[{"id":3772705,"new_policy":"## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and/or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. 
\n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Bounty payouts will be issued upon confirmation that the vulnerability is slated for remediation\n\n* Critical = 30 days\n* High = 60 days\n* Medium = 90 days\n* Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations, e.g., GitHub.\n* Do not intentionally harm other guests or their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated - to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and contractors cannot participate in this program.\n* You cannot participate in this program if you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not already known and can be reproduced. \n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n* Researchers are prohibited from using, completing, or staying on any booking obtained through an exploit, including bookings that result in free, discounted, or otherwise unauthorized stays.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements - Hyatt Hotels\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made a minimum of four months into the future.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments section in bookings.\n\n## Testing Requirements – ALG Properties \nReview this document for all testing requirements: 
\n* Please review the F2216536\n\n## Fraud and Privacy Testing - Hyatt Assets Only\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. Can you discover any PII of these accounts? Stay details? Can you elevate their tier status? Can you steal the points!? \n\n### Target these World of Hyatt accounts for fraud and privacy-related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are up to the discretion of Hyatt.\n\n## Hyatt Hotels In Scope Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n## ALG In Scope Assets\n**No additional subdomains unless explicitly mentioned.**\n* booking.cheapcaribbean.com\n* book.cheapcaribbean.com\n* res.vacations.buschgardens.com\n* res.vacations.sesameplace.com\n* vacations.travelimpressions.com\n* www.blueskytours.com\n* www.cheapcaribbean.com\n* www.triseptsolutions.com\n* blueskytours.globalbookingsolutions.com\n* book.beachbound.com\n* res.funjet.com\n* res.secretsresorts.com\n* res.skyteam.com\n* res.vacations.discoverycove.com\n* res.vacations.seaworld.com\n* 
vacations.universalstudioshollywood.com\n* www.funjet.com\n* www.universalorlandovacations.com\n* www.wynnvacations.com\n* www.beachbound.com\n* booking.beachbound.com\n* book.applevacations.com\n* book.booktandl.com\n* login.www.vaxvacationaccess.com\n* new.www.vaxvacationaccess.com\n* res.blueskytours.globalbookingsolutions.com\n* res.southwestvacations.com\n* res.universalorlandovacations.com\n* res.vacations.united.com\n* res.vacations.universalstudioshollywood.com\n* reservations.wynnvacations.com\n* rezagent.triseptsolutions.com\n* shop.wyndhamvacationownership.trisept.travel\n* www.triseptapi.com\n* www.triseptdemo.com\n* vacations.united.com\n* www.applevacations.com\n* 199.66.248.0/22\n* res.hyattinclusivecollection.com\n* www.hyattinclusivecollection.com\n* booking.applevacations.com\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on Hyatt-managed public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of 
Scope\n### Assets\n* Any other Hyatt/ALG assets not specifically listed as in-scope.\n* Any communication with Hyatt or ALG colleagues.\n* Attacks against any account other than the specified target accounts.\n* Data breaches or credential dumps.\n* Hotel properties and their physical and network infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. **The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices\n    * This includes reports revealing vulnerabilities and exploits disclosed within a standard 30-day patching window.\n* Password and 
account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* POST-Based reports requiring a victim to request files hosted on out-of-scope assets.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Zero-day vulnerabilities and exploits in vendor software.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## XSS Policy\n* Stored XSS is classified as Medium-severity.\n* Reflected XSS is classified as Low-severity.\n* XSS on IE only is classified as Informational.\n* POST-Based XSS is classified as Not Applicable.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-04-16T13:54:54.254Z"},{"id":3769269,"new_policy":"## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and/or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. 
\n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Bounty payouts will be issued upon confirmation that the vulnerability is slated for remediation\n\n* Critical = 30 days\n* High = 60 days\n* Medium = 90 days\n* Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations, e.g., GitHub.\n* Do not intentionally harm other guests or their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated - to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and contractors cannot participate in this program.\n* You cannot participate in this program if you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not already known and can be reproduced. \n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n* Researchers are prohibited from using, completing, or staying on any booking obtained through an exploit, including bookings that result in free, discounted, or otherwise unauthorized stays.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements - Hyatt Hotels\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made a minimum of four months into the future.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments section in bookings.\n\n## Testing Requirements – ALG Properties \nReview this document for all testing requirements: 
\n* Please review the F2216536\n\n## Fraud and Privacy Testing - Hyatt Assets Only\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. Can you discover any PII of these accounts? Stay details? Can you elevate their tier status? Can you steal the points!? \n\n### Target these World of Hyatt accounts for fraud and privacy-related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are up to the discretion of Hyatt.\n\n## Hyatt Hotels In Scope Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n## ALG In Scope Assets\n**No additional subdomains unless explicitly mentioned.**\n* booking.cheapcaribbean.com\n* book.cheapcaribbean.com\n* res.treasureisland.globalbookingsolutions.com\n* res.vacations.buschgardens.com\n* res.vacations.sesameplace.com\n* vacations.travelimpressions.com\n* www.blueskytours.com\n* www.cheapcaribbean.com\n* www.triseptsolutions.com\n* blueskytours.globalbookingsolutions.com\n* book.beachbound.com\n* res.funjet.com\n* res.secretsresorts.com\n* res.skyteam.com\n* res.vacations.discoverycove.com\n* 
res.vacations.seaworld.com\n* vacations.universalstudioshollywood.com\n* www.funjet.com\n* www.universalorlandovacations.com\n* www.wynnvacations.com\n* www.beachbound.com\n* booking.beachbound.com\n* book.applevacations.com\n* book.booktandl.com\n* login.www.vaxvacationaccess.com\n* new.www.vaxvacationaccess.com\n* res.blueskytours.globalbookingsolutions.com\n* res.southwestvacations.com\n* res.universalorlandovacations.com\n* res.vacations.united.com\n* res.vacations.universalstudioshollywood.com\n* reservations.wynnvacations.com\n* rezagent.triseptsolutions.com\n* shop.wyndhamvacationownership.trisept.travel\n* www.triseptapi.com\n* www.triseptdemo.com\n* vacations.united.com\n* www.applevacations.com\n* 199.66.248.0/22\n* res.hyattinclusivecollection.com\n* www.hyattinclusivecollection.com\n* booking.applevacations.com\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on Hyatt-managed public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase 
the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt/ALG assets not specifically listed as in-scope.\n* Any communication with Hyatt or ALG colleagues.\n* Attacks against any account other than the specified target accounts.\n* Data breaches or credential dumps.\n* Hotel properties and their physical and network infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. **The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices\n    * This includes reports revealing vulnerabilities and exploits disclosed within a standard 30-day patching 
window.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* POST-Based reports requiring a victim to request files hosted on out-of-scope assets.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Zero-day vulnerabilities and exploits in vendor software.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## XSS Policy\n* Stored XSS is classified as Medium-severity.\n* Reflected XSS is classified as Low-severity.\n* XSS on IE only is classified as Informational.\n* POST-Based XSS is classified as Not Applicable.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-02-04T20:57:32.692Z"},{"id":3768895,"new_policy":"## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and/or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. 
\n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Bounty payouts will be issued upon confirmation that the vulnerability is slated for remediation\n\n* Critical = 30 days\n* High = 60 days\n* Medium = 90 days\n* Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations, e.g., GitHub.\n* Do not intentionally harm other guests or their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated - to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and contractors cannot participate in this program.\n* You cannot participate in this program if you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not already known and can be reproduced. \n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n* Researchers are prohibited from using, completing, or staying on any booking obtained through an exploit, including bookings that result in free, discounted, or otherwise unauthorized stays.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements - Hyatt Hotels\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made a minimum of four months into the future.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments section in bookings.\n\n## Testing Requirements – ALG Properties \nReview this document for all testing requirements: 
\n* Please review the F2216536\n\n## Fraud and Privacy Testing - Hyatt Assets Only\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. Can you discover any PII of these accounts? Stay details? Can you elevate their tier status? Can you steal the points!? \n\n### Target these World of Hyatt accounts for fraud and privacy-related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are up to the discretion of Hyatt.\n\n## Hyatt Hotels In Scope Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n## ALG In Scope Assets\n**No additional subdomains unless explicitly mentioned.**\n* booking.cheapcaribbean.com\n* book.cheapcaribbean.com\n* res.nowresorts.com\n* res.treasureisland.globalbookingsolutions.com\n* res.vacations.buschgardens.com\n* res.vacations.sesameplace.com\n* vacations.travelimpressions.com\n* www.blueskytours.com\n* www.cheapcaribbean.com\n* www.triseptsolutions.com\n* blueskytours.globalbookingsolutions.com\n* book.beachbound.com\n* res.funjet.com\n* res.secretsresorts.com\n* res.skyteam.com\n* 
res.vacations.discoverycove.com\n* res.vacations.seaworld.com\n* vacations.universalstudioshollywood.com\n* www.funjet.com\n* www.universalorlandovacations.com\n* www.wynnvacations.com\n* www.beachbound.com\n* booking.beachbound.com\n* book.applevacations.com\n* book.booktandl.com\n* login.www.vaxvacationaccess.com\n* new.www.vaxvacationaccess.com\n* res.blueskytours.globalbookingsolutions.com\n* res.southwestvacations.com\n* res.universalorlandovacations.com\n* res.vacations.united.com\n* res.vacations.universalstudioshollywood.com\n* reservations.wynnvacations.com\n* rezagent.triseptsolutions.com\n* shop.wyndhamvacationownership.trisept.travel\n* www.triseptapi.com\n* www.triseptdemo.com\n* vacations.united.com\n* www.applevacations.com\n* 199.66.248.0/22\n* res.hyattinclusivecollection.com\n* www.hyattinclusivecollection.com\n* booking.applevacations.com\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on Hyatt-managed public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of 
multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt/ALG assets not specifically listed as in-scope.\n* Any communication with Hyatt or ALG colleagues.\n* Attacks against any account other than the specified target accounts.\n* Data breaches or credential dumps.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
**The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices\n    * This includes reports revealing vulnerabilities and exploits disclosed within a standard 30-day patching window.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* POST-Based reports requiring a victim to request files hosted on out-of-scope assets.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Zero-day vulnerabilities and exploits in vendor software.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do 
not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## XSS Policy\n* Stored XSS is classified as Medium-severity.\n* Reflected XSS is classified as Low-severity.\n* XSS on IE only is classified as Informational.\n* POST-Based XSS is classified as Not Applicable.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-01-28T15:55:00.051Z"},{"id":3765474,"new_policy":"## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! 
\n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Bounty payouts will be issued upon confirmation that the vulnerability is slated for remediation\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and contractors cannot participate in 
this program.\n* You cannot participate in this program if you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements - Hyatt Hotels\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made a minimum of four months into the future.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If 
possible, add \"HackerOne\" to the comments section in bookings.\n\n## Testing Requirements – ALG Properties \nReview this document for all testing requirements: \n•\tPlease review the F2216536\n\n## Fraud and Privacy Testing - Hyatt Assets Only\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. Can you discover any PII of these accounts? Stay details? Can you elevate their tier status? Can you steal the points!? \n\n### Target these World of Hyatt accounts for fraud and privacy-related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of Hyatt.\n\n## Hyatt Hotels In Scope Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n##ALG In Scope Assets\n**No additional subdomains unless explicitly mentioned.**\n* booking.cheapcaribbean.com\n* book.cheapcaribbean.com\n* res.nowresorts.com\n* res.treasureisland.globalbookingsolutions.com\n* res.vacations.buschgardens.com\n* res.vacations.sesameplace.com\n* vacations.travelimpressions.com\n* www.blueskytours.com\n* www.cheapcaribbean.com\n* 
www.triseptsolutions.com\n* blueskytours.globalbookingsolutions.com\n* book.beachbound.com\n* res.funjet.com\n* res.secretsresorts.com\n* res.skyteam.com\n* res.vacations.discoverycove.com\n* res.vacations.seaworld.com\n* vacations.universalstudioshollywood.com\n* www.funjet.com\n* www.universalorlandovacations.com\n* www.wynnvacations.com\n* www.beachbound.com\n* booking.beachbound.com\n* book.applevacations.com\n* book.booktandl.com\n* login.www.vaxvacationaccess.com\n* new.www.vaxvacationaccess.com\n* res.blueskytours.globalbookingsolutions.com\n* res.southwestvacations.com\n* res.universalorlandovacations.com\n* res.vacations.united.com\n* res.vacations.universalstudioshollywood.com\n* reservations.wynnvacations.com\n* rezagent.triseptsolutions.com\n* shop.wyndhamvacationownership.trisept.travel\n* www.triseptapi.com\n* www.triseptdemo.com\n* vacations.united.com\n* www.applevacations.com\n* 199.66.248.0/22\n* res.hyattinclusivecollection.com\n* www.hyattinclusivecollection.com\n* booking.applevacations.com\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on Hyatt-managed public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* 
Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt/ALG assets not specifically listed as in-scope.\n* Any communication with Hyatt or ALG colleagues.\n* Attacks against any account other than the specified target accounts.\n* Data breaches or credential dumps.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
**The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices\n    * This includes reports revealing vulnerabilities and exploits disclosed within a standard 30-day patching window.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* POST-Based reports requiring a victim to request files hosted on out-of-scope assets.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Zero-day vulnerabilities and exploits in vendor software.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do 
not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## XSS Policy\n* Stored XSS is classified as Medium-severity.\n* Reflected XSS is classified as Low-severity.\n* XSS on IE only is classified as Informational.\n* POST-Based XSS is classified as Not Applicable.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-11-03T20:09:43.677Z"},{"id":3762851,"new_policy":"## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! 
\n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Bounty payouts will be issued upon confirmation that the vulnerability is slated for remediation\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and contractors cannot participate in 
this program.\n* You cannot participate in this program if you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements - Hyatt Hotels\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made a minimum of four months into the future.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If 
possible, add \"HackerOne\" to the comments section in bookings.\n\n## Testing Requirements – ALG Properties \nReview this document for all testing requirements: \n•\tPlease review the F2216536\n\n## Fraud and Privacy Testing - Hyatt Assets Only\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. Can you discover any PII of these accounts? Stay details? Can you elevate their tier status? Can you steal the points!? \n\n### Target these World of Hyatt accounts for fraud and privacy-related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of Hyatt.\n\n## Hyatt Hotels In Scope Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n##ALG In Scope Assets\n**No additional subdomains unless explicitly mentioned.**\n* booking.cheapcaribbean.com\n* book.cheapcaribbean.com\n* res.nowresorts.com\n* res.treasureisland.globalbookingsolutions.com\n* res.vacations.buschgardens.com\n* res.vacations.sesameplace.com\n* vacations.travelimpressions.com\n* www.blueskytours.com\n* www.cheapcaribbean.com\n* 
www.triseptsolutions.com\n* blueskytours.globalbookingsolutions.com\n* book.beachbound.com\n* res.funjet.com\n* res.secretsresorts.com\n* res.skyteam.com\n* res.vacations.discoverycove.com\n* res.vacations.seaworld.com\n* vacations.universalstudioshollywood.com\n* vacations.us.palladiumhotelgroup.com\n* www.funjet.com\n* www.universalorlandovacations.com\n* www.wynnvacations.com\n* www.beachbound.com\n* booking.beachbound.com\n* book.applevacations.com\n* book.booktandl.com\n* login.www.vaxvacationaccess.com\n* new.www.vaxvacationaccess.com\n* res.blueskytours.globalbookingsolutions.com\n* res.southwestvacations.com\n* res.universalorlandovacations.com\n* res.vacations.united.com\n* res.vacations.universalstudioshollywood.com\n* reservations.wynnvacations.com\n* rezagent.triseptsolutions.com\n* shop.wyndhamvacationownership.trisept.travel\n* www.triseptapi.com\n* www.triseptdemo.com\n* vacations.united.com\n* www.applevacations.com\n* 199.66.248.0/22\n* res.hyattinclusivecollection.com\n* www.hyattinclusivecollection.com\n* booking.applevacations.com\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on Hyatt-managed public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable 
Cross-Site Scripting.\n* WAF bypass.\n* Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt/ALG assets not specifically listed as in-scope.\n* Any communication with Hyatt or ALG colleagues.\n* Attacks against any account other than the specified target accounts.\n* Data breaches or credential dumps.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
**The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices\n    * This includes reports revealing vulnerabilities and exploits disclosed within a standard 30-day patching window.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* POST-Based reports requiring a victim to request files hosted on out-of-scope assets.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Zero-day vulnerabilities and exploits in vendor software.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do 
not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## XSS Policy\n* Stored XSS is classified as Medium-severity.\n* Reflected XSS is classified as Low-severity.\n* XSS on IE only is classified as Informational.\n* POST-Based XSS is classified as Not Applicable.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-09-16T18:26:53.111Z"},{"id":3760872,"new_policy":"## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! 
\n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and/or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Bounty payouts will be issued upon confirmation that the vulnerability is slated for remediation\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations, e.g., GitHub.\n* Do not intentionally harm other guests or their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and contractors cannot participate in 
this program.\n* You cannot participate in this program if you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements - Hyatt Hotels\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made a minimum of four months into the future.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If 
possible, add \"HackerOne\" to the comments section in bookings.\n\n## Testing Requirements – ALG Properties \nReview this document for all testing requirements: \n•\tPlease review the F2216536\n\n## Fraud and Privacy Testing - Hyatt Assets Only\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. Can you discover any PII of these accounts? Stay details? Can you elevate their tier status? Can you steal the points!? \n\n### Target these World of Hyatt accounts for fraud and privacy-related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are up to the discretion of Hyatt.\n\n## Hyatt Hotels In Scope Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n## ALG In Scope Assets\n**No additional subdomains unless explicitly mentioned.**\n* booking.cheapcaribbean.com\n* book.cheapcaribbean.com\n* holidays-au.fijiairways.com\n* holidays-fj.fijiairways.com\n* holidays-hk.fijiairways.com\n* holidays-sg.fijiairways.com\n* holidays-us.fijiairways.com\n* res.nowresorts.com\n* res.treasureisland.globalbookingsolutions.com\n* 
res.vacations.buschgardens.com\n* res.vacations.sesameplace.com\n* vacations.travelimpressions.com\n* www.blueskytours.com\n* www.cheapcaribbean.com\n* www.triseptsolutions.com\n* blueskytours.globalbookingsolutions.com\n* book.beachbound.com\n* holidays-nz.fijiairways.com\n* res.funjet.com\n* res.secretsresorts.com\n* res.skyteam.com\n* res.vacations.discoverycove.com\n* res.vacations.seaworld.com\n* vacations.universalstudioshollywood.com\n* vacations.us.palladiumhotelgroup.com\n* www.funjet.com\n* www.universalorlandovacations.com\n* www.wynnvacations.com\n* www.beachbound.com\n* booking.beachbound.com\n* book.applevacations.com\n* book.booktandl.com\n* login.www.vaxvacationaccess.com\n* new.www.vaxvacationaccess.com\n* res.blueskytours.globalbookingsolutions.com\n* res.southwestvacations.com\n* res.universalorlandovacations.com\n* res.vacations.united.com\n* res.vacations.universalstudioshollywood.com\n* reservations.wynnvacations.com\n* rezagent.triseptsolutions.com\n* shop.wyndhamvacationownership.trisept.travel\n* www.triseptapi.com\n* www.triseptdemo.com\n* vacations.united.com\n* www.applevacations.com\n* 199.66.248.0/22\n* res.hyattinclusivecollection.com\n* www.hyattinclusivecollection.com\n* booking.applevacations.com\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on Hyatt-managed public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Online 
name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt/ALG assets not specifically listed as in-scope.\n* Any communication with Hyatt or ALG colleagues.\n* Attacks against any account other than the specified target accounts.\n* Data breaches or credential dumps.\n* Hotel properties and their physical and network infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
**The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices\n    * This includes reports revealing vulnerabilities and exploits disclosed within a standard 30-day patching window.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* POST-Based reports requiring a victim to request files hosted on out-of-scope assets.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Zero-day vulnerabilities and exploits in vendor software.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do 
not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## XSS Policy\n* Stored XSS is classified as Medium-severity.\n* Reflected XSS is classified as Low-severity.\n* XSS on IE only is classified as Informational.\n* POST-Based XSS is classified as Not Applicable.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-08-08T19:18:55.958Z"},{"id":3754760,"new_policy":"## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! 
