[{"id":3770808,"new_policy":"#Welcome to the Marriott Bug Bounty Program!\n\nMarriott takes cybersecurity seriously. Individuals that participate in the Program by responsibly researching and reporting vulnerabilities help us to ensure the security and privacy of our customers and data.\n\n#Program Terms\n\nThis Policy governs your participation in Marriott’s Bug Bounty Program and supersedes any conflicting HackerOne terms. By submitting a vulnerability report through HackerOne, you agree to this Policy.\n\nResearchers must:\n\n•\tFollow [HackerOne’s Gold Standard Safe Harbor](https://docs.hackerone.com/en/articles/8494525-gold-standard-safe-harbor-statement?utm_source=chatgpt.com) pledge and [Community Code of Conduct](https://www.hackerone.com/policies/code-of-conduct);\n•\tAct within the defined rules published on HackerOne; and\n•\tAct within the defined scope published in the Program.\n\nMarriott supports good-faith security research and will honor Safe Harbor protections when rules are followed.\n\n#Scope\n\nPlease review the Scopes tab to confirm which assets are in-scope and which are out-of-scope for the Marriott Bug Bounty Program. 
Any asset not listed in-scope is ineligible for bounty and will be marked N/A.\n\n#Out-of-Scope Submissions\n\n•\t\"Zero Days\": security flaws for which an official patch has been released in the last 31 business days\n•\tWeb Cache Poisoning, DOM-Based XSS, Reflected XSS, UI redressing via custom .html files and HTML injection\n•\tContent spoofing, iframes, open redirects, CRLF or text injection without persistent modification or that require user interaction\n•\tLeaked tokens, IDs, or cookies without proof of account takeover (ATO)\n•\tNon-persistent DOM-based and Reflected XSS requiring user interaction (aka Phishing)\n•\tIntentional service disruption (e.g., DoS)\n•\tMITM attacks requiring access to the physical network or a physical location like a hotel or office.\n•\tLeaked credentials from data-stealing malware logs, third-party threat intelligence, or purchased credential packs.\n\n#Submission Requirements\n\nTo qualify for a bounty, you first need to meet all the following requirements:\n•\tAgree and adhere to the requirements and conditions outlined in the Program Terms, Scope, Confidentiality and Disclosure, and Legal Sections within this policy;\n•\tStore supporting evidence only within the Submission (i.e., you are prohibited from hosting files on your own device or on external hosting services);\n•\tProvide a detailed summary of the exploit or chain of exploits, including: (i) type of issue; (ii) validation of company that owns the asset (this can be done via WHOIS records by emailing: domain.administrator@marriott.com); (iii) product, version and configuration, where applicable; and (iv) list of impacted assets (e.g., websites, applications, software, etc.);\n•\tProvide proof of the vulnerability (e.g., 
through screenshots, screen captures, etc.);\n•\tSuggest mitigation or remediation actions; and\n•\tProvide your IP address, the dates you identified the potential vulnerability and performed testing, the web browser, testing tools, and mobile app version used during testing.\n\nFailure to adhere to the above minimum guidelines may result in a reduced reward.\n\n#Rewards\n\nRewards are calculated based on the CVSS score assigned to the Submission and are at the sole discretion of Marriott.\nMarriott aims for consistent rewards, but previous reports or reward amounts should not be considered a precedent and should not be used to negotiate a higher reward.\n\nRecipients of rewards are responsible for the payment of all applicable taxes.\n\n#Response Times\n\nMarriott understands the importance of the efforts of Researchers reporting vulnerabilities, as they regularly make valuable contributions to Marriott and the broader community. We take each Submission seriously and will investigate and take appropriate steps to resolve reported vulnerabilities. 
\n\nMarriott will use its best efforts to meet the following timelines related to Submissions and to keep reporters informed throughout the process:\n\n| Marriott Response      | Estimated Response Time                      |\n|------------------------|----------------------------------------------|\n| First Response         | 2 days                                       |\n| Time to Triage         | 5 days                                       |\n| Time to Bounty         | 20 days                                      |\n| Time to Resolution     | Depends on severity and complexity           |\n\n#Confidentiality and Disclosure\n\nResearchers must immediately stop all activity and notify Marriott, through HackerOne, if Researchers:\n\n•\tAccess any personal or confidential data related to Marriott, or its customers, employees, or other affiliated parties, or otherwise the data or accounts of others, except when Researchers have been provided express permission to access such accounts.\n\nUnless expressly provided in writing by Marriott, all Submissions and related information must be kept confidential and may not be shared outside of the Program.\nFor the protection of our customers, Marriott does not publicly disclose, discuss or confirm security matters before comprehensively investigating, diagnosing and fixing any known issues.\nMarriott does not permit any public disclosure about the Program or Submissions. Do not discuss or write about any potential, current or resolved vulnerabilities without express consent from Marriott.\n\n#Legal\n\nMarriott may be prohibited from issuing a reward if the reporter is: (i) a citizen or resident of an embargoed country; or (ii) on the US Treasury Department list of Specially Designated Nationals or the US Department of Commerce Denied Persons or Entity List, or any other restricted party list.\nMarriott reserves the right to update or terminate the Program at any time; changes are effective upon posting. 
Please review the Program page regularly for updates.\nMarriott employees and vendors are encouraged to participate in the Program, but they are not eligible for bounty payments.\n\nThank you for helping protect Marriott’s systems, data and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"VULNERABLE_NETWORK_CONNECTION_IN_CLIENT_APPLICATIONS\",\"justification\":\"attacks at our hotels are OOS\"}","{\"platform_standard\":\"LEAKAGE_SENSITIVE_PII\",\"justification\":\"the determination of what is sensitive is subjective to our internal policy which is born out of complex public policy across many jurisdictions. \"}"],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Name of Companies Similar to but Unrelated to Marriott.\",\"details\":\"Marriott Vacations Worldwide, Ritz Carlton Yacht Club, Yacht Collection Marriott Vacations Clubs, Vistana, Interval International, Marriott Co. Financial, Interval Leisure Group, or Martiz Websites.\"}"],"timestamp":"2026-03-10T14:57:04.417Z"},{"id":3770147,"new_policy":"#Welcome to the Marriott Bug Bounty Program !\n\nMarriott takes cybersecurity seriously. Individuals that participate in the Program by responsibly researching and reporting vulnerabilities help us to ensure the security and privacy of our customers and data.\n\n#Program Terms\n\nThis Policy governs your participation in Marriott’s Bug Bounty Program and supersedes any conflicting HackerOne terms. 
