airbnb.com\napi.airbnb.com\nsupport-api.airbnb.com\nassets.airbnb.com\nm.airbnb.com\nomgpro.airbnb.com\none.airbnb.com\ncallbacks.airbnb.com\n*.airbnb.com\nAll localized airbnb sites\nAirbnb iOS app\nAirbnb Android app\n\n#Properties With Less Impact#\n*.atairbnb.com\n*.withairbnb.com\n*.airbnbcitizen.com\n*.byairbnb.com\n*.muscache.com\n*.airbnb-aws.com\n*.luxuryretreats.com\n*.airbnbopen.com\nLuxury Retreats iOS app\n\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. 
The bounties given for reports on these properties will therefore be significantly lower.\n\n#Out of Scope Vulnerabilities:#\nWhen reporting vulnerabilities, please consider the attack scenario / exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses (evading the `(Hidden by Airbnb)` filter)\n\n#Eligibility#\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n#Program Rules:#\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through HackerOne. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\n#Rewards#\nOur maximum bounty is $15,000 USD.\nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. The following table outlines the average rewards for specific classes of vulnerabilities:\n\n|Vulnerability Type|Average Bounty for high-priority asset|Average Bounty for low-priority asset|\n|-------------------|-----------------|-----------------|\n| Remote Code Execution (RCE) | $15,000 | $5,000 |\n| SQL Injection | $10,000 | $3,000 |\n| Significant Authentication Bypass | $5,000 | $1,500 |\n| Server Side Request Forgery (SSRF) | $3,500 | $1,500 |\n| Local File Inclusion | $2,500 | $750 |\n| Stored Cross Site Scripting | $3,500 | $1,000 |\n| Reflected/Other Cross Site Scripting | $2,500 | $750 |\n| Self Cross Site Scripting | $500 | $150 |\n| Sensitive Data Exposure | $1,500 | $500 |\n| Authorization Flaw | $1,500 | $500 |\n| Cross-Site Request Forgery (CSRF) | $1,500 | $500 |\n| Open Redirect on Sensitive Parameter | $1,500 | $500 |\n| Open Redirect | $500 | $150 |\n| Improper Direct Object Reference (IDOR) | $1,500 | $300 |\n\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. 
Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data. Assets listed as \"low-priority\" in the program scope will generally receive a significantly lower bounty compared to the values on the table above.\n\n#Misc#\n[Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n[Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n[View changes](https://hackerone.com/airbnb-vip/policy_versions)\n[Notify me of changes](https://hackerone.com/airbnb-vip)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-01-28T17:12:20.136Z"},{"id":3598664,"new_policy":"Welcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. 
Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or access other user’s data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\n#Table of Contents#\n* In Scope Properties\n* Properties With Less Impact\n* Out of Scope Vulnerabilities (no reward)\n* Eligibility\n* Program Rules\n* Rewards\n\n\n#In Scope Properties#\nwww.airbnb.com\nnext.airbnb.com\napi.airbnb.com\nsupport-api.airbnb.com\nassets.airbnb.com\nm.airbnb.com\nomgpro.airbnb.com\none.airbnb.com\ncallbacks.airbnb.com\n*.airbnb.com\nAll localized airbnb sites\nAirbnb iOS app\nAirbnb Android app\n\n#Properties With Less Impact#\n*.atairbnb.com\n*.withairbnb.com\n*.airbnbcitizen.com\n*.byairbnb.com\n*.muscache.com\n*.airbnb-aws.com\n*.luxuryretreats.com\n*.airbnbopen.com\nLuxury Retreats iOS app\n\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. 
The bounties given for reports on these properties will therefore be significantly lower.\n\n#Out of Scope Vulnerabilities:#\nWhen reporting vulnerabilities, please consider the attack scenario / exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Weaknesses\n* Email Spoofing\n* Content redaction bypasses (evading the `(Hidden by Airbnb)` filter)\n\n#Eligibility#\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n#Program Rules:#\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through HackerOne. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\n#Rewards#\nOur maximum bounty is $15,000 USD. \nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. The following table outlines the average rewards for specific classes of vulnerabilities:\n\n|Vulnerability Type|Average Bounty for high-priority asset|\n|-------------------|-----------------|\n| Remote Code Execution (RCE) | $15,000|\n| SQL Injection | $10,000 |\n| Significant Authentication Bypass | $5,000 |\n| Server Side Request Forgery (SSRF) | $3,500 |\n| Local file Inclusion | $2,500 |\n|Stored Cross Site Scripting| $3,500|\n|Other Cross Site Scripting | $2,500|\n|Sensitive Data Exposure| $1,500|\n|Authorization Flaw | $1,500|\n|Cross-Site Request Forgery (CSRF) | $1,500| \n|Open Redirect | $500|\n\n\n\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data. 