\n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and/or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once a vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations, e.g., GitHub.\n* Do not intentionally harm other guests or their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and contractors cannot participate in this program.\n* You cannot 
participate in this program if you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements - Hyatt Hotels\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made a minimum of four months into the future.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" 
to the comments section in bookings.\n\n## Testing Requirements – ALG Properties \nReview this document for all testing requirements: \n•\tPlease review the F2216536\n\n## Fraud and Privacy Testing - Hyatt Assets Only\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. Can you discover any PII of these accounts? Stay details? Can you elevate their tier status? Can you steal the points!? \n\n### Target these World of Hyatt accounts for fraud and privacy-related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are up to the discretion of Hyatt.\n\n## Hyatt Hotels In Scope Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n## ALG In Scope Assets\n**No additional subdomains unless explicitly mentioned.**\n* booking.cheapcaribbean.com\n* book.cheapcaribbean.com\n* holidays-au.fijiairways.com\n* holidays-fj.fijiairways.com\n* holidays-hk.fijiairways.com\n* holidays-sg.fijiairways.com\n* holidays-us.fijiairways.com\n* res.nowresorts.com\n* res.treasureisland.globalbookingsolutions.com\n* res.vacations.buschgardens.com\n* 
res.vacations.sesameplace.com\n* vacations.travelimpressions.com\n* www.blueskytours.com\n* www.cheapcaribbean.com\n* www.triseptsolutions.com\n* blueskytours.globalbookingsolutions.com\n* book.beachbound.com\n* holidays-nz.fijiairways.com\n* res.funjet.com\n* res.secretsresorts.com\n* res.skyteam.com\n* res.vacations.discoverycove.com\n* res.vacations.seaworld.com\n* vacations.universalstudioshollywood.com\n* vacations.us.palladiumhotelgroup.com\n* www.funjet.com\n* www.universalorlandovacations.com\n* www.wynnvacations.com\n* www.beachbound.com\n* booking.beachbound.com\n* book.applevacations.com\n* book.booktandl.com\n* login.www.vaxvacationaccess.com\n* new.www.vaxvacationaccess.com\n* res.blueskytours.globalbookingsolutions.com\n* res.southwestvacations.com\n* res.universalorlandovacations.com\n* res.vacations.united.com\n* res.vacations.universalstudioshollywood.com\n* reservations.wynnvacations.com\n* rezagent.triseptsolutions.com\n* shop.wyndhamvacationownership.trisept.travel\n* www.triseptapi.com\n* www.triseptdemo.com\n* vacations.united.com\n* www.applevacations.com\n* 199.66.248.0/22\n* res.hyattinclusivecollection.com\n* www.hyattinclusivecollection.com\n* booking.applevacations.com\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on Hyatt-managed public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Online name changes on an account or 
award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt/ALG assets not specifically listed as in-scope.\n* Any communication with Hyatt or ALG colleagues.\n* Attacks against any account other than the specified target accounts.\n* Data breaches or credential dumps.\n* Hotel properties and their physical and network infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
**The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices\n    * This includes reports revealing vulnerabilities and exploits disclosed within a standard 30-day patching window.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* POST-Based reports requiring a victim to request files hosted on out-of-scope assets.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Zero-day vulnerabilities and exploits in vendor software.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do 
not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## XSS Policy\n* Stored XSS is classified as Medium-severity.\n* Reflected XSS is classified as Low-severity.\n* XSS on IE only is classified as Informational.\n* POST-Based XSS is classified as Not Applicable.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-02T20:13:00.802Z"},{"id":3750151,"new_policy":"## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! 
\n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and/or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once a vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations, e.g., GitHub.\n* Do not intentionally harm other guests or their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and contractors cannot participate in this program.\n* You cannot 
participate in this program if you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements - Hyatt Hotels\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made a minimum of four months into the future.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" 
to the comments section in bookings.\n\n## Testing Requirements – ALG Properties \nReview this document for all testing requirements: \n•\tPlease review the F2216536\n\n## Fraud and Privacy Testing - Hyatt Assets Only\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. Can you discover any PII of these accounts? Stay details? Can you elevate their tier status? Can you steal the points!? \n\n### Target these World of Hyatt accounts for fraud and privacy-related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are up to the discretion of Hyatt.\n\n## Hyatt Hotels In Scope Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n## ALG In Scope Assets\n**No additional subdomains unless explicitly mentioned.**\n* booking.cheapcaribbean.com\n* book.cheapcaribbean.com\n* holidays-au.fijiairways.com\n* holidays-fj.fijiairways.com\n* holidays-hk.fijiairways.com\n* holidays-sg.fijiairways.com\n* holidays-us.fijiairways.com\n* res.nowresorts.com\n* res.treasureisland.globalbookingsolutions.com\n* res.vacations.buschgardens.com\n* 
res.vacations.sesameplace.com\n* vacations.travelimpressions.com\n* www.blueskytours.com\n* www.cheapcaribbean.com\n* www.globalhotelchoices.com\n* www.triseptsolutions.com\n* blueskytours.globalbookingsolutions.com\n* book.beachbound.com\n* holidays-nz.fijiairways.com\n* res.funjet.com\n* res.secretsresorts.com\n* res.skyteam.com\n* res.vacations.discoverycove.com\n* res.vacations.seaworld.com\n* vacations.universalstudioshollywood.com\n* vacations.us.palladiumhotelgroup.com\n* www.funjet.com\n* www.universalorlandovacations.com\n* www.wynnvacations.com\n* www.beachbound.com\n* booking.beachbound.com\n* book.applevacations.com\n* book.booktandl.com\n* login.www.vaxvacationaccess.com\n* new.www.vaxvacationaccess.com\n* res.blueskytours.globalbookingsolutions.com\n* res.southwestvacations.com\n* res.universalorlandovacations.com\n* res.vacations.united.com\n* res.vacations.universalstudioshollywood.com\n* reservations.wynnvacations.com\n* rezagent.triseptsolutions.com\n* shop.wyndhamvacationownership.trisept.travel\n* www.triseptapi.com\n* www.triseptdemo.com\n* vacations.united.com\n* www.applevacations.com\n* 199.66.248.0/22\n* res.hyattinclusivecollection.com\n* www.hyattinclusivecollection.com\n* booking.applevacations.com\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on Hyatt-managed public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Online name 
changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt/ALG assets not specifically listed as in-scope.\n* Any communication with Hyatt or ALG colleagues.\n* Attacks against any account other than the specified target accounts.\n* Data breaches or credential dumps.\n* Hotel properties and their physical and network infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
**The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions, or without a demonstrated effective exploit.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n    * This includes reports revealing vulnerabilities and exploits disclosed within a standard 30-day patching window.\n* Password and account recovery policies.\n* Password policies (e.g., complexity requirements).\n* Phishing or spear phishing attacks.\n* POST-Based reports requiring a victim to request files hosted on out-of-scope assets.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL/TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Zero-day vulnerabilities and exploits in vendor software.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do 
not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Boolean-logic (true/false) responses are permissible.\n\n## XSS Policy\n* Stored XSS is classified as Medium-severity.\n* Reflected XSS is classified as Low-severity.\n* XSS on IE only is classified as Informational.\n* POST-Based XSS is classified as Not Applicable.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-02-13T15:12:07.296Z"},{"id":3748233,"new_policy":"## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! 
\n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and/or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once a vulnerability is remediated, bounty payout will occur\n\n* Critical = 30 days\n* High = 60 days\n* Medium = 90 days\n* Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations, e.g., GitHub.\n* Do not intentionally harm other guests or their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and contractors cannot participate in this program.\n* You cannot 
participate in this program if you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements - Hyatt Hotels\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made a minimum of four months into the future.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" 
to the comments section in bookings.\n\n## Testing Requirements – ALG Properties \nReview this document for all testing requirements: \n•\tPlease review the F2216536\n\n## Fraud and Privacy Testing - Hyatt Assets Only\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. Can you discover any PII of these accounts? Stay details? Can you elevate their tier status? Can you steal the points!? \n\n### Target these World of Hyatt accounts for fraud and privacy-related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are up to the discretion of Hyatt.\n\n## Hyatt Hotels In Scope Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n## ALG In Scope Assets\n**No additional subdomains unless explicitly mentioned.**\n* booking.cheapcaribbean.com\n* book.cheapcaribbean.com\n* holidays-au.fijiairways.com\n* holidays-fj.fijiairways.com\n* holidays-hk.fijiairways.com\n* holidays-sg.fijiairways.com\n* holidays-us.fijiairways.com\n* res.nowresorts.com\n* res.treasureisland.globalbookingsolutions.com\n* res.vacations.buschgardens.com\n* 
res.vacations.sesameplace.com\n* vacations.travelimpressions.com\n* www.blueskytours.com\n* www.cheapcaribbean.com\n* www.globalhotelchoices.com\n* www.triseptsolutions.com\n* blueskytours.globalbookingsolutions.com\n* book.beachbound.com\n* book.extraholidaysvacations.com\n* holidays-nz.fijiairways.com\n* res.funjet.com\n* res.secretsresorts.com\n* res.skyteam.com\n* res.vacations.discoverycove.com\n* res.vacations.seaworld.com\n* vacations.universalstudioshollywood.com\n* vacations.us.palladiumhotelgroup.com\n* www.funjet.com\n* www.universalorlandovacations.com\n* www.wynnvacations.com\n* www.beachbound.com\n* booking.beachbound.com\n* book.applevacations.com\n* book.booktandl.com\n* login.www.vaxvacationaccess.com\n* new.www.vaxvacationaccess.com\n* res.blueskytours.globalbookingsolutions.com\n* res.southwestvacations.com\n* res.universalorlandovacations.com\n* res.vacations.united.com\n* res.vacations.universalstudioshollywood.com\n* reservations.wynnvacations.com\n* rezagent.triseptsolutions.com\n* shop.wyndhamvacationownership.trisept.travel\n* www.triseptapi.com\n* www.triseptdemo.com\n* vacations.united.com\n* www.applevacations.com\n* 199.66.248.0/22\n* res.hyattinclusivecollection.com\n* www.hyattinclusivecollection.com\n* booking.applevacations.com\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on Hyatt-managed public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of 
spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt/ALG assets not specifically listed as in-scope.\n* Any communication with Hyatt or ALG colleagues.\n* Attacks against any account other than the specified target accounts.\n* Data breaches or credential dumps.\n* Hotel properties and their physical and network infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
**The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions, or without a demonstrated effective exploit.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n    * This includes reports revealing vulnerabilities and exploits disclosed within a standard 30-day patching window.\n* Password and account recovery policies.\n* Password policies (e.g., complexity requirements).\n* Phishing or spear phishing attacks.\n* POST-Based reports requiring a victim to request files hosted on out-of-scope assets.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL/TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Zero-day vulnerabilities and exploits in vendor software.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do 
not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Boolean-logic (true/false) responses are permissible.\n\n## XSS Policy\n* Stored XSS is classified as Medium-severity.\n* Reflected XSS is classified as Low-severity.\n* XSS on IE only is classified as Informational.\n* POST-Based XSS is classified as Not Applicable.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-01-16T17:07:47.143Z"},{"id":3724852,"new_policy":"## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! 
\n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and/or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once a vulnerability is remediated, bounty payout will occur\n\n* Critical = 30 days\n* High = 60 days\n* Medium = 90 days\n* Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations, e.g., GitHub.\n* Do not intentionally harm other guests or their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and contractors cannot participate in this program.\n* You cannot 
participate in this program if you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements - Hyatt Hotels\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made a minimum of four months into the future.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" 
to the comments section in bookings.\n\n## Testing Requirements – ALG Properties \nReview this document for all testing requirements: \n•\tPlease review the F2216536\n\n## Fraud and Privacy Testing - Hyatt Assets Only\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. Can you discover any PII of these accounts? Stay details? Can you elevate their tier status? Can you steal the points!? \n\n### Target these World of Hyatt accounts for fraud and privacy-related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are up to the discretion of Hyatt.\n\n## Hyatt Hotels In Scope Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n## ALG In Scope Assets\n**No additional subdomains unless explicitly mentioned.**\n* booking.cheapcaribbean.com\n* book.cheapcaribbean.com\n* holidays-au.fijiairways.com\n* holidays-fj.fijiairways.com\n* holidays-hk.fijiairways.com\n* holidays-sg.fijiairways.com\n* holidays-us.fijiairways.com\n* res.nowresorts.com\n* res.treasureisland.globalbookingsolutions.com\n* res.vacations.buschgardens.com\n* 
res.vacations.sesameplace.com\n* vacations.travelimpressions.com\n* www.blueskytours.com\n* www.cheapcaribbean.com\n* www.globalhotelchoices.com\n* www.triseptsolutions.com\n* blueskytours.globalbookingsolutions.com\n* book.beachbound.com\n* book.extraholidaysvacations.com\n* holidays-nz.fijiairways.com\n* res.en.travelbrandsagent.com\n* res.funjet.com\n* res.secretsresorts.com\n* res.skyteam.com\n* res.vacations.discoverycove.com\n* res.vacations.seaworld.com\n* vacations.universalstudioshollywood.com\n* vacations.us.palladiumhotelgroup.com\n* www.funjet.com\n* www.universalorlandovacations.com\n* www.wynnvacations.com\n* www.beachbound.com\n* booking.beachbound.com\n* book.applevacations.com\n* book.booktandl.com\n* login.en.travelbrandsagent.com\n* login.fr.travelbrandsagent.com\n* login.www.vaxvacationaccess.com\n* new.www.vaxvacationaccess.com\n* res.blueskytours.globalbookingsolutions.com\n* res.fr.travelbrandsagent.com\n* res.southwestvacations.com\n* res.universalorlandovacations.com\n* res.vacations.united.com\n* res.vacations.universalstudioshollywood.com\n* reservations.wynnvacations.com\n* rezagent.triseptsolutions.com\n* shop.wyndhamvacationownership.trisept.travel\n* www.triseptapi.com\n* www.triseptdemo.com\n* vacations.united.com\n* www.applevacations.com\n* 199.66.248.0/22\n* res.hyattinclusivecollection.com\n* www.hyattinclusivecollection.com\n* booking.applevacations.com\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on Hyatt-managed public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating 
account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt/ALG assets not specifically listed as in-scope.\n* Any communication with Hyatt or ALG colleagues.\n* Attacks against any account other than the specified target accounts.\n* Data breaches or credential dumps.\n* Hotel properties and their physical and network infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
**The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions, or without a demonstrated effective exploit.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n    * This includes reports revealing vulnerabilities and exploits disclosed within a standard 30-day patching window.\n* Password and account recovery policies.\n* Password policies (e.g., complexity requirements).\n* Phishing or spear phishing attacks.\n* POST-Based reports requiring a victim to request files hosted on out-of-scope assets.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL/TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Zero-day vulnerabilities and exploits in vendor software.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do 
not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## XSS Policy\n* Stored XSS is classified as Medium-severity.\n* Reflected XSS is classified as Low-severity.\n* XSS on IE only is classified as Informational.\n* POST-Based XSS is classified as Not Applicable.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-03T14:18:48.589Z"},{"id":3724772,"new_policy":"## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! 
\n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once a vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and contractors cannot participate in this program.\n* You cannot 
participate in this program if you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements - Hyatt Hotels\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made a minimum of four months into the future.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" 
to the comments section in bookings.\n\n## Testing Requirements – ALG Properties \nReview this document for all testing requirements: \n•\tPlease review the F2216536\n\n## Fraud and Privacy Testing - Hyatt Assets Only\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. Can you discover any PII of these accounts? Stay details? Can you elevate their tier status? Can you steal the points!? \n\n### Target these World of Hyatt accounts for fraud and privacy-related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of Hyatt.\n\n## Hyatt Hotels In Scope Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n##ALG In Scope Assets\n**No additional subdomains unless explicitly mentioned.**\n* booking.cheapcaribbean.com\n* book.cheapcaribbean.com\n* holidays-au.fijiairways.com\n* holidays-fj.fijiairways.com\n* holidays-hk.fijiairways.com\n* holidays-sg.fijiairways.com\n* holidays-us.fijiairways.com\n* res.marivalresidences.globalbookingsolutions.com\n* res.nowresorts.com\n* res.treasureisland.globalbookingsolutions.com\n* 
res.vacations.buschgardens.com\n* res.vacations.sesameplace.com\n* vacations.hotelcasavelas.com\n* vacations.loscabos.grandvelas.com\n* vacations.travelimpressions.com\n* vacations.velasvallarta.com\n* www.blueskytours.com\n* www.cheapcaribbean.com\n* www.globalhotelchoices.com\n* www.triseptsolutions.com\n* blueskytours.globalbookingsolutions.com\n* book.beachbound.com\n* book.extraholidaysvacations.com\n* holidays-nz.fijiairways.com\n* res.en.travelbrandsagent.com\n* res.funjet.com\n* res.marival.globalbookingsolutions.com\n* res.secretsresorts.com\n* res.skyteam.com\n* res.vacations.discoverycove.com\n* res.vacations.seaworld.com\n* vacations.universalstudioshollywood.com\n* vacations.us.palladiumhotelgroup.com\n* vacations.vallarta.grandvelas.com\n* www.funjet.com\n* www.universalorlandovacations.com\n* www.wynnvacations.com\n* www.beachbound.com\n* booking.beachbound.com\n* book.applevacations.com\n* book.booktandl.com\n* login.en.travelbrandsagent.com\n* login.fr.travelbrandsagent.com\n* login.www.vaxvacationaccess.com\n* new.www.vaxvacationaccess.com\n* res.blueskytours.globalbookingsolutions.com\n* res.fr.travelbrandsagent.com\n* res.southwestvacations.com\n* res.universalorlandovacations.com\n* res.vacations.united.com\n* res.vacations.universalstudioshollywood.com\n* reservations.wynnvacations.com\n* rezagent.triseptsolutions.com\n* shop.wyndhamvacationownership.trisept.travel\n* vacations.rivieramaya.grandvelas.com\n* www.triseptapi.com\n* www.triseptdemo.com\n* vacations.united.com\n* www.applevacations.com\n* 199.66.248.0/22\n* res.hyattinclusivecollection.com\n* www.hyattinclusivecollection.com\n* booking.applevacations.com\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account 
recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on Hyatt-managed public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt/ALG assets not specifically listed as in-scope.\n* Any communication with Hyatt or ALG colleagues.\n* Attacks against any account other than the specified target accounts.\n* Data breaches or credential dumps.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
**The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices\n    * This includes reports revealing vulnerabilities and exploits disclosed within a standard 30-day patching window.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* POST-Based reports requiring a victim to request files hosted on out-of-scope assets.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Zero-day vulnerabilities and exploits in vendor software.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do 
not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## XSS Policy\n* Stored XSS is classified as Medium-severity.\n* Reflected XSS is classified as Low-severity.\n* XSS on IE only is classified as Informational.\n* POST-Based XSS is classified as Not Applicable.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-02T19:42:20.739Z"},{"id":3722458,"new_policy":"## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! 
\n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once a vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and contractors cannot participate in this program.\n* You cannot 
participate in this program if you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements - Hyatt Hotels\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made a minimum of four months into the future.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" 
to the comments section in bookings.\n\n## Testing Requirements – ALG Properties \nReview this document for all testing requirements: \n•\tPlease review the F2216536\n\n## Fraud and Privacy Testing - Hyatt Assets Only\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. Can you discover any PII of these accounts? Stay details? Can you elevate their tier status? Can you steal the points!? \n\n### Target these World of Hyatt accounts for fraud and privacy-related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of Hyatt.\n\n## Hyatt Hotels In Scope Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n##ALG In Scope Assets\n**No additional subdomains unless explicitly mentioned.**\n* booking.cheapcaribbean.com\n* book.cheapcaribbean.com\n* holidays-au.fijiairways.com\n* holidays-fj.fijiairways.com\n* holidays-hk.fijiairways.com\n* holidays-sg.fijiairways.com\n* holidays-us.fijiairways.com\n* res.marivalresidences.globalbookingsolutions.com\n* res.nowresorts.com\n* res.treasureisland.globalbookingsolutions.com\n* 
res.vacations.buschgardens.com\n* res.vacations.sesameplace.com\n* vacations.hotelcasavelas.com\n* vacations.loscabos.grandvelas.com\n* vacations.travelimpressions.com\n* vacations.velasvallarta.com\n* www.blueskytours.com\n* www.cheapcaribbean.com\n* www.globalhotelchoices.com\n* www.triseptsolutions.com\n* blueskytours.globalbookingsolutions.com\n* book.beachbound.com\n* book.extraholidaysvacations.com\n* holidays-nz.fijiairways.com\n* res.en.travelbrandsagent.com\n* res.funjet.com\n* res.marival.globalbookingsolutions.com\n* res.secretsresorts.com\n* res.skyteam.com\n* res.vacations.discoverycove.com\n* res.vacations.seaworld.com\n* vacations.universalstudioshollywood.com\n* vacations.us.palladiumhotelgroup.com\n* vacations.vallarta.grandvelas.com\n* www.funjet.com\n* www.universalorlandovacations.com\n* www.wynnvacations.com\n* www.beachbound.com\n* booking.beachbound.com\n* book.applevacations.com\n* book.booktandl.com\n* login.en.travelbrandsagent.com\n* login.fr.travelbrandsagent.com\n* login.www.vaxvacationaccess.com\n* new.www.vaxvacationaccess.com\n* res.blueskytours.globalbookingsolutions.com\n* res.fr.travelbrandsagent.com\n* res.southwestvacations.com\n* res.universalorlandovacations.com\n* res.vacations.united.com\n* res.vacations.universalstudioshollywood.com\n* reservations.wynnvacations.com\n* rezagent.triseptsolutions.com\n* shop.wyndhamvacationownership.trisept.travel\n* vacations.grandclass.grandvelas.com\n* vacations.rivieramaya.grandvelas.com\n* www.triseptapi.com\n* www.triseptdemo.com\n* vacations.united.com\n* www.applevacations.com\n* 199.66.248.0/22\n* res.hyattinclusivecollection.com\n* www.hyattinclusivecollection.com\n* booking.applevacations.com\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., 
forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on Hyatt-managed public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt/ALG assets not specifically listed as in-scope.\n* Any communication with Hyatt or ALG colleagues.\n* Attacks against any account other than the specified target accounts.\n* Data breaches or credential dumps.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
**The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices\n    * This includes reports revealing vulnerabilities and exploits disclosed within a standard 30-day patching window.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* POST-Based reports requiring a victim to request files hosted on out-of-scope assets.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Zero-day vulnerabilities and exploits in vendor software.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do 
not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## XSS Policy\n* Stored XSS is classified as Medium-severity.\n* Reflected XSS is classified as Low-severity.\n* XSS on IE only is classified as Informational.\n* POST-Based XSS is classified as Not Applicable.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-03T16:13:16.478Z"},{"id":3722098,"new_policy":"## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! 