By submitting a vulnerability report through HackerOne, you agree to this Policy.\n\nResearchers must:\n\n•\tFollow [HackerOne’s Gold Standard Safe Harbor](https://docs.hackerone.com/en/articles/8494525-gold-standard-safe-harbor-statement?utm_source=chatgpt.com) pledge and [Community Code of Conduct](https://www.hackerone.com/policies/code-of-conduct);\n•\tAct within the defined rules published on HackerOne; and\n•\tAct within the defined scope published in the Program.\n\nMarriott supports good-faith security research and will honor Safe Harbor protections when rules are followed.\n\n#Scope\n\nPlease review the Scopes tab to confirm which assets are in-scope and which are out-of-scope for the Marriott Bug Bounty Program. Any asset not listed in-scope is ineligible for bounty and will be marked N/A.\n\n#Out-of-Scope Submissions\n\n•\t\"Zero Days\": security flaws for which an official patch has been released in the last 31 business days\n•\tWeb Cache Poisoning, DOM-Based XSS, Reflected XSS, UI redressing via custom .html files and HTML injection\n•\tContent spoofing, iframes, open redirects, CRLF or text injection without persistent modification or that require user interaction\n•\tLeaked tokens, IDs, or cookies without proof of account takeover (ATO)\n•\tNon-persistent DOM-based and Reflected XSS requiring user interaction (aka Phishing)\n•\tIntentional service disruption (e.g., DoS)\n•\tMITM attacks requiring access to the physical network or a physical location like a hotel or office.\n\n#Submission Requirements\n\nTo qualify for a bounty, you first need to meet all the following requirements:\n•\tAgree and adhere to the requirements and conditions outlined in the Program Terms, Scope, Confidentiality and Disclosure, and Legal Sections within this policy;\n•\tStore supporting evidence only within the Submission (i.e., you are prohibited from hosting files on your own device or on external hosting services);\n•\tProvide a detailed summary of the exploit or chain of 
exploits, including: (i) type of issue; (ii) validation of company that owns the asset (this can be done via WHOIS records by emailing: domain.administrator@marriott.com); (iii) product, version and configuration, where applicable; and (iv) list of impacted assets (e.g., websites, applications, software, etc.);\n•\tProvide proof of the vulnerability (e.g., through screenshots, screen captures, etc.);\n•\tSuggest mitigation or remediation actions; and\n•\tProvide your IP address, the dates you identified the potential vulnerability and performed testing, the web browser, testing tools, and mobile app version used during testing.\n\nFailure to adhere to the above minimum guidelines may result in a reduced reward.\n\n#Rewards\n\nRewards are calculated based on the CVSS score assigned to the Submission and are at the sole discretion of Marriott.\nMarriott aims for consistent rewards, but previous reports or reward amounts should not be considered a precedent and should not be used to negotiate a higher reward.\n\nRecipients of rewards are responsible for the payment of all applicable taxes.\n\n#Response Times\n\nMarriott understands the importance of the efforts of Researchers reporting vulnerabilities, as they regularly make valuable contributions to Marriott and the broader community. We take each Submission seriously and will investigate and take appropriate steps to resolve reported vulnerabilities. 
\n\nMarriott will use its best efforts to meet the following timelines related to Submissions and to keep reporters informed throughout the process:\n\n| Marriott Response      | Estimated Response Time                      |\n|------------------------|----------------------------------------------|\n| First Response         | 2 days                                       |\n| Time to Triage         | 5 days                                       |\n| Time to Bounty         | 20 days                                      |\n| Time to Resolution     | Depends on severity and complexity           |\n\n#Confidentiality and Disclosure\n\nResearchers must immediately stop all activity and notify Marriott, through HackerOne, if Researchers:\n\n•\tAccess any personal or confidential data related to Marriott, or its customers, employees, or other affiliated parties, or otherwise the data or accounts of others, except when Researchers have been provided express permission to access such accounts.\n\nUnless expressly provided in writing by Marriott, all Submissions and related information must be kept confidential and may not be shared outside of the Program.\nFor the protection of our customers, Marriott does not publicly disclose, discuss or confirm security matters before comprehensively investigating, diagnosing and fixing any known issues.\nMarriott does not permit any public disclosure about the Program or Submissions. Do not discuss or write about any potential, current or resolved vulnerabilities without express consent from Marriott.\n\n#Legal\n\nMarriott may be prohibited from issuing a reward if the reporter is: (i) a citizen or resident of an embargoed country; or (ii) on the US Treasury Department list of Specially Designated Nationals or the US Department of Commerce Denied Persons or Entity List, or any other restricted party list.\nMarriott reserves the right to update or terminate the Program at any time; changes are effective upon posting. 
Please review the Program page regularly for updates.\nMarriott employees and vendors are encouraged to participate in the Program, but they are not eligible for bounty payments.\n\nThank you for helping protect Marriott’s systems, data and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"VULNERABLE_NETWORK_CONNECTION_IN_CLIENT_APPLICATIONS\",\"justification\":\"attacks at our hotels are OOS\"}","{\"platform_standard\":\"LEAKAGE_SENSITIVE_PII\",\"justification\":\"the determination of what is sensitive is subjective to our internal policy which is born out of complex public policy across many jurisdictions. \"}"],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Name of Companies Similar to but Unrelated to Marriott.\",\"details\":\"Marriott Vacations Worldwide, Ritz Carlton Yacht Club, Yacht Collection Marriott Vacations Clubs, Vistana, Interval International, Marriott Co. Financial, Interval Leisure Group, or Martiz Websites.\"}"],"timestamp":"2026-02-24T16:45:01.851Z"},{"id":3766765,"new_policy":"#Welcome to the Marriott Bug Bounty Program\n Marriott takes cybersecurity seriously. Individuals that participate in the Program by responsibly researching (\"Researchers\") and reporting vulnerabilities help us to ensure the security and privacy of our customers and data.\n \n This Policy, and the  HackerOne Community Member Terms and Conditions and Code of Conduct, apply to your participation in Marriott’s Bug Bounty program (the \"Program\"). To the extent this Policy conflicts with any HackerOne policy, terms, rules or guidelines, this Policy will govern. When you submit a potential vulnerability report through HackerOne (\"Submission\"), you acknowledge that you have read and agreed to this Policy. 