Assets listed as \"low-priority\" in the program scope will generally receive a significantly lower bounty compared to the values on the table above.\n\n#Misc#\n[Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n[Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n[View changes](https://hackerone.com/airbnb-vip/policy_versions)\n[Notify me of changes](https://hackerone.com/airbnb-vip)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-12-19T19:12:14.851Z"},{"id":3598599,"new_policy":"Welcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or access other user’s data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. 
Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\n#Table of Contents#\n* In Scope Properties\n* Properties With Less Impact\n* Out of Scope Vulnerabilities (no reward)\n* Eligibility\n* Program Rules\n* Rewards\n\n\n#In Scope Properties#\nwww.airbnb.com\nnext.airbnb.com\napi.airbnb.com\nsupport-api.airbnb.com\nassets.airbnb.com\nm.airbnb.com\nomgpro.airbnb.com\none.airbnb.com\ncallbacks.airbnb.com\n*.airbnb.com\nAll localized airbnb sites\nAirbnb iOS app\nAirbnb Android app\n\n#Properties With Less Impact#\n*.atairbnb.com\n*.withairbnb.com\n*.airbnbcitizen.com\n*.byairbnb.com\n*.muscache.com\n*.airbnb-aws.com\n*.luxuryretreats.com\n*.airbnbopen.com\nLuxury Retreats iOS app\n\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. The bounties given for reports on these properties will therefore be significantly lower.\n\n#Out of Scope Vulnerabilities:#\nWhen reporting vulnerabilities, please consider the attack scenario / exploitability, and security impact of the bug. 
The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Policy Weaknesses\n* Email Spoofing\n\n#Eligibility#\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n#Program Rules:#\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. 
You may submit a request for us to investigate and unblock your account through HackerOne. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\n#Rewards#\nOur maximum bounty is $15,000 USD. \nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. The following table outlines the average rewards for specific classes of vulnerabilities:\n\n|Vulnerability Type|Average Bounty for high-priority asset|\n|-------------------|-----------------|\n| Remote Code Execution (RCE) | $15,000|\n| SQL Injection | $10,000 |\n| Significant Authentication Bypass | $5,000 |\n| Server Side Request Forgery (SSRF) | $3,500 |\n| Local file Inclusion | $2,500 |\n|Stored Cross Site Scripting| $3,500|\n|Other Cross Site Scripting | $2,500|\n|Sensitive Data Exposure| $1,500|\n|Authorization Flaw | $1,500|\n|Cross-Site Request Forgery (CSRF) | $1,500| \n|Open Redirect | $500|\n\n\n\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data. 
Assets listed as \"low-priority\" in the program scope will generally receive a significantly lower bounty compared to the values on the table above.\n\n#Misc#\n[Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n[Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n[View changes](https://hackerone.com/airbnb-vip/policy_versions)\n[Notify me of changes](https://hackerone.com/airbnb-vip)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-12-18T21:16:14.234Z"},{"id":3584248,"new_policy":"Welcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or access other user’s data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. 
Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\n#Table of Contents#\n* In Scope Properties\n* Properties With Less Impact\n* Out of Scope Vulnerabilities (no reward)\n* Eligibility\n* Program Rules\n* Rewards\n\n\n#In Scope Properties#\nwww.airbnb.com\nnext.airbnb.com\napi.airbnb.com\nsupport-api.airbnb.com\nassets.airbnb.com\nm.airbnb.com\nomgpro.airbnb.com\none.airbnb.com\ncallbacks.airbnb.com\n*.airbnb.com\nAll localized airbnb sites\nAirbnb iOS app\nAirbnb Android app\n\n#Properties With Less Impact#\n*.atairbnb.com\n*.withairbnb.com\n*.airbnbcitizen.com\n*.byairbnb.com\n*.muscache.com\n*.airbnb-aws.com\n*.luxuryretreats.com\n*.airbnbopen.com\nLuxury Retreats iOS app\n\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. The bounties given for reports on these properties will therefore be significantly lower.\n\n#Out of Scope Vulnerabilities:#\nWhen reporting vulnerabilities, please consider the attack scenario / exploitability, and security impact of the bug. 
The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Policy Weaknesses\n* Email Spoofing\n\n#Eligibility#\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n#Program Rules:#\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. 
You may submit a request for us to investigate and unblock your account through HackerOne. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\n#Rewards#\nOur maximum bounty is $15,000 USD. \nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. The following table outlines the average rewards for specific classes of vulnerabilities:\n\n|Vulnerability Type|Average Bounty|\n|-------------------|-----------------|\n| Remote Code Execution (RCE) | $15,000|\n| SQL Injection | $10,000 |\n| Significant Authentication Bypass | $5,000 |\n| Server Side Request Forgery (SSRF) | $3,500 |\n| Local file Inclusion | $2,500 |\n|Stored Cross Site Scripting| $3,500|\n|Other Cross Site Scripting | $2,500|\n|Sensitive Data Exposure| $1,500|\n|Authorization Flaw | $1,500|\n|Cross-Site Request Forgery (CSRF) | $1,500| \n|Open Redirect | $500|\n\n\n\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. 
Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data.\n\n#Misc#\n[Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n[Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n[View changes](https://hackerone.com/airbnb-vip/policy_versions)\n[Notify me of changes](https://hackerone.com/airbnb-vip)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-07-31T18:04:32.454Z"},{"id":3581671,"new_policy":"Welcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or access other user’s data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. 
Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\n#Table of Contents#\n* In Scope Properties\n* Properties With Less Impact\n* Out of Scope Vulnerabilities (no reward)\n* Eligibility\n* Program Rules\n* Rewards\n\n\n#In Scope Properties#\nwww.airbnb.com\nnext.airbnb.com\napi.airbnb.com\nsupport-api.airbnb.com\nassets.airbnb.com\nm.airbnb.com\nomgpro.airbnb.com\none.airbnb.com\ncallbacks.airbnb.com\n*.airbnb.com\nAll localized airbnb sites\nAirbnb iOS app\nAirbnb Android app\n\n#Properties With Less Impact#\n*.atairbnb.com\n*.withairbnb.com\n*.airbnbcitizen.com\n*.byairbnb.com\n*.muscache.com\n*.airbnb-aws.com\n*.luxuryretreats.com\n*.airbnbopen.com\nLuxury Retreats iOS app\n\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. The bounties given for reports on these properties will therefore be significantly lower.\n\n#Out of Scope Vulnerabilities:#\nWhen reporting vulnerabilities, please consider the attack scenario / exploitability, and security impact of the bug. 
The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Policy Weaknesses\n* Email Spoofing\n\n#Eligibility#\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n#Program Rules:#\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. 
You may submit a request for us to investigate and unblock your account through HackerOne. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\n#Rewards#\nOur maximum bounty is $15,000 USD. \nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. The following table outlines the average rewards for specific classes of vulnerabilities:\n\n|Vulnerability Type|Average Bounty|\n|-------------------|-----------------|\n| Remote Code Execution (RCE) | $15,000|\n| SQL Injection | $10,000 |\n| Significant Authentication Bypass | $5,000 |\n| Server Side Request Forgery (SSRF) | $3,500 |\n| Local file Inclusion | $2,500 |\n|Stored Cross Site Scripting| $3,500|\n|Other Cross Site Scripting | $2,500|\n|Sensitive Data Exposure| $1,500|\n|Authorization Flaw | $1,500|\n|Cross-Site Request Forgery (CSRF) | $1,500| \n|Open Redirect | $500|\n\n\n\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. 
Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data.\n\n#Misc#\n[Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n[Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n[View changes](https://hackerone.com/airbnb-vip/policy_versions)\n[Notify me of changes](https://hackerone.com/airbnb-vip)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-07-06T00:31:53.574Z"},{"id":3580410,"new_policy":"Welcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or access other user’s data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. 
Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\n#Table of Contents#\n* In Scope Properties\n* Properties With Less Impact\n* Out of Scope Vulnerabilities (no reward)\n* Eligibility\n* Program Rules\n* Rewards\n\n\n#In Scope Properties#\nwww.airbnb.com\nnext.airbnb.com\napi.airbnb.com\nsupport-api.airbnb.com\nassets.airbnb.com\nm.airbnb.com\nomgpro.airbnb.com\none.airbnb.com\nopen.airbnb.com\ncallbacks.airbnb.com\n*.airbnb.com\nAll localized airbnb sites\nAirbnb iOS app\nAirbnb Android app\n\n#Properties With Less Impact#\n*.atairbnb.com\n*.withairbnb.com\n*.airbnbcitizen.com\n*.byairbnb.com\n*.muscache.com\n*.airbnb-aws.com\n*.luxuryretreats.com\nLuxury Retreats iOS app\n\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. The bounties given for reports on these properties will therefore be significantly lower.\n\n#Out of Scope Vulnerabilities:#\nWhen reporting vulnerabilities, please consider the attack scenario / exploitability, and security impact of the bug. 
The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Policy Weaknesses\n* Email Spoofing\n\n#Eligibility#\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n* Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n#Program Rules:#\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. 
You may submit a request for us to investigate and unblock your account through Hackerone. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\n#Rewards#\nOur maximum bounty is $15,000 USD. \nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. The following table outlines the average rewards for specific classes of vulnerabilities:\n\n|Vulnerability Type|Average Bounty|\n|-------------------|-----------------|\n| Remote Code Execution (RCE) | $15,000|\n| SQL Injection | $10,000 |\n| Significant Authentication Bypass | $5,000 |\n| Server Side Request Forgery (SSRF) | $3,500 |\n| Local file Inclusion | $2,500 |\n|Stored Cross Site Scripting| $3,500|\n|Other Cross Site Scripting | $2,500|\n|Sensitive Data Exposure| $1,500|\n|Authorization Flaw | $1,500|\n|Cross-Site Request Forgery (CSRF) | $1,500| \n|Open Redirect | $500|\n\n\n\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. 
Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data.\n\n#Misc#\n[Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n[Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n[View changes](https://hackerone.com/airbnb-vip/policy_versions)\n[Notify me of changes](https://hackerone.com/airbnb-vip)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-06-20T14:06:46.772Z"},{"id":3575229,"new_policy":"#Policy#\nWelcome! Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or access other user’s data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. 
Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\n#In Scope Properties#\nwww.airbnb.com\nnext.airbnb.com\napi.airbnb.com\nsupport-api.airbnb.com\nassets.airbnb.com\nm.airbnb.com\nomgpro.airbnb.com\none.airbnb.com\nopen.airbnb.com\ncallbacks.airbnb.com\n*.airbnb.com\nAll localized airbnb sites\nAirbnb iOS app\nAirbnb Android app\n\n#Properties With Less Impact#\n*.atairbnb.com\n*.withairbnb.com\n*.airbnbcitizen.com\n*.byairbnb.com\n*.muscache.com\n*.airbnb-aws.com\n*.luxuryretreats.com\nLuxury Retreats iOS app\n\nThese properties are considered to have lower security impact on our users since they should not have access to Airbnb user sessions and generally cannot access user data. The bounties given for reports on these properties will therefore be significantly lower.\n\n#Out of Scope Vulnerabilities:#\nWhen reporting vulnerabilities, please consider the attack scenario / exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Policy Weaknesses\n\n#Eligibility#\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. 
Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n*Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n#Program Rules:#\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through Hackerone. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\n#Rewards#\nOur maximum bounty is $15,000 USD. \nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. 
The following table outlines the average rewards for specific classes of vulnerabilities:\n\n|Vulnerability Type|Average Bounty|\n|-------------------|-----------------|\n| Remote Code Execution (RCE) | $15,000|\n| SQL Injection | $10,000 |\n| Significant Authentication Bypass | $5,000 |\n| Server Side Request Forgery (SSRF) | $3,500 |\n| Local file Inclusion | $2,500 |\n|Stored Cross Site Scripting| $3,500|\n|Other Cross Site Scripting | $2,500|\n|Sensitive Data Exposure| $1,500|\n|Authorization Flaw | $1,500|\n|Cross-Site Request Forgery (CSRF) | $1,500| \n|Open Redirect | $500|\n\n\n\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data.\n\n#Misc#\n[Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n[Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n[View changes](https://hackerone.com/airbnb-vip/policy_versions)\n[Notify me of changes](https://hackerone.com/airbnb-vip)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-04-30T19:31:53.829Z"},{"id":3570202,"new_policy":"#Policy#\nWelcome! Airbnb is committed to building and protecting the world's most trusted community. 
If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or access other user’s data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our Help Center.\n\n#In Scope Properties#\nwww.airbnb.com\nnext.airbnb.com\napi.airbnb.com\nsupport-api.airbnb.com\nassets.airbnb.com\nm.airbnb.com\nomgpro.airbnb.com\none.airbnb.com\nopen.airbnb.com\ncallbacks.airbnb.com\n*.airbnb.com\nAll localized airbnb sites\nAirbnb iOS app\nAirbnb Android app\n\n#Out of Scope Properties:#\nAirbnb recently switched to a single, public, paid bounty program. As such, we have decided to temporarily remove non-high priority assets from our scope to help throttle incoming reports during this transition period. 
We appreciate your understanding during this time.\n\n###Any vulnerabilities reported for properties not explicitly listed as In Scope, will not receive a payout/bounty. The below properties have been temporarily removed from the scope of our bounty program:###\n*.atairbnb.com\n*.withairbnb.com\n*.airbnbcitizen.com\n*.byairbnb.com\n*.muscache.com\n*.airbnb-aws.com\n*.luxuryretreats.com\nLuxury Retreats iOS app\nWe will revisit adding these properties to scope at a future date.  \n\n#Out of Scope Vulnerabilities:#\nWhen reporting vulnerabilities, please consider the attack scenario / exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:\n* Denial of service attacks\n* Phishing attacks\n* Social engineering attacks\n* Reflected file download\n* Software version disclosure\n* Issues requiring direct physical access\n* Issues requiring exceedingly unlikely user interaction\n* Flaws affecting out-of-date browsers and plugins\n* Publicly accessible login panels\n* CSV injection\n* Email enumeration / account oracles\n* CSP Policy Weaknesses\n\n#Eligibility#\nAirbnb reserves the right to decide if the minimum severity threshold is met, and whether the vulnerability was previously reported. 