\n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once a vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and contractors cannot participate in this program.\n* You cannot 
participate in this program if you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements - Hyatt Hotels\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made a minimum of four months into the future.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" 
to the comments section in bookings.\n\n## Testing Requirements – ALG Properties \nReview this document for all testing requirements: \n•\tPlease review the F2216536\n\n## Fraud and Privacy Testing - Hyatt Assets Only\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. Can you discover any PII of these accounts? Stay details? Can you steal the points!? \n\n### Target these World of Hyatt accounts for fraud and privacy-related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of Hyatt.\n\n## Hyatt Hotels In Scope Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n##ALG In Scope Assets\n**No additional subdomains unless explicitly mentioned.**\n* booking.cheapcaribbean.com\n* book.cheapcaribbean.com\n* holidays-au.fijiairways.com\n* holidays-fj.fijiairways.com\n* holidays-hk.fijiairways.com\n* holidays-sg.fijiairways.com\n* holidays-us.fijiairways.com\n* res.marivalresidences.globalbookingsolutions.com\n* res.nowresorts.com\n* res.treasureisland.globalbookingsolutions.com\n* res.vacations.buschgardens.com\n* 
res.vacations.sesameplace.com\n* vacations.hotelcasavelas.com\n* vacations.loscabos.grandvelas.com\n* vacations.travelimpressions.com\n* vacations.velasvallarta.com\n* www.blueskytours.com\n* www.cheapcaribbean.com\n* www.globalhotelchoices.com\n* www.triseptsolutions.com\n* blueskytours.globalbookingsolutions.com\n* book.beachbound.com\n* book.extraholidaysvacations.com\n* holidays-nz.fijiairways.com\n* res.en.travelbrandsagent.com\n* res.funjet.com\n* res.marival.globalbookingsolutions.com\n* res.secretsresorts.com\n* res.skyteam.com\n* res.vacations.discoverycove.com\n* res.vacations.seaworld.com\n* vacations.universalstudioshollywood.com\n* vacations.us.palladiumhotelgroup.com\n* vacations.vallarta.grandvelas.com\n* www.funjet.com\n* www.universalorlandovacations.com\n* www.wynnvacations.com\n* www.beachbound.com\n* booking.beachbound.com\n* book.applevacations.com\n* book.booktandl.com\n* login.en.travelbrandsagent.com\n* login.fr.travelbrandsagent.com\n* login.www.vaxvacationaccess.com\n* new.www.vaxvacationaccess.com\n* res.blueskytours.globalbookingsolutions.com\n* res.fr.travelbrandsagent.com\n* res.southwestvacations.com\n* res.universalorlandovacations.com\n* res.vacations.united.com\n* res.vacations.universalstudioshollywood.com\n* reservations.wynnvacations.com\n* rezagent.triseptsolutions.com\n* shop.wyndhamvacationownership.trisept.travel\n* vacations.grandclass.grandvelas.com\n* vacations.rivieramaya.grandvelas.com\n* www.triseptapi.com\n* www.triseptdemo.com\n* vacations.united.com\n* www.applevacations.com\n* 199.66.248.0/22\n* res.hyattinclusivecollection.com\n* www.hyattinclusivecollection.com\n* booking.applevacations.com\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing 
account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on Hyatt-managed public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt/ALG assets not specifically listed as in-scope.\n* Any communication with Hyatt or ALG colleagues.\n* Attacks against any account other than the specified target accounts.\n* Data breaches or credential dumps.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
**The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices\n    * This includes reports revealing vulnerabilities and exploits disclosed within a standard 30-day patching window.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* POST-Based reports requiring a victim to request files hosted on out-of-scope assets.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Zero-day vulnerabilities and exploits in vendor software.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do 
not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## XSS Policy\n* Stored XSS is classified as Medium-severity.\n* Reflected XSS is classified as Low-severity.\n* XSS on IE only is classified as Informational.\n* POST-Based XSS is classified as Not Applicable.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-03-29T19:00:05.364Z"},{"id":3710542,"new_policy":"## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! 
\n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once a vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and contractors cannot participate in this program.\n* You cannot 
participate in this program if you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements - Hyatt Hotels\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made a minimum of four months into the future.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" 
to the comments section in bookings.\n\n## Testing Requirements – ALG Properties \nReview this document for all testing requirements: \n•\tPlease review the F2216536\n\n## Fraud and Privacy Testing - Hyatt Assets Only\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. Can you discover any PII of these accounts? Stay details? Can you steal the points!? \n\n### Target these World of Hyatt accounts for fraud and privacy-related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of Hyatt.\n\n## Hyatt Hotels In Scope Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n##ALG In Scope Assets\n**No additional subdomains unless explicitly mentioned.**\n* booking.cheapcaribbean.com\n* book.cheapcaribbean.com\n* holidays-au.fijiairways.com\n* holidays-fj.fijiairways.com\n* holidays-hk.fijiairways.com\n* holidays-sg.fijiairways.com\n* holidays-us.fijiairways.com\n* images2.triseptsolutions.com\n* res.marivalresidences.globalbookingsolutions.com\n* res.nowresorts.com\n* res.treasureisland.globalbookingsolutions.com\n* 
res.vacations.buschgardens.com\n* res.vacations.sesameplace.com\n* vacations.hotelcasavelas.com\n* vacations.loscabos.grandvelas.com\n* vacations.travelimpressions.com\n* vacations.velasvallarta.com\n* www.blueskytours.com\n* www.cheapcaribbean.com\n* www.globalhotelchoices.com\n* www.marktravel.com\n* www.triseptsolutions.com\n* blueskytours.globalbookingsolutions.com\n* book.beachbound.com\n* book.extraholidaysvacations.com\n* holidays-nz.fijiairways.com\n* res.en.travelbrandsagent.com\n* res.funjet.com\n* res.marival.globalbookingsolutions.com\n* res.secretsresorts.com\n* res.skyteam.com\n* res.vacations.discoverycove.com\n* res.vacations.seaworld.com\n* vacations.universalstudioshollywood.com\n* vacations.us.palladiumhotelgroup.com\n* vacations.vallarta.grandvelas.com\n* www.funjet.com\n* www.universalorlandovacations.com\n* www.wynnvacations.com\n* www.beachbound.com\n* booking.beachbound.com\n* book.applevacations.com\n* book.booktandl.com\n* login.en.travelbrandsagent.com\n* login.fr.travelbrandsagent.com\n* login.www.vaxvacationaccess.com\n* new.www.vaxvacationaccess.com\n* res.blueskytours.globalbookingsolutions.com\n* res.fr.travelbrandsagent.com\n* res.southwestvacations.com\n* res.universalorlandovacations.com\n* res.vacations.united.com\n* res.vacations.universalstudioshollywood.com\n* reservations.wynnvacations.com\n* rezagent.triseptsolutions.com\n* shop.wyndhamvacationownership.trisept.travel\n* vacations.grandclass.grandvelas.com\n* vacations.rivieramaya.grandvelas.com\n* www.triseptapi.com\n* www.triseptdemo.com\n* vacations.united.com\n* www.applevacations.com\n* 199.66.248.0/22\n* res.hyattinclusivecollection.com\n* www.hyattinclusivecollection.com\n* booking.applevacations.com\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to 
an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on Hyatt-managed public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt/ALG assets not specifically listed as in-scope.\n* Any communication with Hyatt or ALG colleagues.\n* Attacks against any account other than the specified target accounts.\n* Data breaches or credential dumps.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
**The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices\n    * This includes reports revealing vulnerabilities and exploits disclosed within a standard 30-day patching window.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* POST-Based reports requiring a victim to request files hosted on out-of-scope assets.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Zero-day vulnerabilities and exploits in vendor software.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do 
not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## XSS Policy\n* Stored XSS is classified as Medium-severity.\n* Reflected XSS is classified as Low-severity.\n* XSS on IE only is classified as Informational.\n* POST-Based XSS is classified as Not Applicable.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-01-10T15:58:11.263Z"},{"id":3710528,"new_policy":"## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! 
\n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once a vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and contractors cannot participate in this program.\n* You cannot 
participate in this program if you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements - Hyatt Hotels\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made a minimum of four months into the future.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" 
to the comments section in bookings.\n\n## Testing Requirements – ALG Properties \nReview this document for all testing requirements: \n•\tPlease review the F2216536\n\n## Fraud and Privacy Testing - Hyatt Assets Only\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. Can you discover any PII of these accounts? Stay details? Can you steal the points!? \n\n### Target these World of Hyatt accounts for fraud and privacy-related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of Hyatt.\n\n## Hyatt Hotels In Scope Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n##ALG In Scope Assets\n**No additional subdomains unless explicitly mentioned.**\n* booking.cheapcaribbean.com\n* book.cheapcaribbean.com\n* holidays-au.fijiairways.com\n* holidays-fj.fijiairways.com\n* holidays-hk.fijiairways.com\n* holidays-sg.fijiairways.com\n* holidays-us.fijiairways.com\n* images2.triseptsolutions.com\n* res.marivalresidences.globalbookingsolutions.com\n* res.nowresorts.com\n* res.treasureisland.globalbookingsolutions.com\n* 
res.vacations.buschgardens.com\n* res.vacations.sesameplace.com\n* vacations.hotelcasavelas.com\n* vacations.loscabos.grandvelas.com\n* vacations.travelimpressions.com\n* vacations.velasvallarta.com\n* www.blueskytours.com\n* www.cheapcaribbean.com\n* www.globalhotelchoices.com\n* www.marktravel.com\n* www.triseptsolutions.com\n* blueskytours.globalbookingsolutions.com\n* book.beachbound.com\n* book.extraholidaysvacations.com\n* holidays-nz.fijiairways.com\n* res.en.travelbrandsagent.com\n* res.funjet.com\n* res.marival.globalbookingsolutions.com\n* res.secretsresorts.com\n* res.skyteam.com\n* res.vacations.discoverycove.com\n* res.vacations.seaworld.com\n* vacations.universalstudioshollywood.com\n* vacations.us.palladiumhotelgroup.com\n* vacations.vallarta.grandvelas.com\n* www.funjet.com\n* www.universalorlandovacations.com\n* www.wynnvacations.com\n* www.beachbound.com\n* booking.beachbound.com\n* book.applevacations.com\n* book.booktandl.com\n* login.en.travelbrandsagent.com\n* login.fr.travelbrandsagent.com\n* login.www.vaxvacationaccess.com\n* new.www.vaxvacationaccess.com\n* res.blueskytours.globalbookingsolutions.com\n* res.fr.travelbrandsagent.com\n* res.southwestvacations.com\n* res.universalorlandovacations.com\n* res.vacations.united.com\n* res.vacations.universalstudioshollywood.com\n* reservations.wynnvacations.com\n* rezagent.triseptsolutions.com\n* shop.wyndhamvacationownership.trisept.travel\n* vacations.grandclass.grandvelas.com\n* vacations.rivieramaya.grandvelas.com\n* www.triseptapi.com\n* www.triseptdemo.com\n* vacations.united.com\n* www.applevacations.com\n* 199.66.248.0/22\n* res.hyattinclusivecollection.com\n*www.hyattinclusivecollection.com\n*booking.applevacations.com\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an 
attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on Hyatt-managed public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt/ALG assets not specifically listed as in-scope.\n* Any communication with Hyatt or ALG colleagues.\n* Attacks against any account other than the specified target accounts.\n* Data breaches or credential dumps.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
**The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices\n    * This includes reports revealing vulnerabilities and exploits disclosed within a standard 30-day patching window.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* POST-Based reports requiring a victim to request files hosted on out-of-scope assets.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Zero-day vulnerabilities and exploits in vendor software.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do 
not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## XSS Policy\n* Stored XSS is classified as Medium-severity.\n* Reflected XSS is classified as Low-severity.\n* XSS on IE only is classified as Informational.\n* POST-Based XSS is classified as Not Applicable.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-01-10T14:49:03.172Z"},{"id":3709331,"new_policy":"## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! 
\n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once a vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and contractors cannot participate in this program.\n* You cannot 
participate in this program if you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements - Hyatt Hotels\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made a minimum of four months into the future.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" 
to the comments section in bookings.\n\n## Testing Requirements – ALG Properties \nReview this document for all testing requirements: \n* Please review the F2216536\n\n## Fraud and Privacy Testing - Hyatt Assets Only\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. Can you discover any PII of these accounts? Stay details? Can you steal the points!? \n\n### Target these World of Hyatt accounts for fraud and privacy-related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of Hyatt.\n\n## Hyatt Hotels In Scope Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n## ALG In Scope Assets\n**No additional subdomains unless explicitly mentioned.**\n* booking.cheapcaribbean.com\n* book.cheapcaribbean.com\n* holidays-au.fijiairways.com\n* holidays-fj.fijiairways.com\n* holidays-hk.fijiairways.com\n* holidays-sg.fijiairways.com\n* holidays-us.fijiairways.com\n* images2.triseptsolutions.com\n* res.marivalresidences.globalbookingsolutions.com\n* res.nowresorts.com\n* res.treasureisland.globalbookingsolutions.com\n* 
res.vacations.buschgardens.com\n* res.vacations.sesameplace.com\n* vacations.hotelcasavelas.com\n* vacations.loscabos.grandvelas.com\n* vacations.travelimpressions.com\n* vacations.velasvallarta.com\n* www.blueskytours.com\n* www.cheapcaribbean.com\n* www.globalhotelchoices.com\n* www.marktravel.com\n* www.triseptsolutions.com\n* blueskytours.globalbookingsolutions.com\n* book.beachbound.com\n* book.extraholidaysvacations.com\n* holidays-nz.fijiairways.com\n* res.en.travelbrandsagent.com\n* res.funjet.com\n* res.marival.globalbookingsolutions.com\n* res.secretsresorts.com\n* res.skyteam.com\n* res.vacations.discoverycove.com\n* res.vacations.seaworld.com\n* vacations.universalstudioshollywood.com\n* vacations.us.palladiumhotelgroup.com\n* vacations.vallarta.grandvelas.com\n* www.funjet.com\n* www.universalorlandovacations.com\n* www.wynnvacations.com\n* www.beachbound.com\n* booking.beachbound.com\n* book.applevacations.com\n* book.booktandl.com\n* login.en.travelbrandsagent.com\n* login.fr.travelbrandsagent.com\n* login.www.vaxvacationaccess.com\n* new.www.vaxvacationaccess.com\n* res.blueskytours.globalbookingsolutions.com\n* res.fr.travelbrandsagent.com\n* res.southwestvacations.com\n* res.universalorlandovacations.com\n* res.vacations.united.com\n* res.vacations.universalstudioshollywood.com\n* reservations.wynnvacations.com\n* rezagent.triseptsolutions.com\n* shop.wyndhamvacationownership.trisept.travel\n* vacations.grandclass.grandvelas.com\n* vacations.rivieramaya.grandvelas.com\n* www.triseptapi.com\n* www.triseptdemo.com\n* vacations.united.com\n* www.applevacations.com\n* 199.66.248.0/22\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container 
escape.\n* Discovery of Hyatt data on Hyatt-managed public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt/ALG assets not specifically listed as in-scope.\n* Any communication with Hyatt or ALG colleagues.\n* Attacks against any account other than the specified target accounts.\n* Data breaches or credential dumps.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
**The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices\n    * This includes reports revealing vulnerabilities and exploits disclosed within a standard 30-day patching window.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* POST-Based reports requiring a victim to request files hosted on out-of-scope assets.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Zero-day vulnerabilities and exploits in vendor software.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do 
not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## XSS Policy\n* Stored XSS is classified as Medium-severity.\n* Reflected XSS is classified as Low-severity.\n* XSS on IE only is classified as Informational.\n* POST-Based XSS is classified as Not Applicable.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-12-15T14:52:00.306Z"},{"id":3685541,"new_policy":"## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! 
\n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once a vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and contractors cannot participate in this program.\n* You cannot 
participate in this program if you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements - Hyatt Hotels\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made a minimum of four months into the future.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" 
to the comments section in bookings.\n\n## Testing Requirements – ALG Properties \nReview this document for all testing requirements: \n* Please review the F2216536\n\n## Fraud and Privacy Testing - Hyatt Assets Only\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. Can you discover any PII of these accounts? Stay details? Can you steal the points!? \n\n### Target these World of Hyatt accounts for fraud and privacy-related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of Hyatt.\n\n## Hyatt Hotels In Scope Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n## ALG In Scope Assets\n**No additional subdomains unless explicitly mentioned.**\n* booking.cheapcaribbean.com\n* book.cheapcaribbean.com\n* holidays-au.fijiairways.com\n* holidays-fj.fijiairways.com\n* holidays-hk.fijiairways.com\n* holidays-sg.fijiairways.com\n* holidays-us.fijiairways.com\n* images2.triseptsolutions.com\n* res.marivalresidences.globalbookingsolutions.com\n* res.nowresorts.com\n* res.sunscaperesorts.com\n* 
res.treasureisland.globalbookingsolutions.com\n* res.vacations.buschgardens.com\n* res.vacations.sesameplace.com\n* vacations.hotelcasavelas.com\n* vacations.loscabos.grandvelas.com\n* vacations.travelimpressions.com\n* vacations.velasvallarta.com\n* www.blueskytours.com\n* www.cheapcaribbean.com\n* www.globalhotelchoices.com\n* www.marktravel.com\n* www.triseptsolutions.com\n* blueskytours.globalbookingsolutions.com\n* book.beachbound.com\n* book.extraholidaysvacations.com\n* holidays-nz.fijiairways.com\n* res.breathlessresorts.com\n* res.dreamsresorts.com\n* res.en.travelbrandsagent.com\n* res.funjet.com\n* res.marival.globalbookingsolutions.com\n* res.secretsresorts.com\n* res.skyteam.com\n* res.vacations.discoverycove.com\n* res.vacations.seaworld.com\n* vacations.universalstudioshollywood.com\n* vacations.us.palladiumhotelgroup.com\n* vacations.vallarta.grandvelas.com\n* www.funjet.com\n* www.universalorlandovacations.com\n* www.wynnvacations.com\n* www.amrcollection.com\n* www.beachbound.com\n* booking.beachbound.com\n* book.applevacations.com\n* book.booktandl.com\n* login.en.travelbrandsagent.com\n* login.fr.travelbrandsagent.com\n* login.www.vaxvacationaccess.com\n* media.triseptsolutions.com\n* new.www.vaxvacationaccess.com\n* res.blueskytours.globalbookingsolutions.com\n* res.fr.travelbrandsagent.com\n* res.southwestvacations.com\n* res.universalorlandovacations.com\n* res.vacations.united.com\n* res.vacations.universalstudioshollywood.com\n* res.zoetryresorts.com\n* reservations.wynnvacations.com\n* rezagent.triseptsolutions.com\n* shop.wyndhamvacationownership.trisept.travel\n* vacations.grandclass.grandvelas.com\n* vacations.outrigger.com\n* vacations.rivieramaya.grandvelas.com\n* www.triseptapi.com\n* www.triseptdemo.com\n* vacations.united.com\n* www.applevacations.com\n* 199.66.248.0/22\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication 
bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on Hyatt-managed public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt/ALG assets not specifically listed as in-scope.\n* Any communication with Hyatt or ALG colleagues.\n* Attacks against any account other than the specified target accounts.\n* Data breaches or credential dumps.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
**The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices\n    * This includes reports revealing vulnerabilities and exploits disclosed within a standard 30-day patching window.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* POST-Based reports requiring a victim to request files hosted on out-of-scope assets.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Zero-day vulnerabilities and exploits in vendor software.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do 
not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## XSS Policy\n* Stored XSS is classified as Medium-severity.\n* Reflected XSS is classified as Low-severity.\n* XSS on IE only is classified as Informational.\n* POST-Based XSS is classified as Not Applicable.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-03-29T19:59:02.176Z"},{"id":3685078,"new_policy":"## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! 