Marriott may revise this Policy or terminate the Program at any time. You should check this site regularly for updates to our Program terms and eligibility, which are effective upon posting. Researchers must be at least 18 years of age to be eligible for a reward under the Program.\n \n This Policy only applies to the entities listed above. It does not apply to: Marriott Vacations Worldwide, Ritz Carlton Yacht Club, Yacht Collection Marriott Vacations Clubs, Vistana, Interval International, Marriott Co. Financial, Interval Leisure Group, or Martiz Websites. These are separate companies and legal entities. Marriott employees and vendors are encouraged to participate in the Program, but they are not eligible for bounty payments.\n \n #Submission Requirements\n The following outlines the key requirements for Submissions. All supporting evidence should only be stored within the Submission; you are prohibited from hosting files on your own device or on external hosting services. Failure to adhere to the minimum guidelines for Submissions may result in a reduced reward. Please provide as part of the Submission:\n \n 1.\tA detailed summary of the exploit or chain of exploits, including: (i) type of issue; (ii) validation of company that owns the asset (this can be done via WHOIS records by emailing: domain.administrator@marriott.com); (iii) product, version and configuration, where applicable; and (iv) list of impacted assets (i.e. websites, applications, software, etc). \n 2.\tProof of the vulnerability (i.e. 
through screenshots, screen captures, etc).\n 3.\tSuggested mitigation or remediation actions.\n 4.\tYour IP address, the dates you identified the potential vulnerability and performed testing, the web browser, testing tools, and mobile app version used during testing.\n \n #Program Terms\n Researchers will not be deemed to be in breach of applicable Marriott provisions or terms which may prohibit copying, reverse engineering, modifying, and other prohibitions related to Marriott data, assets, services or other property if Researchers comply fully with this Policy and all actions are performed as good-faith security research. Specifically, Researchers must adhere to the following Program terms:\n \n •\tResearchers may not deliberately disrupt, compromise or otherwise damage assets, accounts, devices, services or other property owned, controlled or provided by Marriott, its partners, customers, employees, franchisees, vendors or other party directly or indirectly affiliated with Marriott. 
This includes a prohibition on: (i) downloading, copying, disclosing, destroying, altering, or using any proprietary, confidential or other data belonging to Marriott or others; and (ii) hacking, penetrating, uploading viruses or backdoors or attempting to gain access to Marriott applications, systems or data in violation of this Policy.\n •\tResearchers may not engage in or submit tickets requiring social engineering, phishing, or network-based denial-of-service attacks.\n •\tResearchers may not brute-force or guess credentials to gain access; change passwords of any account that is not the Researcher's account or that the Researcher does not have explicit permission to change; or mass-create accounts to perform testing.\n •\tResearchers must comply with all applicable laws.\n •\tResearchers must immediately stop all activity and notify Marriott, through HackerOne, if Researchers:\n o\tAccess any personal or confidential data related to Marriott, or its customers, employees, or other affiliated parties, or otherwise the data or accounts of others, except when Researchers have been provided express permission to access such accounts; Researchers should not use or disclose the data without the express permission of Marriott; or\n o\tInadvertently disrupt or compromise any Marriott service or the service of a Marriott affiliate.\n \n #Out-of-Scope\n \n •\tPlease report PRIVACY concerns to privacy@marriott.com. This program is not for marketing, branding, hotel operations and other similar issues. This is a program designed to target applications and machines, not proprietary documents. These findings will be closed as not applicable and you will be redirected to privacy@marriott.com.\n •\tWeb Cache Poisoning, DOM-Based XSS, Reflected XSS, UI redressing via custom .html files, HTML injection, Phishing, Vishing, Whaling, etc.\n •\tNon-persistent DOM-based and Reflected XSS that only works with user interaction (e.g., 
clicking a link from a phishing email)\n •\tReports from credentials exposed by other data breaches or known credential lists\n •\tAssets located at any of our 30+ brands' properties, brand websites (fairfieldinandsuites.marriott.com/*), or third-party vendor/partner physical locations/data centers.\n •\tLack of best practices in configuration of protocols or COTS products (SaaS, etc.).\n •\tClickjacking, brute forcing, spamming, and DDoS without showing security or financial impact to confidential or private data\n •\tAny activity that is intentionally meant to disrupt our service (DoS)\n •\tCRLF that requires user interaction (e.g., clicking on a link from a phishing email)\n •\tAttacks requiring MITM or physical access to a user's device\n •\tOpen redirect issues without linking to controlled username/password/key theft.\n •\tContent spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n •\tInsecure Direct Object Reference (IDOR) with unpredictable IDs is not accepted.\n •\tSubmitted reports with leaked findings from forums and third-party sources that are not the affected asset.\n •\tVulnerabilities on \"house name\" vendor products that Marriott International is a customer of will not be accepted. The reports for the affected asset should be sent to the company that manages the infrastructure, not to the assumed customer.\n •\tReports of leaked tokens, IDs, or cookies without valid proof that these alone (without username/password) provide account takeover (ATO) will not be accepted.\n \n #Rewards\n Rewards are calculated based on the CVSS score assigned to the Submission and are at the sole discretion of Marriott. Marriott aims for consistent rewards, but previous reports or reward amounts should not be considered a precedent and should not be used to negotiate a higher reward. Recipients of rewards are responsible for the payment of all applicable taxes. 