Rewards are granted entirely at the discretion of Airbnb.\nTo qualify for a reward under this program, you should:\n* Be the first to report a vulnerability.\n*Send a clear textual description of the report along with steps to reproduce the vulnerability.\n* Include attachments such as screenshots or proof of concept code as necessary.\n* Disclose the vulnerability report directly and exclusively to us.\n\nA good bug report should include the following information at a minimum:\n* List the affected endpoints, URL(s), and any additional parameters\n* Directions so we can reproduce the finding to verify the vulnerability\n* Full written details of the finding\n\n#Program Rules:#\n* Do not mass create accounts to perform testing against Airbnb applications and services.\n* Do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Only interact with accounts you own or with explicit permission of the account holder.\n* Blocked Accounts: There are no guarantees we will be able to unblock any restricted account activity. You may submit a request for us to investigate and unblock your account through Hackerone. The Airbnb InfoSec team will review your request and notify you if any further action is taken.\n* Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.\n\n#Rewards#\nOur maximum bounty is $15,000 USD. \nReward amounts may vary depending upon the severity, difficulty to exploit, and impact of the vulnerability reported. Please allow up to 2 weeks from time of triage to receive your bounty. 
The following table outlines the average rewards for specific classes of vulnerabilities:\n\n|Vulnerability Type|Average Bounty|\n|-------------------|-----------------|\n| Remote Code Execution (RCE) | $15,000|\n| SQL Injection | $10,000 |\n| Significant Authentication Bypass | $5,000 |\n| Server Side Request Forgery (SSRF) | $3,500 |\n| Local file Inclusion | $2,500 |\n|Stored Cross Site Scripting| $3,500|\n|Other Cross Site Scripting | $2,500|\n|Sensitive Data Exposure| $1,500|\n|Authorization Flaw | $1,500|\n|Cross-Site Request Forgery (CSRF) | $1,500| \n|Open Redirect | $500|\n\n\n\n\nPlease remember that reward decisions are up to the discretion of Airbnb. We do not reward for duplicate reports. Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information); self-XSS; or an RCE on an asset that doesn’t house production data.\n\n#Misc#\n[Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n[Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n[View changes](https://hackerone.com/airbnb-vip/policy_versions)\n[Notify me of changes](https://hackerone.com/airbnb-vip)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-03-05T19:04:00.633Z"},{"id":3563910,"new_policy":"**Welcome!** Airbnb is committed to building and protecting the world's most trusted community. If you believe you have discovered a potential security vulnerability with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly. 
\n\nWe ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. In doing so, please take the utmost care to protect our users' privacy, data confidentiality, and integrity. The privacy of our community is crucial, and we very much value your assistance in preserving it.  Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or access other user’s data.\n\nUpon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution. Provided that you’ve made a good faith effort to abide by this policy, we will not take legal action against you or ask law enforcement to investigate you.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. 
If you're having issues related to your individual Airbnb account, then please visit our [Help Center](https://www.airbnb.com/help).\n\n## In Scope Properties:\n- www.airbnb.com\n- next.airbnb.com\n- api.airbnb.com\n- support-api.airbnb.com\n- assets.airbnb.com\n- m.airbnb.com\n- omgpro.airbnb.com\n- one.airbnb.com\n- open.airbnb.com\n- callbacks.airbnb.com\n- *.airbnb.com\n- [All localized airbnb sites](https://www.airbnb.com/sitemaps/localized)\n- *.airbnbcitizen.com\n- Airbnb iOS app\n- Airbnb Android app\n\n## Less impact:\n- *.atairbnb.com\n- *.withairbnb.com\n- *.byairbnb.com\n- *.muscache.com\n- *.airbnb-aws.com\n- *.luxuryretreats.com\n- Luxury Retreats iOS app\n\n## Out of Scope Properties:\n- Properties not explicitly listed above are unlikely to be triaged\n\n## Out of Scope Vulnerabilities:\n- Denial of service attacks\n- Phishing attacks\n- Social engineering attacks\n- Reflected file download\n- Software version disclosure\n- Issues requiring direct physical access\n- Issues requiring exceedingly unlikely user interaction\n- Flaws affecting out-of-date browsers and plugins\n- Publicly accessible login panels\n- CSV injection\n- Email enumeration / account oracles\n- CSP Policy Weaknesses\n\n## Misc\n\n[Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n\n[Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-11-22T18:01:44.823Z"},{"id":3563796,"new_policy":"**Welcome!** Airbnb is committed to building and protecting the world's most trusted community. If you believe you've discovered a security-related issue with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly. 