\n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once a vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n**Due to COVID-19, remediation may take longer than expected.**\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and 
contractors cannot participate in this program.\n* You cannot participate in this program if you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements - Hyatt Hotels\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made a minimum of four months into the future.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments section in bookings.\n\n## Testing Requirements – ALG Properties \nReview this document for all testing requirements: \n•\tPlease review the F2216536\n\n## Fraud and Privacy Testing - Hyatt Assets Only\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. Can you discover any PII of these accounts? Stay details? Can you steal the points!? \n\n### Target these World of Hyatt accounts for fraud and privacy-related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). 
Please note these are general guidelines, and reward decisions are up to the discretion of Hyatt.\n\n## Hyatt Hotels In Scope Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n## ALG In Scope Assets\n**No additional subdomains unless explicitly mentioned.**\n* booking.cheapcaribbean.com\n* book.cheapcaribbean.com\n* holidays-au.fijiairways.com\n* holidays-fj.fijiairways.com\n* holidays-hk.fijiairways.com\n* holidays-sg.fijiairways.com\n* holidays-us.fijiairways.com\n* images2.triseptsolutions.com\n* res.marivalresidences.globalbookingsolutions.com\n* res.nowresorts.com\n* res.sunscaperesorts.com\n* res.treasureisland.globalbookingsolutions.com\n* res.vacations.buschgardens.com\n* res.vacations.sesameplace.com\n* vacations.hotelcasavelas.com\n* vacations.loscabos.grandvelas.com\n* vacations.travelimpressions.com\n* vacations.velasvallarta.com\n* www.blueskytours.com\n* www.cheapcaribbean.com\n* www.globalhotelchoices.com\n* www.marktravel.com\n* www.triseptsolutions.com\n* blueskytours.globalbookingsolutions.com\n* book.beachbound.com\n* book.extraholidaysvacations.com\n* holidays-nz.fijiairways.com\n* res.breathlessresorts.com\n* res.dreamsresorts.com\n* res.en.travelbrandsagent.com\n* res.funjet.com\n* res.marival.globalbookingsolutions.com\n* res.secretsresorts.com\n* res.skyteam.com\n* res.vacations.discoverycove.com\n* res.vacations.seaworld.com\n* vacations.universalstudioshollywood.com\n* 
vacations.us.palladiumhotelgroup.com\n* vacations.vallarta.grandvelas.com\n* www.funjet.com\n* www.universalorlandovacations.com\n* www.wynnvacations.com\n* www.amrcollection.com\n* www.beachbound.com\n* booking.beachbound.com\n* book.applevacations.com\n* book.booktandl.com\n* login.en.travelbrandsagent.com\n* login.fr.travelbrandsagent.com\n* login.www.vaxvacationaccess.com\n* media.triseptsolutions.com\n* new.www.vaxvacationaccess.com\n* res.blueskytours.globalbookingsolutions.com\n* res.fr.travelbrandsagent.com\n* res.southwestvacations.com\n* res.universalorlandovacations.com\n* res.vacations.united.com\n* res.vacations.universalstudioshollywood.com\n* res.zoetryresorts.com\n* reservations.wynnvacations.com\n* rezagent.triseptsolutions.com\n* shop.wyndhamvacationownership.trisept.travel\n* vacations.grandclass.grandvelas.com\n* vacations.outrigger.com\n* vacations.rivieramaya.grandvelas.com\n* www.triseptapi.com\n* www.triseptdemo.com\n* vacations.united.com\n* www.applevacations.com\n* 199.66.248.0/22\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on Hyatt-managed public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* 
Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt/ALG assets not specifically listed as in-scope.\n* Any communication with Hyatt or ALG colleagues.\n* Attacks against any account other than the specified target accounts.\n* Data breaches or credential dumps.\n* Hotel properties and their physical and network infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
**The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices\n    * This includes reports revealing vulnerabilities and exploits disclosed within a standard 30-day patching window.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* POST-Based reports requiring a victim to request files hosted on out-of-scope assets.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Zero-day vulnerabilities and exploits in vendor software.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do 
not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## XSS Policy\n* Stored XSS is classified as Medium-severity.\n* Reflected XSS is classified as Low-severity.\n* XSS on IE only is classified as Informational.\n* POST-Based XSS is classified as Not Applicable.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-03-20T16:16:35.291Z"},{"id":3684783,"new_policy":"## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! 
\n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and/or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once a vulnerability is remediated, bounty payout will occur\n\n* Critical = 30 days\n* High = 60 days\n* Medium = 90 days\n* Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n**Due to COVID-19, remediation may take longer than expected.**\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations, e.g., GitHub.\n* Do not intentionally harm other guests or their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and 
contractors cannot participate in this program.\n* You cannot participate in this program if you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements - Hyatt Hotels\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made a minimum of four months into the future.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments section in bookings.\n\n## Testing Requirements – ALG Properties \nReview this document for all testing requirements: \n•\tPlease review the F2216536\n\n## Fraud and Privacy Testing - Hyatt Assets Only\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. Can you discover any PII of these accounts? Stay details? Can you steal the points!? \n\n### Target these World of Hyatt accounts for fraud and privacy-related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). 
Please note these are general guidelines, and reward decisions are up to the discretion of Hyatt.\n\n## Hyatt Hotels In Scope Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n## ALG In Scope Assets\n**No additional subdomains unless explicitly mentioned.**\n* booking.cheapcaribbean.com\n* book.cheapcaribbean.com\n* holidays-au.fijiairways.com\n* holidays-fj.fijiairways.com\n* holidays-hk.fijiairways.com\n* holidays-sg.fijiairways.com\n* holidays-us.fijiairways.com\n* images.triseptsolutions.com\n* images2.triseptsolutions.com\n* res.marivalresidences.globalbookingsolutions.com\n* res.nowresorts.com\n* res.sunscaperesorts.com\n* res.treasureisland.globalbookingsolutions.com\n* res.vacations.buschgardens.com\n* res.vacations.sesameplace.com\n* vacations.hotelcasavelas.com\n* vacations.loscabos.grandvelas.com\n* vacations.travelimpressions.com\n* vacations.velasvallarta.com\n* www.blueskytours.com\n* www.cheapcaribbean.com\n* www.globalhotelchoices.com\n* www.marktravel.com\n* www.triseptsolutions.com\n* blueskytours.globalbookingsolutions.com\n* book.beachbound.com\n* book.extraholidaysvacations.com\n* holidays-nz.fijiairways.com\n* res.breathlessresorts.com\n* res.dreamsresorts.com\n* res.en.travelbrandsagent.com\n* res.funjet.com\n* res.marival.globalbookingsolutions.com\n* res.secretsresorts.com\n* res.skyteam.com\n* res.vacations.discoverycove.com\n* res.vacations.seaworld.com\n* 
vacations.universalstudioshollywood.com\n* vacations.us.palladiumhotelgroup.com\n* vacations.vallarta.grandvelas.com\n* www.funjet.com\n* www.universalorlandovacations.com\n* www.wynnvacations.com\n* www.amrcollection.com\n* www.beachbound.com\n* booking.beachbound.com\n* book.applevacations.com\n* book.booktandl.com\n* login.en.travelbrandsagent.com\n* login.fr.travelbrandsagent.com\n* login.www.vaxvacationaccess.com\n* media.triseptsolutions.com\n* new.www.vaxvacationaccess.com\n* res.blueskytours.globalbookingsolutions.com\n* res.fr.travelbrandsagent.com\n* res.southwestvacations.com\n* res.universalorlandovacations.com\n* res.vacations.united.com\n* res.vacations.universalstudioshollywood.com\n* res.zoetryresorts.com\n* reservations.wynnvacations.com\n* rezagent.triseptsolutions.com\n* shop.wyndhamvacationownership.trisept.travel\n* vacations.grandclass.grandvelas.com\n* vacations.outrigger.com\n* vacations.rivieramaya.grandvelas.com\n* www.triseptapi.com\n* www.triseptdemo.com\n* vacations.united.com\n* www.applevacations.com\n* 199.66.248.0/22\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on Hyatt-managed public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable 
Cross-Site Scripting.\n* WAF bypass.\n* Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt/ALG assets not specifically listed as in-scope.\n* Any communication with Hyatt or ALG colleagues.\n* Attacks against any account other than the specified target accounts.\n* Data breaches or credential dumps.\n* Hotel properties and their physical and network infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
**The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices\n    * This includes reports revealing vulnerabilities and exploits disclosed within a standard 30-day patching window.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* POST-Based reports requiring a victim to request files hosted on out-of-scope assets.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Zero-day vulnerabilities and exploits in vendor software.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do 
not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## XSS Policy\n* Stored XSS is classified as Medium-severity.\n* Reflected XSS is classified as Low-severity.\n* XSS on IE only is classified as Informational.\n* POST-Based XSS is classified as Not Applicable.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-03-14T18:45:12.944Z"},{"id":3684472,"new_policy":"## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! 
\n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and/or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once a vulnerability is remediated, bounty payout will occur\n\n* Critical = 30 days\n* High = 60 days\n* Medium = 90 days\n* Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n**Due to COVID-19, remediation may take longer than expected.**\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations, e.g., GitHub.\n* Do not intentionally harm other guests or their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and 
contractors cannot participate in this program.\n* You cannot participate in this program if you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements - Hyatt Hotels\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made a minimum of four months into the future.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments section in bookings.\n\n## Testing Requirements – ALG Properties \nReview this document for all testing requirements: \n•\tPlease review the F2216536\n\n## Fraud and Privacy Testing - Hyatt Assets Only\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. Can you discover any PII of these accounts? Stay details? Can you steal the points!? \n\n### Target these World of Hyatt accounts for fraud and privacy-related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). 
Please note these are general guidelines, and reward decisions are up to the discretion of Hyatt.\n\n## Hyatt Hotels In Scope Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n## ALG In Scope Assets\n* booking.cheapcaribbean.com\n* book.cheapcaribbean.com\n* holidays-au.fijiairways.com\n* holidays-fj.fijiairways.com\n* holidays-hk.fijiairways.com\n* holidays-sg.fijiairways.com\n* holidays-us.fijiairways.com\n* images.triseptsolutions.com\n* images2.triseptsolutions.com\n* res.marivalresidences.globalbookingsolutions.com\n* res.nowresorts.com\n* res.sunscaperesorts.com\n* res.treasureisland.globalbookingsolutions.com\n* res.vacations.buschgardens.com\n* res.vacations.sesameplace.com\n* vacations.hotelcasavelas.com\n* vacations.loscabos.grandvelas.com\n* vacations.travelimpressions.com\n* vacations.velasvallarta.com\n* www.blueskytours.com\n* www.cheapcaribbean.com\n* www.globalhotelchoices.com\n* www.marktravel.com\n* www.triseptsolutions.com\n* blueskytours.globalbookingsolutions.com\n* book.beachbound.com\n* book.extraholidaysvacations.com\n* holidays-nz.fijiairways.com\n* res.breathlessresorts.com\n* res.dreamsresorts.com\n* res.en.travelbrandsagent.com\n* res.funjet.com\n* res.marival.globalbookingsolutions.com\n* res.secretsresorts.com\n* res.skyteam.com\n* res.vacations.discoverycove.com\n* res.vacations.seaworld.com\n* vacations.universalstudioshollywood.com\n* vacations.us.palladiumhotelgroup.com\n* 
vacations.vallarta.grandvelas.com\n* www.funjet.com\n* www.universalorlandovacations.com\n* www.wynnvacations.com\n* www.amrcollection.com\n* www.beachbound.com\n* booking.beachbound.com\n* book.applevacations.com\n* book.booktandl.com\n* login.en.travelbrandsagent.com\n* login.fr.travelbrandsagent.com\n* login.www.vaxvacationaccess.com\n* media.triseptsolutions.com\n* new.www.vaxvacationaccess.com\n* res.blueskytours.globalbookingsolutions.com\n* res.fr.travelbrandsagent.com\n* res.southwestvacations.com\n* res.universalorlandovacations.com\n* res.vacations.united.com\n* res.vacations.universalstudioshollywood.com\n* res.zoetryresorts.com\n* reservations.wynnvacations.com\n* rezagent.triseptsolutions.com\n* shop.wyndhamvacationownership.trisept.travel\n* vacations.grandclass.grandvelas.com\n* vacations.outrigger.com\n* vacations.rivieramaya.grandvelas.com\n* www.triseptapi.com\n* www.triseptdemo.com\n* vacations.united.com\n* www.applevacations.com\n* 199.66.248.0/22\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on Hyatt-managed public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* Personal information of particular interest 
(e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt/ALG assets not specifically listed as in-scope.\n* Any communication with Hyatt or ALG colleagues.\n* Attacks against any account other than the specified target accounts.\n* Data breaches or credential dumps.\n* Hotel properties and their physical and network infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
**The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices\n    * This includes reports revealing vulnerabilities and exploits disclosed within a standard 30-day patching window.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* POST-Based reports requiring a victim to request files hosted on out-of-scope assets.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Zero-day vulnerabilities and exploits in vendor software.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do 
not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## XSS Policy\n* Stored XSS is classified as Medium-severity.\n* Reflected XSS is classified as Low-severity.\n* XSS on IE only is classified as Informational.\n* POST-Based XSS is classified as Not Applicable.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-03-08T23:10:58.914Z"},{"id":3684469,"new_policy":"## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! 
\n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once a vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n**Due to COVID-19, remediation may take longer than expected.**\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and 
contractors cannot participate in this program.\n* You cannot participate in this program if you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements - Hyatt Hotels\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made a minimum of four months into the future.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments section in bookings.\n\n## Testing Requirements – ALG Properties \nReview this document for all testing requirements: \n•\tPlease review the F2216536\n•\tTest reservations here: booking.amrcollection.com/premium/group_index.html?id_gruppo=9437\u0026dc_gruppo=1151\u0026lingua_int=eng\u0026id_stile=18303\n\n## Fraud and Privacy Testing - Hyatt Assets Only\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. Can you discover any PII of these accounts? Stay details? Can you steal the points!? 
\n\n### Target these World of Hyatt accounts for fraud and privacy-related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of Hyatt.\n\n## Hyatt Hotels In Scope Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n##ALG In Scope Assets\n* booking.cheapcaribbean.com\n* book.cheapcaribbean.com\n* holidays-au.fijiairways.com\n* holidays-fj.fijiairways.com\n* holidays-hk.fijiairways.com\n* holidays-sg.fijiairways.com\n* holidays-us.fijiairways.com\n* images.triseptsolutions.com\n* images2.triseptsolutions.com\n* res.marivalresidences.globalbookingsolutions.com\n* res.nowresorts.com\n* res.sunscaperesorts.com\n* res.treasureisland.globalbookingsolutions.com\n* res.vacations.buschgardens.com\n* res.vacations.sesameplace.com\n* vacations.hotelcasavelas.com\n* vacations.loscabos.grandvelas.com\n* vacations.travelimpressions.com\n* vacations.velasvallarta.com\n* www.blueskytours.com\n* www.cheapcaribbean.com\n* www.globalhotelchoices.com\n* www.marktravel.com\n* www.triseptsolutions.com\n* blueskytours.globalbookingsolutions.com\n* book.beachbound.com\n* book.extraholidaysvacations.com\n* booking.amrcollection.com/premium/groupindex.html?idgruppo=9437\u0026dcgruppo=1151\u0026linguaint=eng\u0026id_stile=18303\n* holidays-nz.fijiairways.com\n* 
res.breathlessresorts.com\n* res.dreamsresorts.com\n* res.en.travelbrandsagent.com\n* res.funjet.com\n* res.marival.globalbookingsolutions.com\n* res.secretsresorts.com\n* res.skyteam.com\n* res.vacations.discoverycove.com\n* res.vacations.seaworld.com\n* vacations.universalstudioshollywood.com\n* vacations.us.palladiumhotelgroup.com\n* vacations.vallarta.grandvelas.com\n* www.funjet.com\n* www.universalorlandovacations.com\n* www.wynnvacations.com\n* www.amrcollection.com\n* www.beachbound.com\n* booking.beachbound.com\n* book.applevacations.com\n* book.booktandl.com\n* login.en.travelbrandsagent.com\n* login.fr.travelbrandsagent.com\n* login.www.vaxvacationaccess.com\n* media.triseptsolutions.com\n* new.www.vaxvacationaccess.com\n* res.blueskytours.globalbookingsolutions.com\n* res.fr.travelbrandsagent.com\n* res.southwestvacations.com\n* res.universalorlandovacations.com\n* res.vacations.united.com\n* res.vacations.universalstudioshollywood.com\n* res.zoetryresorts.com\n* reservations.wynnvacations.com\n* rezagent.triseptsolutions.com\n* shop.wyndhamvacationownership.trisept.travel\n* vacations.grandclass.grandvelas.com\n* vacations.outrigger.com\n* vacations.rivieramaya.grandvelas.com\n* www.triseptapi.com\n* www.triseptdemo.com\n* vacations.united.com\n* www.applevacations.com\n* 199.66.248.0/22\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on Hyatt-managed public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering 
origin IP.\n* Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt/ALG assets not specifically listed as in-scope.\n* Any communication with Hyatt or ALG colleagues.\n* Attacks against any account other than the specified target accounts.\n* Data breaches or credential dumps.\n* Hotel properties and their physical and network infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
**The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices\n    * This includes reports revealing vulnerabilities and exploits disclosed within a standard 30-day patching window.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* POST-Based reports requiring a victim to request files hosted on out-of-scope assets.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Zero-day vulnerabilities and exploits in vendor software.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do 
not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## XSS Policy\n* Stored XSS is classified as Medium-severity.\n* Reflected XSS is classified as Low-severity.\n* XSS on IE only is classified as Informational.\n* POST-Based XSS is classified as Not Applicable.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-03-08T22:10:33.586Z"},{"id":3684185,"new_policy":"## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! 
\n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once a vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n**Due to COVID-19, remediation may take longer than expected.**\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and 
contractors cannot participate in this program.\n* You cannot participate in this program if you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements - Hyatt Hotels\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made a minimum of four months into the future.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments section in bookings.\n\n## Testing Requirements – ALG Properties \nReview this document for all testing requirements: \n•\tPlease review the Test_Booking_Rules_HackerOne.pdf (F1871199)\n•\tTest reservations here: bookings.amrcollection.com\n\n## Fraud and Privacy Testing - Hyatt Assets Only\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. Can you discover any PII of these accounts? Stay details? Can you steal the points!? \n\n### Target these World of Hyatt accounts for fraud and privacy-related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). 
Please note these are general guidelines, and reward decisions are up to the discretion of Hyatt.\n\n## Hyatt Hotels In Scope Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n##ALG In Scope Assets\n* booking.cheapcaribbean.com\n* book.cheapcaribbean.com\n* holidays-au.fijiairways.com\n* holidays-fj.fijiairways.com\n* holidays-hk.fijiairways.com\n* holidays-sg.fijiairways.com\n* holidays-us.fijiairways.com\n* images.triseptsolutions.com\n* images2.triseptsolutions.com\n* res.marivalresidences.globalbookingsolutions.com\n* res.nowresorts.com\n* res.sunscaperesorts.com\n* res.treasureisland.globalbookingsolutions.com\n* res.vacations.buschgardens.com\n* res.vacations.sesameplace.com\n* vacations.hotelcasavelas.com\n* vacations.loscabos.grandvelas.com\n* vacations.travelimpressions.com\n* vacations.velasvallarta.com\n* www.blueskytours.com\n* www.cheapcaribbean.com\n* www.globalhotelchoices.com\n* www.marktravel.com\n* www.triseptsolutions.com\n* blueskytours.globalbookingsolutions.com\n* book.beachbound.com\n* book.extraholidaysvacations.com\n* booking.amrcollection.com/premium/groupindex.html?idgruppo=9437\u0026dcgruppo=1151\u0026linguaint=eng\u0026id_stile=18303\n* holidays-nz.fijiairways.com\n* res.breathlessresorts.com\n* res.dreamsresorts.com\n* res.en.travelbrandsagent.com\n* res.funjet.com\n* res.marival.globalbookingsolutions.com\n* res.secretsresorts.com\n* res.skyteam.com\n* res.vacations.discoverycove.com\n* 
res.vacations.seaworld.com\n* vacations.universalstudioshollywood.com\n* vacations.us.palladiumhotelgroup.com\n* vacations.vallarta.grandvelas.com\n* www.funjet.com\n* www.universalorlandovacations.com\n* www.wynnvacations.com\n* www.amrcollection.com\n* www.beachbound.com\n* booking.beachbound.com\n* book.applevacations.com\n* book.booktandl.com\n* login.en.travelbrandsagent.com\n* login.fr.travelbrandsagent.com\n* login.www.vaxvacationaccess.com\n* media.triseptsolutions.com\n* new.www.vaxvacationaccess.com\n* res.blueskytours.globalbookingsolutions.com\n* res.fr.travelbrandsagent.com\n* res.southwestvacations.com\n* res.universalorlandovacations.com\n* res.vacations.united.com\n* res.vacations.universalstudioshollywood.com\n* res.zoetryresorts.com\n* reservations.wynnvacations.com\n* rezagent.triseptsolutions.com\n* shop.wyndhamvacationownership.trisept.travel\n* vacations.grandclass.grandvelas.com\n* vacations.outrigger.com\n* vacations.rivieramaya.grandvelas.com\n* www.triseptapi.com\n* www.triseptdemo.com\n* vacations.united.com\n* www.applevacations.com\n* 199.66.248.0/22\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on Hyatt-managed public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site 
Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt/ALG assets not specifically listed as in-scope.\n* Any communication with Hyatt or ALG colleagues.\n* Attacks against any account other than the specified target accounts.\n* Data breaches or credential dumps.\n* Hotel properties and their physical and network infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
**The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices\n    * This includes reports revealing vulnerabilities and exploits disclosed within a standard 30-day patching window.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* POST-Based reports requiring a victim to request files hosted on out-of-scope assets.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Zero-day vulnerabilities and exploits in vendor software.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do 
not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## XSS Policy\n* Stored XSS is classified as Medium-severity.\n* Reflected XSS is classified as Low-severity.\n* XSS on IE only is classified as Informational.\n* POST-Based XSS is classified as Not Applicable.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-03-01T20:29:00.256Z"},{"id":3683724,"new_policy":"## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! 