Marriott may be prohibited from issuing a reward if the reporter is: (i) a citizen or resident of an embargoed country; or (ii) on the US Treasury Department list of Specially Designated Nationals or the US Department of Commerce Denied Persons or Entity List, or any other restricted party list.\n \n #Response Times\n Marriott understands the importance of the efforts of Researchers reporting vulnerabilities, as they regularly make valuable contributions to Marriott and the broader community. We take each Submission seriously and will investigate and take appropriate steps to resolve reported vulnerabilities. Marriott will use its best efforts to meet the following timelines related to Submissions and to keep reporters informed throughout the process:\n \n | Marriott Response | Estimated Response Time |\n |-------------------|-------------------------|\n | First Response | 2 days |\n | Time to Triage | 5 days |\n | Time to Bounty | 20 days |\n | Time to Resolution | Depends on severity and complexity |\n \n #Confidentiality and Disclosure\n \n Unless expressly provided in writing by Marriott, all Submissions and related information must be kept confidential and may not be shared outside of the Program. For the protection of our customers, Marriott does not publicly disclose, discuss or confirm security matters before comprehensively investigating, diagnosing and fixing any known issues. Marriott does not permit any public disclosure about the Program or Submissions. Do not discuss or write about any potential, current or resolved vulnerabilities without express consent from Marriott. 
\n \n Thank you for helping protect Marriott’s systems, data and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Name of Companies Similar to but Unrelated to Marriott.\",\"details\":\"Marriott Vacations Worldwide, Ritz Carlton Yacht Club, Yacht Collection Marriott Vacations Clubs, Vistana, Interval International, Marriott Co. Financial, Interval Leisure Group, or Martiz Websites.\"}"],"timestamp":"2025-12-01T15:50:09.029Z"},{"id":3766354,"new_policy":"#Welcome to the Marriott Bug Bounty Program\n Marriott takes cybersecurity seriously. Individuals that participate in the Program by responsibly researching (\"Researchers\") and reporting vulnerabilities help us to ensure the security and privacy of our customers and data.\n \n This Policy, and the  HackerOne Community Member Terms and Conditions and Code of Conduct, apply to your participation in Marriott’s Bug Bounty program (the \"Program\"). To the extent this Policy conflicts with any HackerOne policy, terms, rules or guidelines, this Policy will govern. When you submit a potential vulnerability report through HackerOne (\"Submission\"), you acknowledge that you have read and agreed to this Policy. Marriott may revise this Policy or terminate the Program at any time. You should check this site regularly for updates to our Program terms and eligibility, which are effective upon posting. Researchers must be at least 18 years of age to be eligible for a reward under the Program.\n \n This Policy only applies to the entities listed above. It does not apply to: Marriott Vacations Worldwide, Ritz Carlton Yacht Club, Yacht Collection Marriott Vacations Clubs, Vistana, Interval International, Marriott Co. Financial, Interval Leisure Group, or Martiz Websites. 
These are separate companies and legal entities. Marriott employees and vendors are encouraged to participate in the Program, but they are not eligible for bounty payments.\n \n #Submission Requirements\n The following outlines the key requirements for Submissions. All supporting evidence should only be stored within the Submission; you are prohibited from hosting files on your own device or on external hosting services. Failure to adhere to the minimum guidelines for Submissions may result in a reduced reward. Please provide as part of the Submission:\n \n 1.\tA detailed summary of the exploit or chain of exploits, including: (i) type of issue; (ii) validation of company that owns the asset (this can be done via WHOIS records by emailing: domain.administrator@marriott.com); (iii) product, version and configuration, where applicable; and (iv) list of impacted assets (i.e. websites, applications, software, etc). \n 2.\tProof of the vulnerability (i.e. through screenshots, screen captures, etc).\n 3.\tSuggested mitigation or remediation actions.\n 4.\tYour IP address, the dates you identified the potential vulnerability and performed testing, the web browser, testing tools, and mobile app version used during testing.\n \n #Program Terms\n Researchers will not be deemed to be in breach of applicable Marriott provisions or terms which may prohibit copying, reverse engineering, modifying, and other prohibitions related to Marriott data, assets, services or other property if Researchers comply fully with this Policy and all actions are performed as good-faith security research. Specifically, Researchers must adhere to the following Program terms:\n \n •\tResearchers may not deliberately disrupt, compromise or otherwise damage assets, accounts, devices, services or other property owned, controlled or provided by Marriott, its partners, customers, employees, franchisees, vendors or other party directly or indirectly affiliated with Marriott. 
This includes a prohibition on: (i) downloading, copying, disclosing, destroying, altering, or using any proprietary, confidential or other data belonging to Marriott or others; and (ii) hacking, penetrating, uploading viruses or backdoors or attempting to gain access to Marriott applications, systems or data in violation of this Policy.\n •\tResearchers may not engage in or submit tickets requiring social engineering, phishing, or network-based denial-of-service attacks.\n •\tResearchers may not brute-force or guess credentials to gain access; change passwords of any account that is not the Researcher's account or that the Researcher does not have explicit permission to change; or mass-create accounts to perform testing.\n •\tResearchers must comply with all applicable laws.\n •\tResearchers must immediately stop all activity and notify Marriott, through HackerOne, if Researchers:\n o\tAccess any personal or confidential data related to Marriott, or its customers, employees, or other affiliated parties, or otherwise the data or accounts of others, except when Researchers have been provided express permission to access such accounts; Researchers should not use or disclose the data without the express permission of Marriott; or\n o\tInadvertently disrupt or compromise any Marriott service or the service of a Marriott affiliate.\n \n #Out-of-Scope Activities\n \n •\tPlease report PRIVACY concerns to privacy@marriott.com. This program is not for marketing, branding, hotel operations and other similar issues. This is a program designed to target applications and machines, not proprietary documents. These findings will be closed as not applicable and you will be redirected to privacy@marriott.com.\n •\tWeb Cache Poisoning, DOM-Based XSS, Reflected XSS, UI redressing via custom .html files, HTML injection, Phishing, Vishing, Whaling, etc.\n •\tNon-persistent DOM-based and Reflected XSS that only works with user interaction (e.g., 
clicking a link from a phishing email)\n •\tReports from credentials exposed by other data breaches or known credential lists\n •\tAssets located at any of our 30+ brands' properties, brand websites (fairfieldinandsuites.marriott.com/*), or third-party vendor/partner physical locations/data centers.\n •\tLack of best practices in configuration of protocols or COTS products (SaaS, etc.).\n •\tClickjacking on pages without confidential activities\n •\tAny activity that is intentionally meant to disrupt our service (DoS)\n •\tCRLF that requires user interaction (e.g., clicking on a link from a phishing email)\n •\tAttacks requiring MITM or physical access to a user's device\n •\tOpen redirect issues without linking to controlled username/password/key theft.\n •\tContent spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n •\tInsecure Direct Object Reference (IDOR) with unpredictable IDs is not accepted.\n •\tSubmitted reports with leaked findings from forums and third-party sources that are not the affected asset.\n •\tVulnerabilities on \"house name\" vendor products that Marriott International is a customer of will not be accepted. The reports for the affected asset should be sent to the company that manages the infrastructure, not to the assumed customer.\n •\tReports of leaked tokens, IDs, or cookies without valid proof that these alone (without username/password) provide account takeover (ATO) will not be accepted.\n \n #Rewards\n Rewards are calculated based on the CVSS score assigned to the Submission and are at the sole discretion of Marriott. Marriott aims for consistent rewards, but previous reports or reward amounts should not be considered a precedent and should not be used to negotiate a higher reward. Recipients of rewards are responsible for the payment of all applicable taxes. 