We ask the security research community to give us an opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. Please make a good faith effort to protect our users' privacy and data. We promise to address security issues responsibly and in a timely manner.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual Airbnb account, then please visit our [Help Center](https://www.airbnb.com/help).\n\n\n## In Scope Properties:\n- www.airbnb.com\n- next.airbnb.com\n- api.airbnb.com\n- support-api.airbnb.com\n- assets.airbnb.com\n- m.airbnb.com\n- omgpro.airbnb.com\n- one.airbnb.com\n- open.airbnb.com\n- callbacks.airbnb.com\n- *.airbnb.com\n- [All localized airbnb sites](https://www.airbnb.com/sitemaps/localized)\n- *.airbnbcitizen.com\n- Airbnb iOS app\n- Airbnb Android app\n\n## Less impact:\n- *.atairbnb.com\n- *.withairbnb.com\n- *.byairbnb.com\n- *.muscache.com\n- *.airbnb-aws.com\n- *.luxuryretreats.com\n- Luxury Retreats iOS app\n\n## Out of Scope Properties:\n- Properties not explicitly listed above are unlikely to be triaged\n\n## Out of Scope Vulnerabilities:\n- Denial of service attacks\n- Phishing attacks\n- Social engineering attacks\n- Reflected file download\n- Software version disclosure\n- Issues requiring direct physical access\n- Issues requiring exceedingly unlikely user interaction\n- Flaws affecting out-of-date browsers and plugins\n- Publicly accessible login panels\n- CSV injection\n- Email enumeration / account oracles\n- CSP Policy Weaknesses\n\n## Misc\n\n[Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n\n[Past versions of this 
policy](https://hackerone.com/airbnb/policy_versions)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-11-21T22:52:42.315Z"},{"id":3562304,"new_policy":"**Welcome!** Airbnb is committed to building and protecting the world's most trusted community. If you believe you've discovered a security-related issue with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly. We ask the security research community to give us an opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. Please make a good faith effort to protect our users' privacy and data. We promise to address security issues responsibly and in a timely manner.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. 
If you're having issues related to your individual Airbnb account, then please visit our [Help Center](https://www.airbnb.com/help).\n\n\n## In Scope Properties:\n- www.airbnb.com\n- next.airbnb.com\n- api.airbnb.com\n- support-api.airbnb.com\n- assets.airbnb.com\n- m.airbnb.com\n- omgpro.airbnb.com\n- one.airbnb.com\n- open.airbnb.com\n- callbacks.airbnb.com\n- *.airbnb.com\n- [All localized airbnb sites](https://www.airbnb.com/sitemaps/localized)\n- *.airbnbcitizen.com\n- Airbnb iOS app\n- Airbnb Android app\n\n## Less impact:\n- *.atairbnb.com\n- *.withairbnb.com\n- *.byairbnb.com\n- *.muscache.com\n- *.airbnb-aws.com\n- *.luxuryretreats.com\n- Luxury Retreats iOS app\n\n## Out of Scope Properties:\n- Properties not explicitly listed above are unlikely to be triaged\n\n## Out of Scope Vulnerabilities:\n- Denial of service attacks\n- Phishing attacks\n- Social engineering attacks\n- Reflected file download\n- Software version disclosure\n- Issues requiring direct physical access\n- Issues requiring exceedingly unlikely user interaction\n- Flaws affecting out-of-date browsers and plugins\n- Logout CSRF\n- Publicly accessible login panels\n- CSV injection\n- Email enumeration / account oracles\n- CSP Policy Weaknesses\n\n## Misc\n\n[Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n\n[Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-10-25T21:00:22.039Z"},{"id":3558004,"new_policy":"##  In Scope Properties:\n- www.airbnb.com\n- next.airbnb.com\n- api.airbnb.com\n- support-api.airbnb.com\n- assets.airbnb.com\n- m.airbnb.com\n- omgpro.airbnb.com\n- one.airbnb.com\n- open.airbnb.com\n- callbacks.airbnb.com\n- *.airbnb.com\n- [All 
localized airbnb sites](https://www.airbnb.com/sitemaps/localized)\n- *.airbnbcitizen.com\n- Airbnb iOS app\n- Airbnb Android app\n\n## Less impact:\n- *.atairbnb.com\n- *.withairbnb.com\n- *.byairbnb.com\n- *.muscache.com\n- *.airbnb-aws.com\n- *.luxuryretreats.com\n- Luxury Retreats iOS app\n\n## Out of Scope Properties:\n- Properties not explicitly listed above are unlikely to be triaged\n\n## Out of Scope Vulnerabilities:\n- Denial of service attacks\n- Phishing attacks\n- Social engineering attacks\n- Reflected file download\n- Software version disclosure\n- Issues requiring direct physical access\n- Issues requiring exceedingly unlikely user interaction\n- Flaws affecting out-of-date browsers and plugins\n- Logout CSRF\n- Publicly accessible login panels\n- CSV injection\n- Email enumeration / account oracles\n- CSP Policy Weaknesses\n\n## Misc\n\n[Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n\n[Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-07-20T17:04:38.622Z"},{"id":3557037,"new_policy":"##  In Scope Properties:\n- www.airbnb.com\n- next.airbnb.com\n- api.airbnb.com\n- support-api.airbnb.com\n- assets.airbnb.com\n- m.airbnb.com\n- omgpro.airbnb.com\n- one.airbnb.com\n- open.airbnb.com\n- callbacks.airbnb.com\n- *.airbnb.com\n- [All localized airbnb sites](https://www.airbnb.com/sitemaps/localized)\n- *.airbnbcitizen.com\n- Airbnb iOS app\n- Airbnb Android app\n\n## Less impact:\n- *.atairbnb.com\n- *.withairbnb.com\n- *.byairbnb.com\n- *.muscache.com\n- *.airbnb-aws.com\n- *.luxuryretreats.com\n- Luxury Retreats iOS app\n\n## Out of Scope Properties:\n- Properties not explicitly listed above are unlikely to 