\n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once a vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n**Due to COVID-19, remediation may take longer than expected.**\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and 
contractors cannot participate in this program.\n* You cannot participate in this program if you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements - Hyatt Hotels\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made a minimum of four months into the future.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments section in bookings.\n\n## Testing Requirements – ALG Properties \nReview this document for all testing requirements: \n•\tPlease review the Test_Booking_Rules_HackerOne.pdf (F1871199)\n•\tTest reservations here: bookings.amrcollection.com\n\n## Fraud and Privacy Testing - Hyatt Assets Only\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. Can you discover any PII of these accounts? Stay details? Can you steal the points!? \n\n### Target these World of Hyatt accounts for fraud and privacy-related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). 
Please note these are general guidelines, and reward decisions are up to the discretion of Hyatt.\n\n## Hyatt Hotels In Scope Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n##ALG In Scope Assets\n* booking.cheapcaribbean.com\n* book.cheapcaribbean.com\n* holidays-au.fijiairways.com\n* holidays-fj.fijiairways.com\n* holidays-hk.fijiairways.com\n* holidays-sg.fijiairways.com\n* holidays-us.fijiairways.com\n* images.triseptsolutions.com\n* images2.triseptsolutions.com\n* res.marivalresidences.globalbookingsolutions.com\n* res.nowresorts.com\n* res.sunscaperesorts.com\n* res.treasureisland.globalbookingsolutions.com\n* res.vacations.buschgardens.com\n* res.vacations.sesameplace.com\n* vacations.hotelcasavelas.com\n* vacations.loscabos.grandvelas.com\n* vacations.travelimpressions.com\n* vacations.velasvallarta.com\n* www.blueskytours.com\n* www.cheapcaribbean.com\n* www.globalhotelchoices.com\n* www.marktravel.com\n* www.triseptsolutions.com\n* blueskytours.globalbookingsolutions.com\n* book.beachbound.com\n* book.extraholidaysvacations.com\n* booking.amrcollection.com/premium/groupindex.html?idgruppo=9437\u0026dcgruppo=1151\u0026linguaint=eng\u0026id_stile=18303\n* holidays-nz.fijiairways.com\n* res.breathlessresorts.com\n* res.dreamsresorts.com\n* res.en.travelbrandsagent.com\n* res.funjet.com\n* res.marival.globalbookingsolutions.com\n* res.secretsresorts.com\n* res.skyteam.com\n* res.vacations.discoverycove.com\n* 
res.vacations.seaworld.com\n* vacations.universalstudioshollywood.com\n* vacations.us.palladiumhotelgroup.com\n* vacations.vallarta.grandvelas.com\n* www.funjet.com\n* www.universalorlandovacations.com\n* www.wynnvacations.com\n* www.amrcollection.com\n* www.beachbound.com\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on Hyatt-managed public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt/ALG assets not specifically listed as in-scope.\n* Any communication with Hyatt or ALG colleagues.\n* Attacks against any account other than the specified target accounts.\n* Data breaches or credential dumps.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership 
partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. **The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices\n    * This includes reports revealing vulnerabilities and exploits disclosed within a standard 30-day patching window.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* POST-Based reports requiring a victim to request files hosted on out-of-scope assets.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version 
disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Zero-day vulnerabilities and exploits in vendor software.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## XSS Policy\n* Stored XSS is classified as Medium-severity.\n* Reflected XSS is classified as Low-severity.\n* XSS on IE only is classified as Informational.\n* POST-Based XSS is classified as Not Applicable.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-02-15T22:37:15.974Z"},{"id":3683001,"new_policy":"## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. 
By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once a vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n**Due to COVID-19, remediation may take longer than expected.**\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store 
Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and contractors cannot participate in this program.\n* You cannot participate in this program if you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements - Hyatt Hotels\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made a minimum of four months into the future.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments section in bookings.\n\n## Testing Requirements – ALG Properties \nReview this document for all testing requirements: \n•\tPlease review the Test_Booking_Rules_HackerOne.pdf (F1871199)\n•\tTest reservations here: bookings.amrcollection.com\n\n## Fraud and Privacy Testing - Hyatt Assets Only\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. Can you discover any PII of these accounts? Stay details? Can you steal the points!? \n\n### Target these World of Hyatt accounts for fraud and privacy-related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). 
Please note these are general guidelines, and reward decisions are up to the discretion of Hyatt.\n\n## Hyatt Hotels In Scope Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n##ALG In Scope Assets\n* booking.cheapcaribbean.com\n* book.cheapcaribbean.com\n* holidays-au.fijiairways.com\n* holidays-fj.fijiairways.com\n* holidays-hk.fijiairways.com\n* holidays-sg.fijiairways.com\n* holidays-us.fijiairways.com\n* images.triseptsolutions.com\n* images2.triseptsolutions.com\n* res.marivalresidences.globalbookingsolutions.com\n* res.nowresorts.com\n* res.sunscaperesorts.com\n* res.treasureisland.globalbookingsolutions.com\n* res.vacations.buschgardens.com\n* res.vacations.sesameplace.com\n* vacations.hotelcasavelas.com\n* vacations.loscabos.grandvelas.com\n* vacations.travelimpressions.com\n* vacations.velasvallarta.com\n* www.blueskytours.com\n* www.cheapcaribbean.com\n* www.globalhotelchoices.com\n* www.marktravel.com\n* www.triseptsolutions.com\n* blueskytours.globalbookingsolutions.com\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on Hyatt-managed public cloud 
storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt/ALG assets not specifically listed as in-scope.\n* Any communication with Hyatt or ALG colleagues.\n* Attacks against any account other than the specified target accounts.\n* Data breaches or credential dumps.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
**The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices\n    * This includes reports revealing vulnerabilities and exploits disclosed within a standard 30-day patching window.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* POST-Based reports requiring a victim to request files hosted on out-of-scope assets.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Zero-day vulnerabilities and exploits in vendor software.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do 
not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## XSS Policy\n* Stored XSS is classified as Medium-severity.\n* Reflected XSS is classified as Low-severity.\n* XSS on IE only is classified as Informational.\n* POST-Based XSS is classified as Not Applicable.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-02-03T20:19:34.396Z"},{"id":3682999,"new_policy":"## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! 
\n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once a vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n**Due to COVID-19, remediation may take longer than expected.**\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and 
contractors cannot participate in this program.\n* You cannot participate in this program if you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements - Hyatt Hotels\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made a minimum of four months into the future.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments section in bookings.\n\n## Testing Requirements – ALG Properties \nReview this document for all testing requirements: \n•\tPlease review the Test_Booking_Rules_HackerOne.pdf (F1871199)\n•\tTest reservations here: bookings.amrcollection.com\n\n## Fraud and Privacy Testing - Hyatt Assets Only\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. Can you discover any PII of these accounts? Stay details? Can you steal the points!? \n\n### Target these World of Hyatt accounts for fraud and privacy-related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). 
Please note these are general guidelines, and reward decisions are up to the discretion of Hyatt.\n\n## Hyatt Hotels In Scope Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n## ALG In Scope Assets\n* booking.cheapcaribbean.com\n* book.cheacaribbean.com\n* holidays-au.fijiairways.com\n* holidays-fj.fijiairways.com\n* holidays-hk.fijiairways.com\n* holidays-sg.fijiairways.com\n* holidays-us.fijiairways.com\n* images.triseptsolutions.com\n* images2.triseptsolutions.com\n* res.marivalresidences.globalbookingsolutions.com\n* res.nowresorts.com\n* res.sunscaperesorts.com\n* res.treasureisland.globalbookingsolutions.com\n* res.vacations.buschgardens.com\n* res.vacations.sesameplace.com\n* vacations.hotelcasavelas.com\n* vacations.loscabos.grandvelas.com\n* vacations.travelimpressions.com\n* vacations.velasvallarta.com\n* www.blueskytours.com\n* www.cheapcaribbean.com\n* www.globalhotelchoices.com\n* www.marktravel.com\n* www.triseptsolutions.com\n* blueskytours.globalbookingsolutions.com\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on Hyatt-managed public cloud storage 
services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt/ALG assets not specifically listed as in-scope.\n* Any communication with Hyatt or ALG colleagues.\n* Attacks against any account other than the specified target accounts.\n* Data breaches or credential dumps.\n* Hotel properties and their physical and network infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
**The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices\n    * This includes reports revealing vulnerabilities and exploits disclosed within a standard 30-day patching window.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* POST-Based reports requiring a victim to request files hosted on out-of-scope assets.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Zero-day vulnerabilities and exploits in vendor software.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do 
not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## XSS Policy\n* Stored XSS is classified as Medium-severity.\n* Reflected XSS is classified as Low-severity.\n* XSS on IE only is classified as Informational.\n* POST-Based XSS is classified as Not Applicable.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-02-03T19:47:39.260Z"},{"id":3682359,"new_policy":"## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! 
\n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and/or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once a vulnerability is remediated, bounty payout will occur\n\n* Critical = 30 days\n* High = 60 days\n* Medium = 90 days\n* Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n**Due to COVID-19, remediation may take longer than expected.**\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations, e.g., GitHub.\n* Do not intentionally harm other guests or their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and 
contractors cannot participate in this program.\n* You cannot participate in this program if you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made four months into the future at a minimum.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments of bookings.\n\n## Fraud and Privacy Testing\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. Can you discover any PII of these accounts? Stay details? Can you steal the points!? \n### Target these World of Hyatt accounts for fraud and privacy-related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). 
Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt.\n\n## In Scope\n### Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on Hyatt-managed public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt assets not specifically listed as 
in-scope.\n* Any communication with Hyatt colleagues.\n* Attacks against any account other than the specified target accounts.\n* Data breaches or credential dumps.\n* Hotel properties and their physical and network infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. **The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices\n    * This includes reports revealing vulnerabilities and exploits disclosed within a standard 30-day patching window.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or 
spear phishing attacks.\n* POST-Based reports requiring a victim to request files hosted on out-of-scope assets.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Zero-day vulnerabilities and exploits in vendor software.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## XSS Policy\n* Stored XSS is classified as Medium-severity.\n* Reflected XSS is classified as Low-severity.\n* XSS on IE only is classified as Informational.\n* POST-Based XSS is classified as Not Applicable.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-01-23T14:44:50.075Z"},{"id":3668437,"new_policy":"## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. 
\n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once a vulnerability is remediated, bounty payout will occur\n\n* Critical = 30 days\n* High = 60 days\n* Medium = 90 days\n* Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n**Due to COVID-19, remediation may take longer than expected.**\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations, e.g., GitHub.\n* Do not intentionally harm other guests or their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and contractors cannot participate in this program.\n* You cannot participate in this program if you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made four months into the future at a minimum.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments of bookings.\n\n## Fraud and Privacy Testing\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. 
Can you discover any PII of these accounts? Stay details? Can you steal the points!? \n### Target these World of Hyatt accounts for fraud and privacy-related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt.\n\n## In Scope\n### Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* 
Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Any communication with Hyatt colleagues.\n* Attacks against any account other than the specified target accounts.\n* Data breaches or credential dumps.\n* Hotel properties and their physical and network infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
**The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices\n    * This includes reports revealing vulnerabilities and exploits disclosed within a standard 30-day patching window.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* POST-Based reports requiring a victim to request files hosted on out-of-scope assets.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Zero-day vulnerabilities and exploits in vendor software.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do 
not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## XSS Policy\n* Stored XSS is classified as Medium-severity.\n* Reflected XSS is classified as Low-severity.\n* XSS on IE only is classified as Informational.\n* POST-Based XSS is classified as Not Applicable.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-03-24T17:51:05.760Z"},{"id":3663391,"new_policy":"## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! 
\n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and/or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once a vulnerability is remediated, bounty payout will occur\n\n* Critical = 30 days\n* High = 60 days\n* Medium = 90 days\n* Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n**Due to COVID-19, remediation may take longer than expected.**\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations, e.g., GitHub.\n* Do not intentionally harm other guests or their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and 
contractors cannot participate in this program.\n* You cannot participate in this program if you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made four months into the future at a minimum.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments of bookings.\n\n## Fraud and Privacy Testing\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. Can you discover any PII of these accounts? Stay details? Can you steal the points!? \n### Target these World of Hyatt accounts for fraud and privacy related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). 
Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt.\n\n## In Scope\n### Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Any 
communication with Hyatt colleagues.\n* Attacks against any account other than the specified target accounts.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. **The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices\n    * This includes reports revealing vulnerabilities and exploits disclosed within a standard 30-day patching window.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* POST-Based reports requiring a 
victim to request files hosted on out-of-scope assets.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Zero-day vulnerabilities and exploits in vendor software.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## XSS Policy\n* Stored XSS is classified as Medium-severity.\n* Reflected XSS is classified as Low-severity.\n* XSS on IE only is classified as Informational.\n* POST-Based XSS is classified as Not Applicable.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-12-23T23:06:09.409Z"},{"id":3662950,"new_policy":"## Super-Critical Payments for Log4j\n\nWe believe we have taken adequate steps to protect our external-facing environment -- code assurance, detective controls, and protective controls -- from the recently-discovered vulnerability in the log4j library. We want to ensure we take all precautions to protect our guests and colleagues, however, throughout this week -- ending Sunday, December 20, we are creating a super-critical category for successful remote code execution of CVE-2021-44228 on any in-scope assets. The payout for this category will be **US$25,000**. As always, thank you for your important contributions to the safety of our guests and colleagues. Happy hunting!\n\nAt Hyatt, our purpose to care for people so they can be their best informs our business decisions and growth strategy and is intended to attract and retain top employees, build relationships with guests and create value for shareholders.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! 
\n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once a vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n**Due to COVID-19, remediation may take longer than expected.**\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and 
contractors cannot participate in this program.\n* You cannot participate in this program if you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made four months into the future at a minimum.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments of bookings.\n\n## Fraud and Privacy Testing\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. Can you discover any PII of these accounts? Stay details? Can you steal the points!? \n### Target these World of Hyatt accounts for fraud and privacy related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). 
Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt.\n\n## In Scope\n### Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Any 
communication with Hyatt colleagues.\n* Attacks against any account other than the specified target accounts.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. **The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices\n    * This includes reports revealing vulnerabilities and exploits disclosed within a standard 30-day patching window.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* POST-Based reports requiring a 
victim to request files hosted on out-of-scope assets.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Zero-day vulnerabilities and exploits in vendor software.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## XSS Policy\n* Stored XSS is classified as Medium-severity.\n* Reflected XSS is classified as Low-severity.\n* XSS on IE only is classified as Informational.\n* POST-Based XSS is classified as Not Applicable.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-12-13T18:03:10.919Z"},{"id":3658120,"new_policy":"At Hyatt, our purpose to care for people so they can be their best informs our business decisions and growth strategy and is intended to attract and retain top employees, build relationships with guests and create value for shareholders.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. 
\n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once a vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n**Due to COVID-19, remediation may take longer than expected.**\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and contractors cannot participate in this program.\n* You cannot participate in this program if you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made four months into the future at a minimum.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments of bookings.\n\n## Fraud and Privacy Testing\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. 
Can you discover any PII of these accounts? Stay details? Can you steal the points!? \n### Target these World of Hyatt accounts for fraud and privacy related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt.\n\n## In Scope\n### Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* 
Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Any communication with Hyatt colleagues.\n* Attacks against any account other than the specified target accounts.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
**The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices\n    * This includes reports revealing vulnerabilities and exploits disclosed within a standard 30-day patching window.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* POST-Based reports requiring a victim to request files hosted on out-of-scope assets.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Zero-day vulnerabilities and exploits in vendor software.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do 
not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## XSS Policy\n* Stored XSS is classified as Medium-severity.\n* Reflected XSS is classified as Low-severity.\n* XSS on IE only is classified as Informational.\n* POST-Based XSS is classified as Not Applicable.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-09T19:54:00.438Z"},{"id":3658106,"new_policy":"At Hyatt, our purpose to care for people so they can be their best informs our business decisions and growth strategy and is intended to attract and retain top employees, build relationships with guests and create value for shareholders.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. 
By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once a vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n**Due to COVID-19, remediation may take longer than expected.**\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store 
Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and contractors cannot participate in this program.\n* You cannot participate in this program if you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made four months into the future at a minimum.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments of bookings.\n\n## Fraud and Privacy Testing\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. Can you discover any PII of these accounts? Stay details? Can you steal the points!? \n### Target these World of Hyatt accounts for fraud and privacy related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). 
Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt.\n\n## In Scope\n### Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Any 
communication with Hyatt colleagues.\n* Attacks against any account other than the specified target accounts.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. **The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices:\n    * This includes reports revealing vulnerabilities and exploits disclosed within a standard 30-day patching window.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* POST-Based reports requiring a 
victim to request files hosted on out-of-scope assets.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Zero-day vulnerabilities and exploits in vendor software.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## XSS Policy\n* Stored XSS is classified as Medium-severity.\n* Reflected XSS is classified as Low-severity.\n* XSS on IE only is classified as Informational.\n* POST-Based XSS is classified as Not Applicable.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-09T16:49:53.704Z"},{"id":3658104,"new_policy":"At Hyatt, our purpose to care for people so they can be their best informs our business decisions and growth strategy and is intended to attract and retain top employees, build relationships with guests and create value for shareholders.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. 
\n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once a vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n**Due to COVID-19, remediation may take longer than expected.**\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and contractors cannot participate in this program.\n* You cannot participate in this program if you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made four months into the future at a minimum.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments of bookings.\n\n## Fraud and Privacy Testing\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. 
Can you discover any PII of these accounts? Stay details? Can you steal the points!? \n### Target these World of Hyatt accounts for fraud and privacy related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt.\n\n## In Scope\n### Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* 
Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Any communication with Hyatt colleagues.\n* Attacks against any account other than the specified target accounts.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
**The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices:\n    * This includes reports revealing vulnerabilities and exploits disclosed within a standard 30-day patching window.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* POST-Based reports requiring a victim to request files hosted on out-of-scope assets.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Zero-day vulnerabilities in vendor software.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or 
save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## XSS Policy\n* Stored XSS is classified as Medium-severity.\n* Reflected XSS is classified as Low-severity.\n* XSS on IE only is classified as Informational.\n* POST-Based XSS is classified as Not Applicable.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-09T16:37:55.374Z"},{"id":3658103,"new_policy":"At Hyatt, our purpose to care for people so they can be their best informs our business decisions and growth strategy and is intended to attract and retain top employees, build relationships with guests and create value for shareholders.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. 
By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once a vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n**Due to COVID-19, remediation may take longer than expected.**\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store 
Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and contractors cannot participate in this program.\n* You cannot participate in this program if you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made four months into the future at a minimum.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments of bookings.\n\n## Fraud and Privacy Testing\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. Can you discover any PII of these accounts? Stay details? Can you steal the points!? \n### Target these World of Hyatt accounts for fraud and privacy related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). 
Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt.\n\n## In Scope\n### Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Any 
communication with Hyatt colleagues.\n* Attacks against any account other than the specified target accounts.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. **The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices:\n    * This includes reports revealing vulnerabilities and exploits disclosed within a standard 30-day patching window.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* POST-Based reports requiring a 
victim to request files hosted on out-of-scope assets.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Zero-day vulnerabilities in vendor software\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## XSS Policy\n* Stored XSS is classified as Medium-severity.\n* Reflected XSS is classified as Low-severity.\n* XSS on IE only is classified as Informational.\n* POST-Based XSS is classified as Not Applicable.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-09T16:37:05.053Z"},{"id":3658102,"new_policy":"At Hyatt, our purpose to care for people so they can be their best informs our business decisions and growth strategy and is intended to attract and retain top employees, build relationships with guests and create value for shareholders.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and/or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. 
\n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once a vulnerability is remediated, bounty payout will occur\n\n* Critical = 30 days\n* High = 60 days\n* Medium = 90 days\n* Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n**Due to COVID-19, remediation may take longer than expected.**\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations, e.g., GitHub.\n* Do not intentionally harm other guests or their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and contractors cannot participate in this program.\n* You cannot participate in this program if you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made four months into the future at a minimum.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments of bookings.\n\n## Fraud and Privacy Testing\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. 