Marriott may be prohibited from issuing a reward if the reporter is: (i) a citizen or resident of an embargoed country; or (ii) on the US Treasury Department list of Specially Designated Nationals or the US Department of Commerce Denied Persons or Entity List, or any other restricted party list.\n \n #Response Times\n Marriott understands the importance of the efforts of Researchers reporting vulnerabilities, as they regularly make valuable contributions to Marriott and the broader community. We take each Submission seriously and will investigate and take appropriate steps to resolve reported vulnerabilities. Marriott will use its best efforts to meet the following timelines related to Submissions and to keep reporters informed throughout the process:\n \n | Marriott Response | Estimated Response Time |\n |-------------------|-------------------------|\n | First Response | 2 days |\n | Time to Triage | 5 days |\n | Time to Bounty | 20 days |\n | Time to Resolution | Depends on severity and complexity |\n \n #Confidentiality and Disclosure\n \n Unless expressly provided in writing by Marriott, all Submissions and related information must be kept confidential and may not be shared outside of the Program. For the protection of our customers, Marriott does not publicly disclose, discuss or confirm security matters before comprehensively investigating, diagnosing and fixing any known issues. Marriott does not permit any public disclosure about the Program or Submissions. Do not discuss or write about any potential, current or resolved vulnerabilities without express consent from Marriott. 
\n \n Thank you for helping protect Marriott’s systems, data and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Name of Companies Similar to but Unrelated to Marriott.\",\"details\":\"Marriott Vacations Worldwide, Ritz Carlton Yacht Club, Yacht Collection Marriott Vacations Clubs, Vistana, Interval International, Marriott Co. Financial, Interval Leisure Group, or Martiz Websites.\"}"],"timestamp":"2025-11-19T16:59:57.435Z"},{"id":3766353,"new_policy":"#Welcome to the Marriott Bug Bounty Program\n Marriott takes cybersecurity seriously. Individuals that participate in the Program by responsibly researching (\"Researchers\") and reporting vulnerabilities help us to ensure the security and privacy of our customers and data.\n \n This Policy, and the  HackerOne Community Member Terms and Conditions and Code of Conduct, apply to your participation in Marriott’s Bug Bounty program (the \"Program\"). To the extent this Policy conflicts with any HackerOne policy, terms, rules or guidelines, this Policy will govern. When you submit a potential vulnerability report through HackerOne (\"Submission\"), you acknowledge that you have read and agreed to this Policy. Marriott may revise this Policy or terminate the Program at any time. You should check this site regularly for updates to our Program terms and eligibility, which are effective upon posting. Researchers must be at least 18 years of age to be eligible for a reward under the Program.\n \n This Policy only applies to the entities listed above. It does not apply to: Marriott Vacations Worldwide, Ritz Carlton Yacht Club, Yacht Collection Marriott Vacations Clubs, Vistana, Interval International, Marriott Co. Financial, Interval Leisure Group, or Martiz Websites. 
These are separate companies and legal entities. Marriott employees and vendors are encouraged to participate in the Program, but they are not eligible for bounty payments.\n \n #Submission Requirements\n The following outlines the key requirements for Submissions. All supporting evidence should only be stored within the Submission; you are prohibited from hosting files on your own device or on external hosting services. Failure to adhere to the minimum guidelines for Submissions may result in a reduced reward. Please provide as part of the Submission:\n \n 1.\tA detailed summary of the exploit or chain of exploits, including: (i) type of issue; (ii) validation of company that owns the asset (this can be done via WHOIS records by emailing: domain.administrator@marriott.com); (iii) product, version and configuration, where applicable; and (iv) list of impacted assets (i.e. websites, applications, software, etc). \n 2.\tProof of the vulnerability (i.e. through screenshots, screen captures, etc).\n 3.\tSuggested mitigation or remediation actions.\n 4.\tYour IP address, the dates you identified the potential vulnerability and performed testing, the web browser, testing tools, and mobile app version used during testing.\n \n #Program Terms\n Researchers will not be deemed to be in breach of applicable Marriott provisions or terms which may prohibit copying, reverse engineering, modifying, and other prohibitions related to Marriott data, assets, services or other property if Researchers comply fully with this Policy and all actions are performed as good-faith security research. Specifically, Researchers must adhere to the following Program terms:\n \n •\tResearchers may not deliberately disrupt, compromise or otherwise damage assets, accounts, devices, services or other property owned, controlled or provided by Marriott, its partners, customers, employees, franchisees, vendors or other party directly or indirectly affiliated with Marriott. 
This includes a prohibition on: (i) downloading, copying, disclosing, destroying, altering, or using any proprietary, confidential or other data belonging to Marriott or others; and (ii) hacking, penetrating, uploading viruses or backdoors or attempting to gain access to Marriott applications, systems or data in violation of this Policy.\n •\tResearchers may not engage in or submit tickets requiring social engineering, phishing,  or network-based denial of service attacks .\n •\tResearchers may not use brute force credentials or guessing credentials to gain access; change passwords of any account that is not Researcher's account or that Researcher does not have explicit permission to change; or mass create accounts to perform testing.\n •\tResearchers must comply with all applicable laws.\n •\tResearchers must immediately stop all activity and notify Marriott, through HackerOne,  if Researchers:\n o\tAccess any personal or confidential data related to Marriott, or its customers, employees, or other affiliated parties, or otherwise the data or accounts of others, except when Researchers have been provided express permission to access such accounts; Researchers should not use or disclose the data without the express permission of Marriott; or\n o\tInadvertently disrupt or compromise any Marriott service or the service of a Marriott affiliate.\n \n # Out-of-Scope Activities\n \n-The following may be considered out of scope and may be marked informative and/or not eligible for payment:\n- ***POSTMAN Basic and Professional related API credential leaks will not be rewarded but will be accepted as we work to resolve the known issue internally***** February 29, 2024\n-\n o\t\"Zero Days\" Security flaws that have an official patch for less than 30 days from the date of patch availability will not be eligible for bounty payments.\n+• Please report PRIVACY  concerns to privacy@marriott.com. 