receive a payout\n\n## Out of Scope Vulnerabilities:\n- Denial of service attacks\n- Phishing attacks\n- Social engineering attacks\n- Reflected file download\n- Software version disclosure\n- Issues requiring direct physical access\n- Issues requiring exceedingly unlikely user interaction\n- Flaws affecting out-of-date browsers and plugins\n- Logout CSRF\n- Publicly accessible login panels\n- CSV injection\n- Email enumeration / account oracles\n- CSP Policy Weaknesses\n\n## Misc\n\n[Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n\n[Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-07-06T19:18:35.730Z"},{"id":3555420,"new_policy":"##  In Scope Properties:\n- www.airbnb.com\n- next.airbnb.com\n- api.airbnb.com\n- support-api.airbnb.com\n- assets.airbnb.com\n- m.airbnb.com\n- omgpro.airbnb.com\n- one.airbnb.com\n- open.airbnb.com\n- callbacks.airbnb.com\n- *.airbnb.com\n- [All localized airbnb sites](https://www.airbnb.com/sitemaps/localized)\n- *.airbnbcitizen.com\n- Airbnb iOS app\n- Airbnb Android app\n\n## Less impact / payout:\n- *.atairbnb.com\n- *.withairbnb.com\n- *.byairbnb.com\n- *.muscache.com\n- *.airbnb-aws.com\n- *.luxuryretreats.com\n- Luxury Retreats iOS app\n\n## Out of Scope Properties:\n- Properties not explicitly listed above are unlikely to receive a payout\n\n## Out of Scope Vulnerabilities:\n- Denial of service attacks\n- Phishing attacks\n- Social engineering attacks\n- Reflected file download\n- Software version disclosure\n- Issues requiring direct physical access\n- Issues requiring exceedingly unlikely user interaction\n- Flaws affecting out-of-date browsers and plugins\n- Logout CSRF\n- Publicly 
accessible login panels\n- CSV injection\n- Email enumeration / account oracles\n- CSP Policy Weaknesses\n\n## Misc\n\n[Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n\n[Past versions of this policy](https://hackerone.com/airbnb/policy_versions)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-06-09T20:24:04.937Z"},{"id":3555417,"new_policy":"# Policy\n\n##  In Scope Properties:\n- www.airbnb.com\n- next.airbnb.com\n- api.airbnb.com\n- support-api.airbnb.com\n- assets.airbnb.com\n- m.airbnb.com\n- omgpro.airbnb.com\n- one.airbnb.com\n- open.airbnb.com\n- callbacks.airbnb.com\n- *.airbnb.com\n- [All localized airbnb sites](https://www.airbnb.com/sitemaps/localized)\n- *.airbnbcitizen.com\n- Airbnb iOS app\n- Airbnb Android app\n\n## Less impact / payout:\n- *.atairbnb.com\n- *.withairbnb.com\n- *.byairbnb.com\n- *.muscache.com\n- *.airbnb-aws.com\n- *.luxuryretreats.com\n- Luxury Retreats iOS app\n\n## Out of Scope Properties:\n- Properties not explicitly listed above are unlikely to receive a payout\n\n## Out of Scope Vulnerabilities:\n- Denial of service attacks\n- Phishing attacks\n- Social engineering attacks\n- Reflected file download\n- Software version disclosure\n- Issues requiring direct physical access\n- Issues requiring exceedingly unlikely user interaction\n- Flaws affecting out-of-date browsers and plugins\n- Logout CSRF\n- Publicly accessible login panels\n- CSV injection\n- Email enumeration / account oracles\n- CSP Policy Weaknesses\n\n## Misc\n\n[Researchers who have our thanks](https://hackerone.com/airbnb/thanks)\n\n[Past versions of this 
policy](https://hackerone.com/airbnb/policy_versions)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-06-09T20:23:31.253Z"},{"id":1630871,"new_policy":"We're committed to protecting our community.  If you're a security expert or researcher and you believe you've discovered a security-related issue with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly. We ask the security research community to give us an opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. Please make a good faith effort to protect our users' privacy and data. We are committed to addressing security issues responsibly and in a timely manner.\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our [Help Center](https://www.airbnb.com/help).\n\n### Scope\nOur program is limited to technical vulnerabilities in Airbnb mobile and web applications; please do not attempt phishing attacks against our users.  Out of concern for the availability of our services to all users, please do not attempt to carry out DoS attacks, spam people, or do other similarly questionable things. 