Can you discover any PII of these accounts? Stay details? Can you steal the points!? \n### Target these World of Hyatt accounts for fraud and privacy related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt.\n\n## In Scope\n### Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* 
Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Any communication with Hyatt colleagues.\n* Attacks against any account other than the specified target accounts.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
**The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices:\n    * This includes reports revealing vulnerabilities and exploits disclosed within a standard 30-day patching window.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* POST-Based reports requiring a victim to request files hosted on out-of-scope assets.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other 
than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## XSS Policy\n* Stored XSS is classified as Medium-severity.\n* Reflected XSS is classified as Low-severity.\n* XSS on IE only is classified as Informational.\n* POST-Based XSS is classified as Not Applicable.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-09T16:33:44.475Z"},{"id":3658101,"new_policy":"At Hyatt, our purpose to care for people so they can be their best informs our business decisions and growth strategy and is intended to attract and retain top employees, build relationships with guests and create value for shareholders.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. 
If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and/or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once a vulnerability is remediated, bounty payout will occur\n\n* Critical = 30 days\n* High = 60 days\n* Medium = 90 days\n* Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n**Due to COVID-19, remediation may take longer than expected.**\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations, e.g., GitHub.\n* Do not intentionally harm other guests or their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and 
HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and contractors cannot participate in this program.\n* You cannot participate in this program if you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made four months into the future at a minimum.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments of bookings.\n\n## Fraud and Privacy Testing\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. Can you discover any PII of these accounts? Stay details? Can you steal the points!? \n### Target these World of Hyatt accounts for fraud and privacy related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). 
Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt.\n\n## In Scope\n### Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Any 
communication with Hyatt colleagues.\n* Attacks against any account other than the specified target accounts.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. **The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n    * This includes vulnerabilities and exploits that fall within a standard 30-day patching window.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* POST-Based reports requiring a victim to request 
files hosted on out-of-scope assets.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## XSS Policy\n* Stored XSS is classified as Medium-severity.\n* Reflected XSS is classified as Low-severity.\n* XSS on IE only is classified as Informational.\n* POST-Based XSS is classified as Not Applicable.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-09T16:29:07.515Z"},{"id":3652359,"new_policy":"At Hyatt, our purpose to care for people so they can be their best informs our business decisions and growth strategy and is intended to attract and retain top employees, build relationships with guests and create value for shareholders.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and/or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. 
\n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once a vulnerability is remediated, bounty payout will occur\n\n* Critical = 30 days\n* High = 60 days\n* Medium = 90 days\n* Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n**Due to COVID-19, remediation may take longer than expected.**\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations, e.g., GitHub.\n* Do not intentionally harm other guests or their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and contractors cannot participate in this program.\n* You cannot participate in this program if you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made four months into the future at a minimum.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments of bookings.\n\n## Fraud and Privacy Testing\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. 
Can you discover any PII of these accounts? Stay details? Can you steal the points!? \n### Target these World of Hyatt accounts for fraud and privacy related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt.\n\n## In Scope\n### Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* 
Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Any communication with Hyatt colleagues.\n* Attacks against any account other than the specified target accounts.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
**The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* POST-Based reports requiring a victim to request files hosted on out-of-scope assets.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is 
permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## XSS Policy\n* Stored XSS is classified as Medium-severity.\n* Reflected XSS is classified as Low-severity.\n* XSS on IE only is classified as Informational.\n* POST-Based XSS is classified as Not Applicable.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-05-17T19:30:48.792Z"},{"id":3650678,"new_policy":"At Hyatt, our purpose to care for people so they can be their best informs our business decisions and growth strategy and is intended to attract and retain top employees, build relationships with guests and create value for shareholders.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! 
\n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n**Due to COVID-19, remediation may take longer than expected.**\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and 
contractors cannot participate in this program.\n* You cannot participate in this program if you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made four months into the future at a minimum.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments of bookings.\n\n## Fraud and Privacy Testing\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. Can you discover any PII of these accounts? Stay details? Can you steal the points!? \n### Target these World of Hyatt accounts for fraud and privacy related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). 
Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt.\n\n## In Scope\n### Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Any 
communication with Hyatt colleagues.\n* Attacks against any account other than the specified target accounts.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. **The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* POST-Based reports requiring a victim to request files hosted on out-of-scope assets.\n* Previously known vulnerable libraries without a working Proof 
of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## XSS Policy\n* Stored XSS is classified as Medium-severity.\n* Reflected XSS is classified as Low-severity.\n* XSS on IE only is classified as Informational.\n* POST-Based XSS is classified as Not Applicable.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-04-01T15:10:37.651Z"},{"id":3650673,"new_policy":"At Hyatt, our purpose to care for people so they can be their best informs our business decisions and growth strategy and is intended to attract and retain top employees, build relationships with guests and create value for shareholders.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. 
\n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n**Due to COVID-19, remediation may take longer than expected.**\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and contractors cannot participate in this program.\n* You cannot participate in this program if you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made four months into the future at a minimum.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments of bookings.\n\n## Fraud and Privacy Testing\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. 
Can you discover any PII of these accounts? Stay details? Can you steal the points!? \n### Target these World of Hyatt accounts for fraud and privacy related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt.\n\n## In Scope\n### Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* 
Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Any communication with Hyatt colleagues.\n* Attacks against any account other than the specified target accounts.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
**The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* POST-based reports requiring a victim to select files hosted on out-of-scope assets.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is 
permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## XSS Policy\n* Stored XSS is classified as Medium-severity.\n* Reflected XSS is classified as Low-severity.\n* XSS on IE only is classified as Informational.\n* POST-Based XSS is classified as Not Applicable.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-04-01T14:11:28.776Z"},{"id":3649945,"new_policy":"At Hyatt, our purpose to care for people so they can be their best informs our business decisions and growth strategy and is intended to attract and retain top employees, build relationships with guests and create value for shareholders.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! 
\n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n**Due to COVID-19, remediation may take longer than expected.**\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and 
contractors cannot participate in this program.\n* You cannot participate in this program if you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made four months into the future at a minimum.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments of bookings.\n\n## Fraud and Privacy Testing\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. Can you discover any PII of these accounts? Stay details? Can you steal the points!? \n### Target these World of Hyatt accounts for fraud and privacy related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). 
Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt.\n\n## In Scope\n### Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Any 
communication with Hyatt colleagues.\n* Attacks against any account other than the specified target accounts.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. **The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* POST-based reports requiring a victim to select files hosted on out-of-scope assets.\n* Previously known vulnerable libraries without a working Proof 
of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## XSS Policy\n* Stored XSS is classified as Medium-severity.\n* Reflected XSS is classified as Low-severity.\n* XSS on IE only is classified as Informational.\n* POST-based XSS is classified as Not Applicable.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 
\nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-03-16T14:07:21.040Z"},{"id":3649839,"new_policy":"At Hyatt, our purpose to care for people so they can be their best informs our business decisions and growth strategy and is intended to attract and retain top employees, build relationships with guests and create value for shareholders.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. 
\n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n**Due to COVID-19, remediation may take longer than expected.**\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and contractors cannot participate in this program.\n* You cannot participate in this program if you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made four months into the future at a minimum.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments of bookings.\n\n## Fraud and Privacy Testing\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. 
Can you discover any PII of these accounts? Stay details? Can you steal the points!? \n### Target these World of Hyatt accounts for fraud and privacy related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt.\n\n## In Scope\n### Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* 
Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Any communication with Hyatt colleagues.\n* Attacks against any account other than the specified target accounts.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
**The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* POST-based reports requiring a victim to select files hosted on out-of-scope assets.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is 
permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-03-11T18:40:45.550Z"},{"id":3648327,"new_policy":"At Hyatt, our purpose to care for people so they can be their best informs our business decisions and growth strategy and is intended to attract and retain top employees, build relationships with guests and create value for shareholders.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. 
The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n**Due to COVID-19, remediation may take longer than expected.**\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and contractors cannot participate in this program.\n* You cannot participate in this program if 
you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made four months into the future at a minimum.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments of bookings.\n\n## Fraud and 
Privacy Testing\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. Can you discover any PII of these accounts? Stay details? Can you steal the points!? \n### Target these World of Hyatt accounts for fraud and privacy related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt.\n\n## In Scope\n### Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering 
origin IP.\n* Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Any communication with Hyatt colleagues.\n* Attacks against any account other than the specified target accounts.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
**The following issues are considered out of scope:**\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are 
permissible.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-02-02T20:58:34.099Z"},{"id":3647722,"new_policy":"At Hyatt, our purpose to care for people so they can be their best informs our business decisions and growth strategy and is intended to attract and retain top employees, build relationships with guests and create value for shareholders.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. 
The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n**Due to COVID-19, remediation may take longer than expected.**\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and contractors cannot participate in this program.\n* You cannot participate in this program if 
you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made four months into the future at a minimum.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments of bookings.\n\n## Fraud and 
Privacy Testing\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. Can you discover any PII of these accounts? Stay details? Can you steal the points!? \n### Target these World of Hyatt accounts for fraud and privacy related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt.\n\n## In Scope\n### Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering 
origin IP.\n* Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Any communication with Hyatt colleagues.\n* Attacks against any account other than the specified target accounts.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\n#### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are 
permissible.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-01-13T17:04:07.521Z"},{"id":3647721,"new_policy":"At Hyatt, our purpose to care for people so they can be their best informs our business decisions and growth strategy and is intended to attract and retain top employees, build relationships with guests and create value for shareholders.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. 
The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n**Due to COVID-19, remediation may take longer than expected.**\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and contractors cannot participate in this program.\n* You cannot participate in this program if 
you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made four months into the future at a minimum.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments of bookings.\n\n## Fraud and 
Privacy Testing\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. Can you discover any PII of these accounts? Stay details? Can you steal the points!? \n### Target these World of Hyatt accounts for fraud and privacy related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt.\n\n## In Scope\n### Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* hyattconnect.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin 
IP.\n* Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Any communication with Hyatt colleagues.\n* Attacks against any account other than the specified target accounts.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\n#### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are 
permissible.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-01-13T17:02:52.917Z"},{"id":3647720,"new_policy":"At Hyatt, our purpose to care for people so they can be their best informs our business decisions and growth strategy and is intended to attract and retain top employees, build relationships with guests and create value for shareholders.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. 
The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n**Due to COVID-19, remediation may take longer than expected.**\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and contractors cannot participate in this program.\n* You cannot participate in this program if 
you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\nIf you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made four months into the future at a minimum.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments of bookings.\n\n## Fraud and 
Privacy Testing\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. Can you discover any PII of these accounts? Stay details? Can you steal the points!? \n### Target these World of Hyatt accounts for fraud related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt.\n\n## In Scope\n### Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* hyattconnect.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* 
Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Any communication with Hyatt colleagues.\n* Attacks against any account other than the specified target accounts.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\n#### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are 
permissible.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-01-13T17:02:10.081Z"},{"id":3647718,"new_policy":"At Hyatt, our purpose to care for people so they can be their best informs our business decisions and growth strategy and is intended to attract and retain top employees, build relationships with guests and create value for shareholders.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously. By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, we hope to continue to raise our already high level of security standards as well as learn from and collaborate with security researchers. If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you! \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation. 
The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope. \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\nWe look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n**Due to COVID-19, remediation may take longer than expected.**\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Hyatt.\n* Follow HackerOne's disclosure guidelines.\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated – to anyone other than Hyatt and HackerOne.\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt colleagues and contractors cannot participate in this program.\n* You cannot participate in this program if 
you have been a Hyatt colleague or contractor in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements\n### Test Accounts\nCreate World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"Test\".\n\n### Reservation Requirements\n#### If you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made four months into the future at a minimum.\n* All test bookings should be canceled as soon as possible.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments of bookings.\n\n## Fraud 
and Privacy Testing\nWe created three accounts you may target to discover privacy and fraud vulnerabilities. These target accounts contain bookings, personal information -- and lots of points. We encourage using these accounts in your testing – but unfortunately, **you cannot keep any points stolen**. Can you discover any PII of these accounts? Stay details? Can you steal the points!? \n#### Target these World of Hyatt accounts for fraud related tests:\n* 540795125Y\n* 535322656B\n* 540941865E\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt.\n\n## In Scope\n### Assets\n* hyatt.com (no additional subdomains unless explicitly mentioned).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* confluence.hyattdev.com.\n* hyattconnect.com.\n* ebsext.oft.hyatt.com.\n* jira.hyattdev.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (not newsroom.hyatt.com).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n### Vulnerabilities\n* Access to another guest’s reservation or account.\n* Application bugs that result in unintended room rate changes.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Bypassing account recovery systems at scale.\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Elevating membership tier.\n* Gaining or using World of Hyatt points inappropriately.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* 
Highly creative means of spoofing email messages.\n* Online name changes on an account or award reservation.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n* Personal information of particular interest (e.g., full payment card information, passport information, precise geolocation, etc.).\n    * A combination of multiple data elements can increase the severity.\n\n## Out of Scope\n### Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Any communication with Hyatt colleagues.\n* Attacks against any account other than the specified target accounts.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n* Using stolen points for personal use.\n* Exploitation of our membership partners:\n    * American Airlines AAdvantage®\n    * FIND experiences\n    * Lindblad Expeditions\n    * M life Rewards destinations\n    * Small Luxury Hotels of the World properties\n    * UrCove properties\n    * Any other organization associated with the World of Hyatt\n\n### Vulnerabilities\n#### When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Any activity that could lead to the disruption of our service (DoS).\n* Attacks requiring MITM or physical access to a user's device.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking on pages with no sensitive actions.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n* Data entry-based room rate errors.\n* Denial of inventory.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Unauthenticated/logout/login CSRF.\n* Vulnerabilities that cannot be reproduced.\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are 
permissible.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \nThank you for helping keep Hyatt and our guests safe!\nThe term “Hyatt” is used in these materials for convenience to refer to Hyatt Hotels Corporation and/or one or more of its affiliates.\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-01-13T17:00:12.168Z"},{"id":3647408,"new_policy":"At Hyatt Hotels Corporation, our mission is to provide authentic hospitality by making a difference in the lives of the people we touch every day. In keeping with this mission, we respect fundamental human rights, as embodied in the Universal Declaration of Human Rights.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously.  By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, Hyatt hopes to continue to raise its already high level of security standards as well as learn from and collaborate with security researchers.  If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you!  \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation.  
The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope.  \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\n\nHyatt Hotels looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt Hotels will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 1 business days \n* Time to bounty (from triage) - Once vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n**Due to COVID-19, remediation may take longer than expected.**\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines] (https://www.hackerone.com/disclosure-guidelines).\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.  \n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated - to anyone other than Hyatt and HackerOne.  
\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt employees and contractors cannot participate in this program.\n* You cannot participate in this program if you have been an employee or a contractor of Hyatt in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.  \n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements\n### Test Accounts\n#### Create World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"**Test**\".\n\n### Reservation Requirements\n#### If you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made four months into the future at a minimum.\n* All test bookings should be canceled **as soon as possible**.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments of bookings.\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). 
Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt Hotels.\n\n## In Scope\n### Assets\n* hyatt.com (**no additional subdomains unless explicitly mentioned**).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* ebsext.oft.hyatt.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (**not newsroom.hyatt.com**).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* www.hyattconnect.com\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n### Vulnerabilities\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n\n## Out of Scope\n### Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n \n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Vulnerabilities that cannot be reproduced.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.  
\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Hyatt Hotels and our guests safe!\n\n\n\n\n\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-30T18:03:02.838Z"},{"id":3642242,"new_policy":"At Hyatt Hotels Corporation, our mission is to provide authentic hospitality by making a difference in the lives of the people we touch every day. In keeping with this mission, we respect fundamental human rights, as embodied in the Universal Declaration of Human Rights.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously.  By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, Hyatt hopes to continue to raise its already high level of security standards as well as learn from and collaborate with security researchers.  If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you!  \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation.  
The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope.  \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\n\nHyatt Hotels looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt Hotels will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 1 business days \n* Time to bounty (from triage) - Once vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n**Due to COVID-19, remediation may take longer than expected.**\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines] (https://www.hackerone.com/disclosure-guidelines).\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.  \n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated - to anyone other than Hyatt and HackerOne.  
\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt employees and contractors cannot participate in this program.\n* You cannot participate in this program if you have been an employee or a contractor of Hyatt in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.  \n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements\n### Test Accounts\n#### Create World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"**Test**\".\n\n### Reservation Requirements\n#### If you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made four months into the future at a minimum.\n* All test bookings should be canceled **as soon as possible**.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments of bookings.\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). 
Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt Hotels.\n\n## In Scope\n### Assets\n* hyatt.com (**no additional subdomains unless explicitly mentioned**).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* ebsext.oft.hyatt.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (**not newsroom.hyatt.com**).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n### Vulnerabilities\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n\n## Out of Scope\n### Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n \n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Vulnerabilities that cannot be reproduced.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.  
\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Hyatt Hotels and our guests safe!\n\n\n\n\n\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-09-10T18:30:35.367Z"},{"id":3642224,"new_policy":"At Hyatt Hotels Corporation, our mission is to provide authentic hospitality by making a difference in the lives of the people we touch every day. In keeping with this mission, we respect fundamental human rights, as embodied in the Universal Declaration of Human Rights.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously.  By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, Hyatt hopes to continue to raise its already high level of security standards as well as learn from and collaborate with security researchers.  If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you!  \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation.  
The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope.  \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\n\nHyatt Hotels looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt Hotels will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 1 business days \n* Time to bounty (from triage) - Once vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n**Due to COVID-19, remediation may take longer than expected.**\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines] (https://www.hackerone.com/disclosure-guidelines).\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.  \n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated - to anyone other than Hyatt and HackerOne.  
\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt employees and contractors cannot participate in this program.\n* You cannot participate in this program if you have been an employee or a contractor of Hyatt in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.  \n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements\n### Test Accounts\n#### Create World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"**Test**\".\n\n### Reservation Requirements\n#### If you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made four months into the future at a minimum.\n* All test bookings should be canceled **as soon as possible**.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments of bookings.\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). 
Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt Hotels.\n\n## In-Scope\n### Assets\n* hyatt.com (**no additional subdomains unless explicitly mentioned**).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* ebsext.oft.hyatt.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (**not newsroom.hyatt.com**).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n### Vulnerabilities\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n\n## Out-of-Scope\n### Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n \n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Vulnerabilities that cannot be reproduced.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.  
\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Hyatt Hotels and our guests safe!\n\n\n\n\n\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-09-10T15:04:43.285Z"},{"id":3642223,"new_policy":"At Hyatt Hotels Corporation, our mission is to provide authentic hospitality by making a difference in the lives of the people we touch every day. In keeping with this mission, we respect fundamental human rights, as embodied in the Universal Declaration of Human Rights.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously.  By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, Hyatt hopes to continue to raise its already high level of security standards as well as learn from and collaborate with security researchers.  If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you!  \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation.  
The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and/or availability of the services in scope.  \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\n\nHyatt Hotels looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt Hotels will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once the vulnerability is remediated, the bounty payout will occur\n\n* Critical = 30 days\n* High = 60 days\n* Medium = 90 days\n* Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n**Due to COVID-19, remediation may take longer than expected.**\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.  \n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations, e.g., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated - to anyone other than Hyatt and HackerOne.  
\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt employees and contractors cannot participate in this program.\n* You cannot participate in this program if you have been an employee or a contractor of Hyatt in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.  \n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements\n### Test Accounts\n#### Create World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"**Test**\".\n\n### Reservation Requirements\n#### If you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made four months into the future at a minimum.\n* All test bookings should be canceled **as soon as possible**.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments of bookings.\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). 
Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt Hotels.\n\n## In-Scope\n### Assets\n* hyatt.com (**no additional subdomains unless explicitly mentioned**).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* ebsext.oft.hyatt.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (**not newsroom.hyatt.com**).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n### Vulnerabilities\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n\n## Out-of-Scope\n### Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Hotel properties and their physical and network infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n \n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Vulnerabilities that cannot be reproduced.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.  
\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Hyatt Hotels and our guests safe!\n\n\n\n\n\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-09-10T15:03:31.735Z"},{"id":3637522,"new_policy":"At Hyatt Hotels Corporation, our mission is to provide authentic hospitality by making a difference in the lives of the people we touch every day. In keeping with this mission, we respect fundamental human rights, as embodied in the Universal Declaration of Human Rights.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously.  By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, Hyatt hopes to continue to raise its already high level of security standards as well as learn from and collaborate with security researchers.  If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you!  \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation.  
The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and/or availability of the services in scope.  \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\n\nHyatt Hotels looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt Hotels will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once the vulnerability is remediated, the bounty payout will occur\n\n* Critical = 30 days\n* High = 60 days\n* Medium = 90 days\n* Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n**Due to COVID-19, remediation may take longer than expected.**\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.  \n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations, e.g., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated - to anyone other than Hyatt and HackerOne.  
\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt employees and contractors cannot participate in this program.\n* You cannot participate in this program if you have been an employee or a contractor of Hyatt in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.  \n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements\n### Test Accounts\n#### Create World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"**Test**\".\n\n### Reservation Requirements\n#### If you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made four months into the future at a minimum.\n* All test bookings should be canceled **as soon as possible**.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments of bookings.\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). 
Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt Hotels.\n\n## In Scope\n### Assets\n* hyatt.com (**no additional subdomains unless explicitly mentioned**).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* ebsext.oft.hyatt.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com (**not newsroom.hyatt.com**).\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n### Vulnerabilities\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n\n## Out of Scope\n### Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Hotel properties and their physical and network infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n \n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Vulnerabilities that cannot be reproduced.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.  
\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Hyatt Hotels and our guests safe!\n\n\n\n\n\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-06-18T14:44:15.627Z"},{"id":3637519,"new_policy":"At Hyatt Hotels Corporation, our mission is to provide authentic hospitality by making a difference in the lives of the people we touch every day. In keeping with this mission, we respect fundamental human rights, as embodied in the Universal Declaration of Human Rights.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously.  By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, Hyatt hopes to continue to raise its already high level of security standards as well as learn from and collaborate with security researchers.  If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you!  \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation.  
The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and/or availability of the services in scope.  \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\n\nHyatt Hotels looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt Hotels will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once the vulnerability is remediated, the bounty payout will occur\n\n* Critical = 30 days\n* High = 60 days\n* Medium = 90 days\n* Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n**Due to COVID-19, remediation may take longer than expected.**\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.  \n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations, e.g., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated - to anyone other than Hyatt and HackerOne.  
\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt employees and contractors cannot participate in this program.\n* You cannot participate in this program if you have been an employee or a contractor of Hyatt in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.  \n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements\n### Test Accounts\n#### Create World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"**Test**\".\n\n### Reservation Requirements\n#### If you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made four months into the future at a minimum.\n* All test bookings should be canceled **as soon as possible**.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments of bookings.\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). 
Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt Hotels.\n\n## In Scope\n### Assets\n* hyatt.com (**no additional subdomains unless explicitly mentioned**).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* assets.hyatt.com.\n* ebsext.oft.hyatt.com.\n* meetings.hyatt.com.\n* mobileapp.hyatt.com.\n* newsroom.images.hyatt.com.\n* plannerrequest.hyatt.com.\n* public.hyatt.com.\n* roominglist.hyatt.com.\n* salesportal.hyatt.com.\n* soaext.oft.hyatt.com.\n* sso.oft.hyatt.com.\n* upsell.hyatt.com.\n* world.hyatt.com.\n* www.hyatt.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n### Vulnerabilities\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n\n## Out of Scope\n### Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Hotel properties and their physical and network infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n \n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Vulnerabilities that cannot be reproduced.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.  
\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Hyatt Hotels and our guests safe!\n\n\n\n\n\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-06-18T14:42:55.476Z"},{"id":3637459,"new_policy":"At Hyatt Hotels Corporation, our mission is to provide authentic hospitality by making a difference in the lives of the people we touch every day. In keeping with this mission, we respect fundamental human rights, as embodied in the Universal Declaration of Human Rights.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously.  By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, Hyatt hopes to continue to raise its already high level of security standards as well as learn from and collaborate with security researchers.  If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you!  \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation.  
The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and/or availability of the services in scope.  \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\n\nHyatt Hotels looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt Hotels will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once the vulnerability is remediated, bounty payout will occur\n\n* Critical = 30 days\n* High = 60 days\n* Medium = 90 days\n* Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n**Due to COVID-19, remediation may take longer than expected.**\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.  \n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated - to anyone other than Hyatt and HackerOne.  
\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt employees and contractors cannot participate in this program.\n* You cannot participate in this program if you have been an employee or a contractor of Hyatt in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.  \n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements\n### Test Accounts\n#### Create World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"**Test**\".\n\n### Reservation Requirements\n#### If you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made four months into the future at a minimum.\n* All test bookings should be canceled **as soon as possible**.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments of bookings.\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). 
Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt Hotels.\n\n## In Scope\n### Assets\n* hyatt.com (**no additional subdomains unless explicitly mentioned**).\n* www.hyatt.com (no additional subdomains).\n* world.hyatt.com (no additional subdomains).\n* assets.hyatt.com (no additional subdomains).\n* newsroom.images.hyatt.com (no additional subdomains).\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* meetings.hyatt.com\n\n### Vulnerabilities\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n\n## Out of Scope\n### Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Hotel properties and their physical and network infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Vulnerabilities that cannot be reproduced.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.  
\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Hyatt Hotels and our guests safe!\n\n\n\n\n\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-06-17T13:53:23.271Z"},{"id":3636530,"new_policy":"At Hyatt Hotels Corporation, our mission is to provide authentic hospitality by making a difference in the lives of the people we touch every day. In keeping with this mission, we respect fundamental human rights, as embodied in the Universal Declaration of Human Rights.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously.  By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, Hyatt hopes to continue to raise its already high level of security standards as well as learn from and collaborate with security researchers.  If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you!  \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation.  
The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and/or availability of the services in scope.  \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\n\nHyatt Hotels looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt Hotels will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once the vulnerability is remediated, bounty payout will occur\n\n* Critical = 30 days\n* High = 60 days\n* Medium = 90 days\n* Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n**Due to COVID-19, remediation may take longer than expected.**\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.  \n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated - to anyone other than Hyatt and HackerOne.  
\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt employees and contractors cannot participate in this program.\n* You cannot participate in this program if you have been an employee or a contractor of Hyatt in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.  \n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements\n### Test Accounts\n#### Create World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"**Test**\".\n\n### Reservation Requirements\n#### If you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made four months into the future at a minimum.\n* All test bookings should be canceled **as soon as possible**.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments of bookings.\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). 
Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt Hotels.\n\n## In Scope\n### Assets\n* hyatt.com (**no additional subdomains unless explicitly mentioned**).\n* www.hyatt.com (no additional subdomains).\n* world.hyatt.com (no additional subdomains).\n* assets.hyatt.com (no additional subdomains).\n* newsroom.images.hyatt.com (no additional subdomains).\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* New payment page (details within the Scope section below).\n\n### Vulnerabilities\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n\n## Out of Scope\n### Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Hotel properties and their physical and network infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* Rate-limiting issues on endpoints that do not disclose PII or other relevant information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Vulnerabilities that cannot be reproduced.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.  
\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Hyatt Hotels and our guests safe!\n\n\n\n\n\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-05-20T21:01:06.807Z"},{"id":3636529,"new_policy":"At Hyatt Hotels Corporation, our mission is to provide authentic hospitality by making a difference in the lives of the people we touch every day. In keeping with this mission, we respect fundamental human rights, as embodied in the Universal Declaration of Human Rights.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously.  By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, Hyatt hopes to continue to raise its already high level of security standards as well as learn from and collaborate with security researchers.  If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you!  \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation.  
The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and/or availability of the services in scope.  \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\n\nHyatt Hotels looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt Hotels will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once the vulnerability is remediated, bounty payout will occur\n\n* Critical = 30 days\n* High = 60 days\n* Medium = 90 days\n* Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n**Due to COVID-19, remediation may take longer than expected.**\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.  \n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated - to anyone other than Hyatt and HackerOne.  
\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt employees and contractors cannot participate in this program.\n* You cannot participate in this program if you have been an employee or a contractor of Hyatt in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.  \n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements\n### Test Accounts\n#### Create World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"**Test**\".\n\n### Reservation Requirements\n#### If you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made four months into the future at a minimum.\n* All test bookings should be canceled **as soon as possible**.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments of bookings.\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). 
Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt Hotels.\n\n## In Scope\n### Assets\n* hyatt.com (**no additional subdomains unless explicitly mentioned**).\n* www.hyatt.com (no additional subdomains).\n* world.hyatt.com (no additional subdomains).\n* assets.hyatt.com (no additional subdomains).\n* newsroom.images.hyatt.com (no additional subdomains).\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* New payment page (details within the Scope section below).\n\n### Vulnerabilities\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n\n## Out of Scope\n### Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Hotel properties and their physical and network infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* Rate-limiting issues on endpoints that do not disclose PII or other important information.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Vulnerabilities that cannot be reproduced.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.  
\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Hyatt Hotels and our guests safe!\n\n\n\n\n\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-05-20T20:57:06.401Z"},{"id":3636527,"new_policy":"At Hyatt Hotels Corporation, our mission is to provide authentic hospitality by making a difference in the lives of the people we touch every day. In keeping with this mission, we respect fundamental human rights, as embodied in the Universal Declaration of Human Rights.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously.  By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, Hyatt hopes to continue to raise its already high level of security standards as well as learn from and collaborate with security researchers.  If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you!  \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation.  
The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and/or availability of the services in scope.  \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\n\nHyatt Hotels looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt Hotels will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once the vulnerability is remediated, bounty payout will occur\n\n* Critical = 30 days\n* High = 60 days\n* Medium = 90 days\n* Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n**Due to COVID-19, remediation may take longer than expected.**\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.  \n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated - to anyone other than Hyatt and HackerOne.  
\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt employees and contractors cannot participate in this program.\n* You cannot participate in this program if you have been an employee or a contractor of Hyatt in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.  \n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements\n### Test Accounts\n#### Create World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"**Test**\".\n\n### Reservation Requirements\n#### If you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made four months into the future at a minimum.\n* All test bookings should be canceled **as soon as possible**.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments of bookings.\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). 
Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt Hotels.\n\n## In Scope\n### Assets\n* hyatt.com (**no additional subdomains unless explicitly mentioned**).\n* www.hyatt.com (no additional subdomains).\n* world.hyatt.com (no additional subdomains).\n* assets.hyatt.com (no additional subdomains).\n* newsroom.images.hyatt.com (no additional subdomains).\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* New payment page (details within the Scope section below).\n\n### Vulnerabilities\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n\n## Out of Scope\n### Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Hotel properties and their physical and network infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n \n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* Rate-limiting issues on non-essential endpoints.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Vulnerabilities that cannot be reproduced.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector / without being able to modify HTML/CSS.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.  
\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Hyatt Hotels and our guests safe!\n\n\n\n\n\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-05-20T20:54:12.595Z"},{"id":3634557,"new_policy":"At Hyatt Hotels Corporation, our mission is to provide authentic hospitality by making a difference in the lives of the people we touch every day. In keeping with this mission, we respect fundamental human rights, as embodied in the Universal Declaration of Human Rights.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously.  By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, Hyatt hopes to continue to raise its already high level of security standards as well as learn from and collaborate with security researchers.  If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you!  \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation.  
The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and/or availability of the services in scope.  \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\n\nHyatt Hotels looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt Hotels will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once the vulnerability is remediated, the bounty payout will occur\n\n* Critical = 30 days\n* High = 60 days\n* Medium = 90 days\n* Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n**Due to COVID-19, remediation may take longer than expected.**\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.  \n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations, e.g., GitHub.\n* Do not intentionally harm other guests or their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated - to anyone other than Hyatt and HackerOne.  
\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt employees and contractors cannot participate in this program.\n* You cannot participate in this program if you have been an employee or a contractor of Hyatt in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.  \n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements\n### Test Accounts\n#### Create World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"**Test**\".\n\n### Reservation Requirements\n#### If you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made four months into the future at a minimum.\n* All test bookings should be canceled **as soon as possible**.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments of bookings.\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). 
Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt Hotels.\n\n## In Scope\n### Assets\n* hyatt.com (**no additional subdomains unless explicitly mentioned**).\n* www.hyatt.com (no additional subdomains).\n* world.hyatt.com (no additional subdomains).\n* assets.hyatt.com (no additional subdomains).\n* newsroom.images.hyatt.com (no additional subdomains).\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n* 140.95.0.0/16.\n* 213.139.133.32/28.\n* New payment page (details within the Scope section below).\n\n### Vulnerabilities\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n\n## Out of Scope\n### Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Hotel properties and their physical and network infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n \n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* Rate-limiting issues.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Vulnerabilities that cannot be reproduced.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector / without being able to modify HTML/CSS.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.  
\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Hyatt Hotels and our guests safe!\n\n\n\n\n\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-04-03T14:16:45.650Z"},{"id":3633921,"new_policy":"At Hyatt Hotels Corporation, our mission is to provide authentic hospitality by making a difference in the lives of the people we touch every day. In keeping with this mission, we respect fundamental human rights, as embodied in the Universal Declaration of Human Rights.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously.  By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, Hyatt hopes to continue to raise its already high level of security standards as well as learn from and collaborate with security researchers.  If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you!  \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation.  
The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and/or availability of the services in scope.  \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\n\nHyatt Hotels looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt Hotels will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once the vulnerability is remediated, the bounty payout will occur\n\n* Critical = 30 days\n* High = 60 days\n* Medium = 90 days\n* Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n**Due to COVID-19, remediation may take longer than expected.**\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.  \n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations, e.g., GitHub.\n* Do not intentionally harm other guests or their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated - to anyone other than Hyatt and HackerOne.  
\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt employees and contractors cannot participate in this program.\n* You cannot participate in this program if you have been an employee or a contractor of Hyatt in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.  \n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements\n### Test Accounts\n#### Create World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"**Test**\".\n\n### Reservation Requirements\n#### If you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made four months into the future at a minimum.\n* All test bookings should be canceled **as soon as possible**.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments of bookings.\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). 
Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt Hotels.\n\n## In Scope\n### Assets\n* hyatt.com (no subdomain).\n* www.hyatt.com (no additional subdomains).\n* world.hyatt.com (no additional subdomains).\n* assets.hyatt.com (no additional subdomains).\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n### Vulnerabilities\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n\n## Out of Scope\n### Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Hotel properties and their physical and network infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n \n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* Rate-limiting issues.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Vulnerabilities that cannot be reproduced.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector / without being able to modify HTML/CSS.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.  
\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Hyatt Hotels and our guests safe!\n\n\n\n\n\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-03-25T15:58:06.935Z"},{"id":3629535,"new_policy":"At Hyatt Hotels Corporation, our mission is to provide authentic hospitality by making a difference in the lives of the people we touch every day. In keeping with this mission, we respect fundamental human rights, as embodied in the Universal Declaration of Human Rights.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously.  By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, Hyatt hopes to continue to raise its already high level of security standards as well as learn from and collaborate with security researchers.  If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you!  \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation.  
The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and/or availability of the services in scope.  \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\n\nHyatt Hotels looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt Hotels will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day \n* Time to bounty (from triage) - Once the vulnerability is remediated, the bounty payout will occur\n\n* Critical = 30 days\n* High = 60 days\n* Medium = 90 days\n* Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.  \n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations, e.g., GitHub.\n* Do not intentionally harm other guests or their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated - to anyone other than Hyatt and HackerOne.  
\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt employees and contractors cannot participate in this program.\n* You cannot participate in this program if you have been an employee or a contractor of Hyatt in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.  \n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Testing Requirements\n### Test Accounts\n#### Create World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"**Test**\".\n\n### Reservation Requirements\n#### If you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made four months into the future at a minimum.\n* All test bookings should be canceled **as soon as possible**.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments of bookings.\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). 
Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt Hotels.\n\n## In Scope\n### Assets\n* hyatt.com (no subdomain).\n* www.hyatt.com (no additional subdomains).\n* world.hyatt.com (no additional subdomains).\n* assets.hyatt.com (no additional subdomains).\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n### Vulnerabilities\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n\n## Out of Scope\n### Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Hotel properties and their physical and network infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n \n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* Rate-limiting issues.\n* Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Vulnerabilities that cannot be reproduced.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector / without being able to modify HTML/CSS.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.  
\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Hyatt Hotels and our guests safe!\n\n\n\n\n\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-01-30T20:55:19.379Z"},{"id":3629523,"new_policy":"At Hyatt Hotels Corporation, our mission is to provide authentic hospitality by making a difference in the lives of the people we touch every day. In keeping with this mission, we respect fundamental human rights, as embodied in the Universal Declaration of Human Rights.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously.  By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, Hyatt hopes to continue to raise its already high level of security standards as well as learn from and collaborate with security researchers.  If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you!  \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation.  
The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope.  \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\n\nHyatt Hotels looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt Hotels will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 1 business days \n* Time to bounty (from triage) - Once vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines] (https://www.hackerone.com/disclosure-guidelines).\n\n##Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.  \n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated - to anyone other than Hyatt and HackerOne.  
\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt employees and contractors cannot participate in this program.\n* You cannot participate in this program if you have been an employee or a contractor of Hyatt in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.  \n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n##Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n##Testing Requirements\n###Test Accounts\n####Create World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"**Test**\".\n\n###Reservation Requirements\n####If you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made four months into the future at a minimum.\n* All test bookings should be canceled **as soon as possible**.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments of bookings.\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). 
Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt Hotels.\n\n## In Scope\n###Assets\n* hyatt.com (no subdomain).\n* www.hyatt.com (no additional subdomains).\n* world.hyatt.com (no additional subdomains).\n* assets.hyatt.com (no additional subdomains).\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n###Vulnerabilities\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n\n## Out of Scope\n###Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n \n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* Rate-limiting issues.\n* Reports originating from automated tools or scanners (e.g., Burp, Acunetix, WebInspect).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Vulnerabilities that cannot be reproduced.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n##SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.  
\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n## Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\nThank you for helping keep Hyatt Hotels and our guests safe!\n\n\n\n\n\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-01-30T17:39:29.396Z"},{"id":3616303,"new_policy":"At Hyatt Hotels Corporation, our mission is to provide authentic hospitality by making a difference in the lives of the people we touch every day. In keeping with this mission, we respect fundamental human rights, as embodied in the Universal Declaration of Human Rights.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously.  By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, Hyatt hopes to continue to raise its already high level of security standards as well as learn from and collaborate with security researchers.  If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you!  \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation.  
The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope.  \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\n\nHyatt Hotels looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt Hotels will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 1 business days \n* Time to bounty (from triage) - Once vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines] (https://www.hackerone.com/disclosure-guidelines).\n\n##Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.  \n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated - to anyone other than Hyatt and HackerOne.  
\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt employees and contractors cannot participate in this program.\n* You cannot participate in this program if you have been an employee or a contractor of Hyatt in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.  \n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n##Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n##Testing Requirements\n###Test Accounts\n####Create World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"**Test**\".\n\n###Reservation Requirements\n####If you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made four months into the future at a minimum.\n* All test bookings should be canceled **as soon as possible**.\n* Do not book New York City or Chicago properties for testing purposes.\n* If possible, add \"HackerOne\" to the comments of bookings.\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). 
Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt Hotels.\n\n## In Scope\n###Assets\n* hyatt.com (no subdomain).\n* www.hyatt.com (no additional subdomains).\n* world.hyatt.com (no additional subdomains).\n* assets.hyatt.com (no additional subdomains).\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n###Vulnerabilities\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n\n## Out of Scope\n###Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n \n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* Rate-limiting issues.\n* Reports originating from automated tools or scanners (e.g., Burp, Acunetix, WebInspect).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Vulnerabilities that cannot be reproduced.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n##SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.  
\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n\n## Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\n\nThank you for helping keep Hyatt Hotels and our users safe!\n\n\n\n\n\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-08-14T16:50:36.522Z"},{"id":3612572,"new_policy":"At Hyatt Hotels Corporation, our mission is to provide authentic hospitality by making a difference in the lives of the people we touch every day. In keeping with this mission, we respect fundamental human rights, as embodied in the Universal Declaration of Human Rights.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously.  By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, Hyatt hopes to continue to raise its already high level of security standards as well as learn from and collaborate with security researchers.  If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you!  \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation.  
The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope.  \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\n\nHyatt Hotels looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt Hotels will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 1 business days \n* Time to bounty (from triage) - Once vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines] (https://www.hackerone.com/disclosure-guidelines).\n\n##Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.  \n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated - to anyone other than Hyatt and HackerOne.  
\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt employees and contractors cannot participate in this program.\n* You cannot participate in this program if you have been an employee or a contractor of Hyatt in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.  \n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n##Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n##Testing Requirements\n###Test Accounts\n####Create World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (for multiple accounts - \u003chandle\u003eone, \u003chandle\u003etwo, etc.).\n* Last name: \"**Test**\".\n\n###Reservation Requirements\n####If you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made four months into the future at a minimum.\n* All test bookings should be canceled **as soon as possible**.\n* Do not book New York properties or the Hyatt Regency Chicago for testing purposes.\n* If possible, add \"HackerOne\" to the comments of bookings.\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). 
Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt Hotels.\n\n## In Scope\n###Assets\n* hyatt.com (no subdomain).\n* www.hyatt.com (no additional subdomains).\n* world.hyatt.com (no additional subdomains).\n* assets.hyatt.com (no additional subdomains).\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n###Vulnerabilities\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n\n## Out of Scope\n###Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n \n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* Rate-limiting issues.\n* Reports originating from automated tools or scanners (e.g., Burp, Acunetix, WebInspect).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Vulnerabilities that cannot be reproduced.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n##SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.  