This program is not for marketing, branding, hotel operations and other similar issues. This is a program designed to target applications and machines not proprietary documents. These findings will be closed as not applicable., you will be redirected to privacy@marriott.com.\n •\tWeb Cache Poisoning, DOM-Based XSS, Reflected XSS, UI redressing via custom .html files, HTML injection, Phishing, Vishing, Whaling, etc.\n •\tNon-persistent DOM-based and Reflected XSS that only works with user interaction (i.e. clicking link from a phishing email)\n •\tReports from credentials exposed by other data breaches or known credential lists\n-•\tReports from automated tools or scans\n-•\tAssets located at any Marriott properties or third-party vendors for properties\n+•\tAssets located at any  of our 30+ brand's properties , brand websites(fairfieldinandsuites.marriott.com/*) or third-party vendors /partner physical locations/data centers. \n •\tLack of best practices in configuration of protocols or COTS products (Saas, etc).\n •\tClickjacking on pages without confidential activities \n •\tAny activity that is intentionally meant to  disrupt our service (DoS)\n •\tCRLF that requires user interaction (i.e. clicking on a link from a phishing email)\n •\tAttacks requiring MITM or physical access to a user's device\n •\tOpen Re-direct Issues without linking to controlled username/password/key theft .\n •\tContent spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n •  Insecure Direct Object Reference (IDOR) with Unpredictable IDs are not accepted. \n • Submitted reports with leaked findings from forums and third party sources that are not the afflicted asset. \n • Vulnerabilities on \"house name\" vendor products that Marriott International is a customer of will not be accepted. The reports for the affected asset should be sent to the company that manages the infrastructure, not to the assumed customer. 
\n • Reports received for leaked tokens, IDs, cookies without valid proof that these alone (without username/password) provide Account takeover will not be accepted (ATO)\n \n #Rewards\n Rewards are calculated based on the CVSS score assigned to the Submission and are at the sole discretion of Marriott. Marriott aims for consistent rewards, but previous reports or reward amounts should not be considered a precedent and should not be used to negotiate a higher reward. Recipients of rewards are responsible for the payment of all applicable taxes. Marriott may be prohibited from issuing a reward if the reporter is: (i) a citizen or resident of an embargoed country; or (ii) on the US Treasury Department list of Specially Designated Nationals or the US Department of Commerce Denied Persons or Entity List, or any other restricted party list.\n \n #Response Times\n Marriott understands the importance of the efforts of Researchers reporting vulnerabilities, as they regularly make valuable contributions to Marriott and the broader community. We take each Submission seriously and will investigate and take appropriate steps to resolve reported vulnerabilities. Marriott will use its best efforts to meet the following timelines related to Submissions and to keep reporters informed throughout the process:\n \n \n | Marriott Response | Estimated Response Time| \n |----------|--------------------|\n |  First Response | 2 days | \n | Time to Triage   | 5 days |\n | Time to  Bounty   | 20 days |\n |  Time to Resolution   | Depends on severity and complexity |\n \n #Confidentiality and Disclosure\n \n Unless expressly provided in writing by Marriott, all Submissions and related information must be kept confidential and may not be shared outside of the Program. For the protection of our customers, Marriott does not publicly disclose, discuss or confirm security matters before comprehensively investigating, diagnosing and fixing any known issues. 
Marriott does not permit any public disclosure about the Program or Submissions. Do not discuss or write about any potential, current or resolved vulnerabilities without express consent from Marriott. \n \n Thank you for helping protect Marriott’s systems, data and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Name of Companies Similar to but Unrelated to Marriott.\",\"details\":\"Marriott Vacations Worldwide, Ritz Carlton Yacht Club, Yacht Collection Marriott Vacations Clubs, Vistana, Interval International, Marriott Co. Financial, Interval Leisure Group, or Martiz Websites.\"}"],"timestamp":"2025-11-19T16:56:43.675Z"},{"id":3765687,"new_policy":"#Welcome to the Marriott Bug Bounty Program\n\nThis Policy, and the  HackerOne Community Member Terms and Conditions and Code of Conduct, apply to your participation in Marriott’s Bug Bounty program. To the extent this Policy conflicts with any HackerOne policy, terms, rules or guidelines, this Policy will govern. When you submit a potential vulnerability report through HackerOne (\"Submission\"), you acknowledge that you have read and agreed to this Policy. \n\n❌#Out-of-Scope (OOS) Submissions\n#Not eligible for bounty payments:\n\n\t1. Assets at brand properties, brand websites (e.g., fairfieldinnandsuites.marriott.com/*), or third-party vendor locations.\n\t2. \"Zero Days\" Security flaws that have an official patch for less than 30 days from the date of patch availability will not be  \n          eligible for bounty payments.\n\t3. Web Cache Poisoning, DOM-Based XSS, Reflected XSS, UI redressing via custom .html files and HTML injection\n\t4. Reports based on leaked findings from forums or third-party sources unrelated to Marriott assets.\n\t5. 