We also discourage the use of any vulnerability testing tools that automatically generate very significant volumes of traffic.\nWe welcome you to report problems under www.airbnb.com, and any of the localized versions of our website, but there are some exceptions to the disclosure program, including \n* blog.airbnb.com\n* nerds.airbnb.com\n* publicpolicy.airbnb.com\n* replay.vidyo.airbnb.com\n\n### Non-qualifying vulnerabilities\nDepending on their impact, some reported issues may not qualify. Although we review them on a case-by-case basis, here are some of the common low-risk issues that typically do not qualify\n* Software version disclosure\n* Issues requiring direct physical access to mobile device\n* Bugs requiring exceedingly unlikely user interaction.\n* Flaws affecting the users of out-of-date browsers and plugins. \n* Logout CSRF\n* Abuse scenarios against our infrastructure \n* Email enumeration \n\n[View past researchers](https://hackerone.com/airbnb/thanks) who have made responsible disclosures to us.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-06-26T18:38:51.067Z"},{"id":1630848,"new_policy":"We're committed to protecting our community.  If you're a security expert or researcher and you believe you've discovered a security-related issue with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly. We ask the security research community to give us an opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. Please make a good faith effort to protect our users' privacy and data. 
We are committed to addressing security issues responsibly and in a timely manner.\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our [Help Center](https://www.airbnb.com/help).\n\n### Scope\nOur program is limited to technical vulnerabilities in Airbnb mobile and web applications; please do not attempt phishing attacks against our employees.  Out of concern for the availability of our services to all users, please do not attempt to carry out DoS attacks, spam people, or do other similarly questionable things. We also discourage the use of any vulnerability testing tools that automatically generate very significant volumes of traffic.\nWe welcome you to report problems under www.airbnb.com, and any of the localized versions of our website, but there are some exceptions to the disclosure program, including \n* blog.airbnb.com\n* nerds.airbnb.com\n* publicpolicy.airbnb.com\n* replay.vidyo.airbnb.com\n\n### Non-qualifying vulnerabilities\nDepending on their impact, some reported issues may not qualify. Although we review them on a case-by-case basis, here are some of the common low-risk issues that typically do not qualify\n* Software version disclosure\n* Issues requiring direct physical access to mobile device\n* Bugs requiring exceedingly unlikely user interaction.\n* Flaws affecting the users of out-of-date browsers and plugins. 
\n* Logout CSRF\n* Abuse scenarios against our infrastructure \n* Email enumeration \n\n[View past researchers](https://hackerone.com/airbnb/thanks) who have made responsible disclosures to us.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-06-26T18:36:41.213Z"},{"id":1630847,"new_policy":"We're committed to protecting our community.  If you're a security expert or researcher and you believe you've discovered a security-related issue with Airbnb's online systems, we appreciate your help in disclosing the issue to us responsibly. We ask the security research community to give us an opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. Please make a good faith effort to protect our users' privacy and data. We are committed to addressing security issues responsibly and in a timely manner.\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our [Help Center](https://www.airbnb.com/help).\n\n### Scope\nOur program is limited to technical vulnerabilities in Airbnb mobile and web applications; please do not attempt phishing attacks against our employees.  Out of concern for the availability of our services to all users, please do not attempt to carry out DoS attacks, spam people, or do other similarly questionable things. 
We also discourage the use of any vulnerability testing tools that automatically generate very significant volumes of traffic.\nWe welcome you to report problems under www.airbnb.com, and any of the localized versions of our website, but there are some exceptions to the disclosure program, including \n* blog.airbnb.com\n* nerds.airbnb.com\n* publicpolicy.airbnb.com\n* replay.vidyo.airbnb.com\n\n### Non-qualifying vulnerabilities\nDepending on their impact, some reported issues may not qualify. Although we review them on a case-by-case basis, here are some of the common low-risk issues that typically do not qualify\n* Software version disclosure\n* Issues requiring direct physical access to mobile device\n* Bugs requiring exceedingly unlikely user interaction.\n* Flaws affecting the users of out-of-date browsers and plugins. \n* Logout CSRF\n* Abuse scenarios against our infrastructure \n* Email enumeration \n\n\n[View past researchers](https://hackerone.com/airbnb/thanks) who have made responsible disclosures to us.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-06-26T18:36:09.955Z"},{"id":1378785,"new_policy":"We're committed to protecting our community.\n\nIf you're a security expert or researcher and you believe you've discovered a security-related issue with Airbnb's online systems -- except blog.airbnb.com, nerds.airbnb.com and publicpolicy.airbnb.com  -- we appreciate your help in disclosing the issue to us responsibly.\n\nWe ask the security research community to give us an opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. 
Please make a good faith effort to protect our users' privacy and data. We are committed to addressing security issues responsibly and in a timely manner.\n\nThis program is dedicated to perceived online security issues that may affect many people on Airbnb. If you're having issues related to your individual account, then please visit our [Help Center](https://www.airbnb.com/help).\n\n[View past researchers](https://hackerone.com/airbnb/thanks) who have made responsible disclosures to us.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-04-13T19:57:12.216Z"},{"id":1378771,"new_policy":"\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-04-13T19:52:49.223Z"}]