\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n\n## Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\n\nThank you for helping keep Hyatt Hotels and our users safe!\n\n\n\n\n\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-06-24T21:04:48.578Z"},{"id":3612568,"new_policy":"At Hyatt Hotels Corporation, our mission is to provide authentic hospitality by making a difference in the lives of the people we touch every day. In keeping with this mission, we respect fundamental human rights, as embodied in the Universal Declaration of Human Rights.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously.  By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, Hyatt hopes to continue to raise its already high level of security standards as well as learn from and collaborate with security researchers.  If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you!  \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation.  
The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope.  \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\n\nHyatt Hotels looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt Hotels will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 1 business days \n* Time to bounty (from triage) - Once vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines] (https://www.hackerone.com/disclosure-guidelines).\n\n##Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.  \n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated - to anyone other than Hyatt and HackerOne.  
\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt employees and contractors cannot participate in this program.\n* You cannot participate in this program if you have been an employee or a contractor of Hyatt in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.  \n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n##Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n##Testing Requirements\n###Test Accounts\n####Create World of Hyatt test accounts to these specifications:\n* First name: \u003cHackerOne handle\u003e (add numbers to this field if you require multiple accounts).\n* Last name: \"**Test**\".\n\n###Reservation Requirements\n####If you must create bookings for testing purposes, follow these rules:\n* Test bookings should be made four months into the future at a minimum.\n* All test bookings should be canceled **as soon as possible**.\n* Do not book New York properties or the Hyatt Regency Chicago for testing purposes.\n* If possible, add \"HackerOne\" to the comments of bookings.\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). 
Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt Hotels.\n\n## In Scope\n###Assets\n* hyatt.com (no subdomain).\n* www.hyatt.com (no additional subdomains).\n* world.hyatt.com (no additional subdomains).\n* assets.hyatt.com (no additional subdomains).\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n###Vulnerabilities\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n\n## Out of Scope\n###Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n \n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* Rate-limiting issues.\n* Reports originating from automated tools or scanners (e.g., Burp, Acunetix, WebInspect).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Vulnerabilities that cannot be reproduced.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n##SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.  
\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n\n## Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\n\nThank you for helping keep Hyatt Hotels and our users safe!\n\n\n\n\n\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-06-24T20:37:39.265Z"},{"id":3610520,"new_policy":"At Hyatt Hotels Corporation, our mission is to provide authentic hospitality by making a difference in the lives of the people we touch every day. In keeping with this mission, we respect fundamental human rights, as embodied in the Universal Declaration of Human Rights.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously.  By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, Hyatt hopes to continue to raise its already high level of security standards as well as learn from and collaborate with security researchers.  If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you!  \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation.  
The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope.  \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\n\nHyatt Hotels looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt Hotels will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 1 business days \n* Time to bounty (from triage) - Once vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n##Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.  \n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated - to anyone other than Hyatt and HackerOne.  
\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt employees and contractors cannot participate in this program.\n* You cannot participate in this program if you have been an employee or a contractor of Hyatt in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.  \n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n##Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). 
Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt Hotels.\n\n## In Scope\n###Assets\n* hyatt.com (no subdomain).\n* www.hyatt.com (no additional subdomains).\n* world.hyatt.com (no additional subdomains).\n* assets.hyatt.com (no additional subdomains).\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n###Vulnerabilities\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n\n## Out of Scope\n###Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n \n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* Rate-limiting issues.\n* Reports originating from automated tools or scanners (e.g., Burp, Acunetix, WebInspect).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Vulnerabilities that cannot be reproduced.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n##SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.  
\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n\n## Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\n\nThank you for helping keep Hyatt Hotels and our users safe!\n\n\n\n\n\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-05-30T13:53:48.368Z"},{"id":3606773,"new_policy":"At Hyatt Hotels Corporation, our mission is to provide authentic hospitality by making a difference in the lives of the people we touch every day. In keeping with this mission, we respect fundamental human rights, as embodied in the Universal Declaration of Human Rights.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously.  By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, Hyatt hopes to continue to raise its already high level of security standards as well as learn from and collaborate with security researchers.  If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you!  \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation.  
The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope.  \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\n\nHyatt Hotels looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt Hotels will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 1 business days \n* Time to bounty (from triage) - Once vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n##Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.  \n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated - to anyone other than Hyatt and HackerOne.  
\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt employees and contractors cannot participate in this program.\n* You cannot participate in this program if you have been an employee or a contractor of Hyatt in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.  \n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Limit automation/rate scraping to 100 requests per minute.\n* Cancel all reservations created by test accounts.\n\n##Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). 
Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt Hotels.\n\n## In Scope\n###Assets\n* hyatt.com (no subdomain).\n* www.hyatt.com (no additional subdomains).\n* world.hyatt.com (no additional subdomains).\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n###Vulnerabilities\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n\n## Out of Scope\n###Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n \n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* Rate-limiting issues.\n* Reports originating from automated tools or scanners (e.g., Burp, Acunetix, WebInspect).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Vulnerabilities that cannot be reproduced.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n##SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.  
\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n\n## Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\n\nThank you for helping keep Hyatt Hotels and our users safe!\n\n\n\n\n\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-04-02T16:43:03.870Z"},{"id":3602311,"new_policy":"At Hyatt Hotels Corporation, our mission is to provide authentic hospitality by making a difference in the lives of the people we touch every day. In keeping with this mission, we respect fundamental human rights, as embodied in the Universal Declaration of Human Rights.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously.  By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, Hyatt hopes to continue to raise its already high level of security standards as well as learn from and collaborate with security researchers.  If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you!  \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation.  
The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope.  \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\n\nHyatt Hotels looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt Hotels will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 1 business days \n* Time to bounty (from triage) - Once vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n##Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.  \n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated - to anyone other than Hyatt and HackerOne.  
\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt employees and contractors cannot participate in this program.\n* You cannot participate in this program if you have been an employee or a contractor of Hyatt in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.  \n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n*Limit automation/rate scraping to 100 requests per minute.\n\n##Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). 
Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt Hotels.\n\n## In Scope\n###Assets\n* hyatt.com (no subdomain).\n* www.hyatt.com (no additional subdomains).\n* world.hyatt.com (no additional subdomains).\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n###Vulnerabilities\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n\n## Out of Scope\n###Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n \n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* Rate-limiting issues.\n* Reports originating from automated tools or scanners (e.g., Burp, Acunetix, WebInspect).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Vulnerabilities that cannot be reproduced.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n##SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.  
\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n\n## Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\n\nThank you for helping keep Hyatt Hotels and our users safe!\n\n\n\n\n\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-02-07T17:46:37.361Z"},{"id":3600470,"new_policy":"At Hyatt Hotels Corporation, our mission is to provide authentic hospitality by making a difference in the lives of the people we touch every day. In keeping with this mission, we respect fundamental human rights, as embodied in the Universal Declaration of Human Rights.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously.  By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, Hyatt hopes to continue to raise its already high level of security standards as well as learn from and collaborate with security researchers.  If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you!  \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation.  
The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope.  \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\n\nHyatt Hotels looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt Hotels will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 1 business days \n* Time to bounty (from triage) - Once vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n##Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.  \n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated - to anyone other than Hyatt and HackerOne.  
\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt employees and contractors cannot participate in this program.\n* You cannot participate in this program if you have been an employee or a contractor of Hyatt in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.  \n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n##Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). 
Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt Hotels.\n\n## In Scope\n###Assets\n* hyatt.com (no subdomain).\n* www.hyatt.com (no additional subdomains).\n* world.hyatt.com (no additional subdomains).\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n###Vulnerabilities\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Highly creative means of automating account checking or rate scraping (e.g., botting).\n* Highly creative means of discovering origin IP.\n* Highly creative means of spoofing email messages.\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n\n## Out of Scope\n###Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n \n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* Rate-limiting issues.\n* Reports originating from automated tools or scanners (e.g., Burp, Acunetix, WebInspect).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Vulnerabilities that cannot be reproduced.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n##SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.  
\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n\n## Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\n\nThank you for helping keep Hyatt Hotels and our users safe!\n\n\n\n\n\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-01-14T20:05:31.887Z"},{"id":3600200,"new_policy":"At Hyatt Hotels Corporation, our mission is to provide authentic hospitality by making a difference in the lives of the people we touch every day. In keeping with this mission, we respect fundamental human rights, as embodied in the Universal Declaration of Human Rights.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously.  By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, Hyatt hopes to continue to raise its already high level of security standards as well as learn from and collaborate with security researchers.  If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you!  \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation.  
The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope.  \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\n\nHyatt Hotels looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt Hotels will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 1 business days \n* Time to bounty (from triage) - Once vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n##Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.  \n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated - to anyone other than Hyatt and HackerOne.  
\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt employees and contractors cannot participate in this program.\n* You cannot participate in this program if you have been an employee or a contractor of Hyatt in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.  \n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n##Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). 
Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt Hotels.\n\n## In Scope\n###Assets\n* hyatt.com (no subdomain).\n* www.hyatt.com (no additional subdomains).\n* world.hyatt.com (no additional subdomains).\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n###Vulnerabilities\n* Novel Origin IP address discovery.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Novel means of automating account checking or rate scraping (e.g., botting).\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n\n## Out of Scope\n###Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n \n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* Rate-limiting issues.\n* Reports originating from automated tools or scanners (e.g., Burp, Acunetix, WebInspect).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Vulnerabilities that cannot be reproduced.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n##SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.  
\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n\n## Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\n\nThank you for helping keep Hyatt Hotels and our users safe!\n\n\n\n\n\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-01-11T04:12:30.470Z"},{"id":3600199,"new_policy":"At Hyatt Hotels Corporation, our mission is to provide authentic hospitality by making a difference in the lives of the people we touch every day. In keeping with this mission, we respect fundamental human rights, as embodied in the Universal Declaration of Human Rights.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously.  By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, Hyatt hopes to continue to raise its already high level of security standards as well as learn from and collaborate with security researchers.  If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you!  \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation.  
The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope.  \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\n\nHyatt Hotels looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt Hotels will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 1 business days \n* Time to bounty (from triage) - Once vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n##Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.  \n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated - to anyone other than Hyatt and HackerOne.  
\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt employees and contractors cannot participate in this program.\n* You cannot participate in this program if you have been an employee or a contractor of Hyatt in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.  \n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n##Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). 
Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt Hotels.\n\n## In Scope\n###Assets\n* www.hyatt.com.\n* world.hyatt.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n###Vulnerabilities\n* Novel Origin IP address discovery.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Novel means of automating account checking or rate scraping (e.g., botting).\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n\n## Out of Scope\n###Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n \n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* Rate-limiting issues.\n* Reports originating from automated tools or scanners (e.g., Burp, Acunetix, WebInspect).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Vulnerabilities that cannot be reproduced.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n##SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.  
\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n\n## Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\n\nThank you for helping keep Hyatt Hotels and our users safe!\n\n\n\n\n\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-01-11T04:09:37.686Z"},{"id":3600198,"new_policy":"At Hyatt Hotels Corporation, our mission is to provide authentic hospitality by making a difference in the lives of the people we touch every day. In keeping with this mission, we respect fundamental human rights, as embodied in the Universal Declaration of Human Rights.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously.  By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, Hyatt hopes to continue to raise its already high level of security standards as well as learn from and collaborate with security researchers.  If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you!  \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation.  
The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope.  \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\n\nHyatt Hotels looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt Hotels will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 1 business days \n* Time to bounty (from triage) - Once vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n##Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.  \n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated - to anyone other than Hyatt and HackerOne.  
\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt employees and contractors cannot participate in this program.\n* You cannot participate in this program if you have been an employee or a contractor of Hyatt in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.  \n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n##Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). 
Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt Hotels.\n\n## In Scope\n###Assets\n* http(s)://hyatt.com (no subdomains).\n* http(s)://www.hyatt.com.\n* http(s)://world.hyatt.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n###Vulnerabilities\n* Novel Origin IP address discovery.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Novel means of automating account checking or rate scraping (e.g., botting).\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n\n## Out of Scope\n###Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Hotel properties and their physical and networks infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n \n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n* Password and account recovery policies.\n* Password policies, i.e., complexity.\n* Phishing or spear phishing attacks.\n* Rate-limiting issues.\n* Reports originating from automated tools or scanners (e.g., Burp, Acunetix, WebInspect).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Vulnerabilities that cannot be reproduced.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n##SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.  
\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n\n## Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\n\nThank you for helping keep Hyatt Hotels and our users safe!\n\n\n\n\n\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-01-11T04:06:42.676Z"},{"id":3600197,"new_policy":"At Hyatt Hotels Corporation, our mission is to provide authentic hospitality by making a difference in the lives of the people we touch every day. In keeping with this mission, we respect fundamental human rights, as embodied in the Universal Declaration of Human Rights.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously.  By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, Hyatt hopes to continue to raise its already high level of security standards as well as learn from and collaborate with security researchers.  If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you!  \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation.  
The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope.  \n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\n\nHyatt Hotels looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. \n\n## SLA\nHyatt Hotels will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business days\n* Time to triage (from report submit) - 1 business days \n* Time to bounty (from triage) - Once vulnerability is remediated, bounty payout will occur\n\n*Critical = 30 days\n*High = 60 days\n*Medium = 90 days\n*Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n##Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.  \n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations i.e., GitHub.\n* Do not intentionally harm other guests as well as their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated - to anyone other than Hyatt and HackerOne.  
\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt employees and contractors cannot participate in this program.\n* You cannot participate in this program if you have been an employee or a contractor of Hyatt in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.  \n* A bounty is only eligible for payout if the exploited vulnerability is not known and can be reproduced. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n##Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). 
Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt Hotels.\n\n## In Scope\n### Assets\n* http(s)://hyatt.com (no subdomains).\n* http(s)://www.hyatt.com (no subdomains).\n* http(s)://world.hyatt.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n### Vulnerabilities\n* Novel origin IP address discovery.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Novel means of automating account checking or rate scraping (e.g., botting).\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n\n## Out of Scope\n### Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Hotel properties and their physical and network infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. 
The following issues are considered out of scope:\n\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n* Password and account recovery policies.\n* Password policies, e.g., complexity requirements.\n* Phishing or spear phishing attacks.\n* Rate-limiting issues.\n* Reports originating from automated tools or scanners (e.g., Burp, Acunetix, WebInspect).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Vulnerabilities that cannot be reproduced.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector or being able to modify HTML/CSS.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.
\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n\n## Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\n\nThank you for helping keep Hyatt Hotels and our users safe!\n\n\n\n\n\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-01-11T04:02:48.980Z"},{"id":3600062,"new_policy":"At Hyatt Hotels Corporation, our mission is to provide authentic hospitality by making a difference in the lives of the people we touch every day. In keeping with this mission, we respect fundamental human rights, as embodied in the Universal Declaration of Human Rights.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously.  By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, Hyatt hopes to continue to raise its already high level of security standards as well as learn from and collaborate with security researchers.  If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you!  \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation.  
The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and/or availability of the services in scope.\n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\n\nHyatt Hotels looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.\n\n## SLA\nHyatt Hotels will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day\n* Time to bounty (from triage) - Once the vulnerability is remediated, bounty payout will occur\n\n* Critical = 30 days\n* High = 60 days\n* Medium = 90 days\n* Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations, e.g., GitHub.\n* Do not intentionally harm other guests or their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated - to anyone other than Hyatt and HackerOne.
\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt employees and contractors cannot participate in this program.\n* You cannot participate in this program if you have been an employee or a contractor of Hyatt in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not already known and can be reproduced.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g., phishing, vishing, smishing) is prohibited.\n* Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). 
Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt Hotels.\n\n## In Scope\n### Assets\n* hyatt.com.\n* www.hyatt.com.\n* world.hyatt.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n### Vulnerabilities\n* Novel origin IP address discovery.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Novel means of automating account checking or rate scraping (e.g., botting).\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n\n## Out of Scope\n### Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Hotel properties and their physical and network infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. 
The following issues are considered out of scope:\n\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n* Password and account recovery policies.\n* Password policies, e.g., complexity requirements.\n* Phishing or spear phishing attacks.\n* Rate-limiting issues.\n* Reports originating from automated tools or scanners (e.g., Burp, Acunetix, WebInspect).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Vulnerabilities that cannot be reproduced.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector or being able to modify HTML/CSS.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.
\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n\n## Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\n\nThank you for helping keep Hyatt Hotels and our users safe!\n\n\n\n\n\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-01-09T16:06:46.949Z"},{"id":3600051,"new_policy":"At Hyatt Hotels Corporation, our mission is to provide authentic hospitality by making a difference in the lives of the people we touch every day. In keeping with this mission, we respect fundamental human rights, as embodied in the Universal Declaration of Human Rights.\n\n## Keeping Guests Safe\n\nHyatt takes the security of our guests and colleagues very seriously.  By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, Hyatt hopes to continue to raise its already high level of security standards as well as learn from and collaborate with security researchers.  If you have information about a qualified security vulnerability that is within our predetermined scope, we would love to hear from you!  \n\nIn-scope vulnerabilities will be rewarded based on severity following remediation.  
The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and/or availability of the services in scope.\n\nBy participating in the Hyatt Bug Bounty program you agree to follow all of the requirements below.\n\nHyatt Hotels looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.\n\n## SLA\nHyatt Hotels will make a best effort to meet the following SLAs for hackers participating in our program:\n\n* Time to first response (from report submit) - 1 business day\n* Time to triage (from report submit) - 1 business day\n* Time to bounty (from triage) - Once the vulnerability is remediated, bounty payout will occur\n\n* Critical = 30 days\n* High = 60 days\n* Medium = 90 days\n* Low = N/A\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n## Disclosure Policy\n* Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Program Rules and Bounty Eligibility\n* Do not collect any personally identifiable information, authentication information, or credit card information from other Hyatt guests.\n* Do not destroy or alter discovered data.\n* Do not inappropriately store Hyatt information in public locations, e.g., GitHub.\n* Do not intentionally harm other guests or their experience.\n* Do not publicly or privately disclose any vulnerabilities belonging to Hyatt - existing or remediated - to anyone other than Hyatt and HackerOne.
\n* Do not contact Hyatt directly about questions regarding HackerOne vulnerabilities or bounties.\n* Current Hyatt employees and contractors cannot participate in this program.\n* You cannot participate in this program if you have been an employee or a contractor of Hyatt in the past six months.\n* Only submit vulnerability reports through the HackerOne platform.\n* A bounty is only eligible for payout if the exploited vulnerability is not already known and can be reproduced.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g., phishing, vishing, smishing) is prohibited.\n* Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n## Submission Requirements\n* All vulnerability reports must be filed through the HackerOne platform.\n* Vulnerability reports must meet all of HackerOne’s requirements.\n* https://docs.hackerone.com/programs/submit-report-form.html\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring System). 
Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt Hotels.\n\n## In Scope\n### Assets\n* hyatt.com.\n* www.hyatt.com.\n* world.hyatt.com.\n* m.hyatt.com.\n* Hyatt Hotels Mobile Application (Android \u0026 iOS).\n\n### Vulnerabilities\n* Novel origin IP address discovery.\n* Authentication bypass.\n* Back-end system access via front-end systems.\n* Business logic bypass resulting in financial gain to an attacker (e.g., forced rate change).\n* Container escape.\n* Discovery of Hyatt data on public cloud storage services.\n* Novel means of automating account checking or rate scraping (e.g., botting).\n* Publicly available cloud systems that may host Hyatt information.\n* SQL Injection.\n* Cross-Site Request Forgery.\n* Exploitable Cross-Site Scripting.\n* WAF bypass.\n\n## Out of Scope\n### Assets\n* Any other Hyatt assets not specifically listed as in-scope.\n* Hotel properties and their physical and network infrastructure.\n* Hyatt corporate information systems.\n* Third-party companies that perform business transactions for Hyatt employees and contractors.\n\n### Vulnerabilities\nWhen reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. 
The following issues are considered out of scope:\n\n* Vulnerabilities without discernible impact on Hyatt IT systems or guest privacy.\n* Attacks requiring physical access to a user’s device.\n* Attacks requiring physical access to a Hyatt employee, contractor or guest device.\n* Autocomplete on web forms.\n* Clickjacking, unless an effective exploit can be demonstrated.\n* Client browser vulnerabilities.\n* Denial of Service attacks on Hyatt infrastructure.\n* Limited content reflection or content spoofing.\n* Missing best practices.\n* Password and account recovery policies.\n* Password policies, e.g., complexity requirements.\n* Phishing or spear phishing attacks.\n* Rate-limiting issues.\n* Reports originating from automated tools or scanners (e.g., Burp, Acunetix, WebInspect).\n* Self-exploitation.\n* Social engineering attacks.\n* Software version disclosure.\n* SSL / TLS best practices.\n* Vulnerabilities that cannot be reproduced.\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector or being able to modify HTML/CSS.\n\n## SQL Injection Policy\n* Do not alter any data.\n* Do not change or interrupt server or database functionality.\n* Do not destroy any data.\n* Do not read or save sensitive data belonging to guests other than yourself.\n* Blindly counting rows and columns of databases is permissible.
\n* Generating outbound DNS requests is permissible.\n* Listing database names and columns is permissible.\n* Logic responses are permissible.\n\n\n## Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. \n\n\nThank you for helping keep Hyatt Hotels and our users safe!\n\n\n\n\n\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-01-09T13:30:43.331Z"}]