Content spoofing or text injection without HTML/CSS modification or attack vector.\n\t6. Leaked tokens, IDs, or cookies without proof of standalone account takeover (ATO).\n\t7. Non-persistent DOM-based and Reflected XSS requiring user interaction (aka Phishing).\n\t8. Reports based on credentials from third-party breaches or known credential lists.\n\t9. Lack of best practices in protocol or COTS product configurations (e.g., SaaS).\n\t10. Privacy-related reports: Submit to privacy@marriott.com.\n\t11. Clickjacking on pages without sensitive user actions.\n\t12. Vulnerabilities in assets owned by a vendor.\n\t13. Intentional service disruption (e.g., DoS).\n\t14. CRLF injection requiring user interaction (e.g., phishing link).\n\t15. Attacks requiring MITM or physical device access.\n    16. Open Redirects without credential/key theft.\n    17. Leaked Credentials from OSINT scraping, password dumps, and third-party \n            breaches will be accepted for awareness but are NOT eligible for \n            bounties. \n\n#In-Scope Submissions\nPlease review our detailed scope list\n\n#Rewards\nRewards are calculated by inserting the CVSS score of your report into our internal calculator.  Marriott aims for consistent rewards, but previous reports or reward amounts should not be considered a precedent and should not be used to negotiate a higher reward. \n\n#Response Times\nMarriott understands the importance of the efforts of Researchers reporting vulnerabilities, as they regularly make valuable contributions to Marriott and the broader community. We take each Submission seriously and will investigate and take appropriate steps to resolve reported vulnerabilities. 
Marriott will use its best efforts to meet the following timelines related to Submissions and to keep reporters informed throughout the process:\n\n\n| Marriott Response | Estimated Response Time| \n|----------|--------------------|\n|  First Response | 2 days | \n| Time to Triage   | 5 days |\n| Time to  Bounty   | 20 days |\n|  Time to Resolution   | Depends on severity and complexity |\n\n\n\n#Submission Requirements\nThe following outlines the key requirements for Submissions. All supporting evidence should only be stored within the Submission; you are prohibited from hosting files on your own device or on external hosting services. Failure to adhere to the minimum guidelines for Submissions may result in a reduced reward. Please provide as part of the Submission:\n\n1.\tA detailed summary of the exploit or chain of exploits, including: (i) type of issue; (ii) validation of company that owns the asset (this can be done via WHOIS records by emailing: domain.administrator@marriott.com); (iii) product, version and configuration, where applicable; and (iv) list of impacted assets (i.e. websites, applications, software, etc). \n2.\tProof of the vulnerability (i.e. through screenshots, screen captures, etc).\n3.\tSuggested mitigation or remediation actions.\n4.\tYour IP address, the dates you identified the potential vulnerability and performed testing, the web browser, testing tools, and mobile app version used during testing.\n\n#Program Terms\nResearchers will not be deemed to be in breach of applicable Marriott provisions or terms which may prohibit copying, reverse engineering, modifying, and other prohibitions related to Marriott data, assets, services or other property if Researchers comply fully with this Policy and all actions are performed as good-faith security research. 
Specifically, Researchers must adhere to the following Program terms:\n\n•\tResearchers may not deliberately disrupt, compromise or otherwise damage assets, accounts, devices, services or other property owned, controlled or provided by Marriott, its partners, customers, employees, franchisees, vendors or other party directly or indirectly affiliated with Marriott. This includes a prohibition on: (i) downloading, copying, disclosing, destroying, altering, or using any proprietary, confidential or other data belonging to Marriott or others; and (ii) hacking, penetrating, uploading viruses or backdoors or attempting to gain access to Marriott applications, systems or data in violation of this Policy.\n•\tResearchers may not engage in or submit tickets requiring social engineering, phishing,  or network-based denial of service attacks .\n•\tResearchers may not use brute force credentials or guessing credentials to gain access; change passwords of any account that is not Researcher's account or that Researcher does not have explicit permission to change; or mass create accounts to perform testing.\n•\tResearchers must comply with all applicable laws.\n•\tResearchers must immediately stop all activity and notify Marriott, through HackerOne,  if Researchers:\no\tAccess any personal or confidential data related to Marriott, or its customers, employees, or other affiliated parties, or otherwise the data or accounts of others, except when Researchers have been provided express permission to access such accounts; Researchers should not use or disclose the data without the express permission of Marriott; or\no\tInadvertently disrupt or compromise any Marriott service or the service of a Marriott affiliate.\n\n#Confidentiality and Disclosure\n\nUnless expressly provided in writing by Marriott, all Submissions and related information must be kept confidential and may not be shared outside of the Program. 
For the protection of our customers, Marriott does not publicly disclose, discuss or confirm security matters before comprehensively investigating, diagnosing and fixing any known issues. Marriott does not permit any public disclosure about the Program or Submissions. Do not discuss or write about any potential, current or resolved vulnerabilities without express consent from Marriott. \n\nThank you for helping protect Marriott’s systems, data and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Name of Companies Similar to but Unrelated to Marriott.\",\"details\":\"Marriott Vacations Worldwide, Ritz Carlton Yacht Club, Yacht Collection Marriott Vacations Clubs, Vistana, Interval International, Marriott Co. Financial, Interval Leisure Group, or Martiz Websites.\"}"],"timestamp":"2025-11-06T20:36:21.066Z"},{"id":3765686,"new_policy":"#Welcome to the Marriott Bug Bounty Program\n\nThis Policy, and the  HackerOne Community Member Terms and Conditions and Code of Conduct, apply to your participation in Marriott’s Bug Bounty program. To the extent this Policy conflicts with any HackerOne policy, terms, rules or guidelines, this Policy will govern. When you submit a potential vulnerability report through HackerOne (\"Submission\"), you acknowledge that you have read and agreed to this Policy. \n\n❌#Out-of-Scope (OOS) Submissions\n#Not eligible for bounty payments:\n\n\t1. Assets at brand properties, brand websites (e.g., fairfieldinnandsuites.marriott.com/*), or third-party vendor locations.\n\t2. \"Zero Days\" Security flaws that have an official patch for less than 30 days from the date of patch availability will not be  \n          eligible for bounty payments.\n\t3. 
Web Cache Poisoning, DOM-Based XSS, Reflected XSS, UI redressing via custom .html files and HTML injection\n\t4. Reports based on leaked findings from forums or third-party sources unrelated to Marriott assets.\n\t5. Content spoofing or text injection without HTML/CSS modification or attack vector.\n\t6. Leaked tokens, IDs, or cookies without proof of standalone account takeover (ATO).\n\t7. Non-persistent DOM-based and Reflected XSS requiring user interaction (aka Phishing).\n\t8. Reports based on credentials from third-party breaches or known credential lists.\n\t9. Lack of best practices in protocol or COTS product configurations (e.g., SaaS).\n\t10. Privacy-related reports: Submit to privacy@marriott.com.\n\t11. Clickjacking on pages without sensitive user actions.\n\t12. Vulnerabilities in assets owned by a vendor.\n\t13. Intentional service disruption (e.g., DoS).\n\t14. CRLF injection requiring user interaction (e.g., phishing link).\n\t15. Attacks requiring MITM or physical device access.\n    16. Open Redirects without credential/key theft.\n    17. Leaked Credentials from OSINT scraping, password dumps, and third-party \n            party breaches will be accepted for awareness but are NOT eligible for \n            bounties. \n\n#In-Scope Submissions\nPlease review our detailed scope list\n\n#Rewards\nRewards are calculated by inserting the CVSS score of your report into our internal calculator.  Marriott aims for consistent rewards, but previous reports or reward amounts should not be considered a precedent and should not be used to negotiate a higher reward. \n\n#Response Times\nMarriott understands the importance of the efforts of Researchers reporting vulnerabilities, as they regularly make valuable contributions to Marriott and the broader community. We take each Submission seriously and will investigate and take appropriate steps to resolve reported vulnerabilities. 
Marriott will use its best efforts to meet the following timelines related to Submissions and to keep reporters informed throughout the process:\n\n\n| Marriott Response | Estimated Response Time| \n|----------|--------------------|\n|  First Response | 2 days | \n| Time to Triage   | 5 days |\n| Time to  Bounty   | 20 days |\n|  Time to Resolution   | Depends on severity and complexity |\n\n\n\n#Submission Requirements\nThe following outlines the key requirements for Submissions. All supporting evidence should only be stored within the Submission; you are prohibited from hosting files on your own device or on external hosting services. Failure to adhere to the minimum guidelines for Submissions may result in a reduced reward. Please provide as part of the Submission:\n\n1.\tA detailed summary of the exploit or chain of exploits, including: (i) type of issue; (ii) validation of company that owns the asset (this can be done via WHOIS records by emailing: domain.administrator@marriott.com); (iii) product, version and configuration, where applicable; and (iv) list of impacted assets (i.e. websites, applications, software, etc). \n2.\tProof of the vulnerability (i.e. through screenshots, screen captures, etc).\n3.\tSuggested mitigation or remediation actions.\n4.\tYour IP address, the dates you identified the potential vulnerability and performed testing, the web browser, testing tools, and mobile app version used during testing.\n\n#Program Terms\nResearchers will not be deemed to be in breach of applicable Marriott provisions or terms which may prohibit copying, reverse engineering, modifying, and other prohibitions related to Marriott data, assets, services or other property if Researchers comply fully with this Policy and all actions are performed as good-faith security research. 
Specifically, Researchers must adhere to the following Program terms:\n\n•\tResearchers may not deliberately disrupt, compromise or otherwise damage assets, accounts, devices, services or other property owned, controlled or provided by Marriott, its partners, customers, employees, franchisees, vendors or other party directly or indirectly affiliated with Marriott. This includes a prohibition on: (i) downloading, copying, disclosing, destroying, altering, or using any proprietary, confidential or other data belonging to Marriott or others; and (ii) hacking, penetrating, uploading viruses or backdoors or attempting to gain access to Marriott applications, systems or data in violation of this Policy.\n•\tResearchers may not engage in or submit tickets requiring social engineering, phishing,  or network-based denial of service attacks .\n•\tResearchers may not use brute force credentials or guessing credentials to gain access; change passwords of any account that is not Researcher's account or that Researcher does not have explicit permission to change; or mass create accounts to perform testing.\n•\tResearchers must comply with all applicable laws.\n•\tResearchers must immediately stop all activity and notify Marriott, through HackerOne,  if Researchers:\no\tAccess any personal or confidential data related to Marriott, or its customers, employees, or other affiliated parties, or otherwise the data or accounts of others, except when Researchers have been provided express permission to access such accounts; Researchers should not use or disclose the data without the express permission of Marriott; or\no\tInadvertently disrupt or compromise any Marriott service or the service of a Marriott affiliate.\n\n#Confidentiality and Disclosure\n\nUnless expressly provided in writing by Marriott, all Submissions and related information must be kept confidential and may not be shared outside of the Program. 
For the protection of our customers, Marriott does not publicly disclose, discuss or confirm security matters before comprehensively investigating, diagnosing and fixing any known issues. Marriott does not permit any public disclosure about the Program or Submissions. Do not discuss or write about any potential, current or resolved vulnerabilities without express consent from Marriott. \n\nThank you for helping protect Marriott’s systems, data and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Name of Companies Similar to but Unrelated to Marriott.\",\"details\":\"Marriott Vacations Worldwide, Ritz Carlton Yacht Club, Yacht Collection Marriott Vacations Clubs, Vistana, Interval International, Marriott Co. Financial, Interval Leisure Group, or Martiz Websites.\"}"],"timestamp":"2025-11-06T20:35:05.091Z"},{"id":3765685,"new_policy":"#Welcome to the Marriott Bug Bounty Program\n\nThis Policy, and the  HackerOne Community Member Terms and Conditions and Code of Conduct, apply to your participation in Marriott’s Bug Bounty program. To the extent this Policy conflicts with any HackerOne policy, terms, rules or guidelines, this Policy will govern. When you submit a potential vulnerability report through HackerOne (\"Submission\"), you acknowledge that you have read and agreed to this Policy. \n\n❌#Out-of-Scope (OOS) Submissions\n#Not eligible for bounty payments:\n\n\t1. Assets at brand properties, brand websites (e.g., fairfieldinnandsuites.marriott.com/*), or third-party vendor locations.\n\t2. \"Zero Days\" Security flaws that have an official patch for less than 30 days from the date of patch availability will not be  \n          eligible for bounty payments.\n\t3. 
Web Cache Poisoning, DOM-Based XSS, Reflected XSS, UI redressing via custom .html files and HTML injection\n\t4. Reports based on leaked findings from forums or third-party sources unrelated to Marriott assets.\n\t5. Content spoofing or text injection without HTML/CSS modification or attack vector.\n\t6. Leaked tokens, IDs, or cookies without proof of standalone account takeover (ATO).\n\t7. Non-persistent DOM-based and Reflected XSS requiring user interaction (aka Phishing).\n\t8. Reports based on credentials from third-party breaches or known credential lists.\n\t9. Lack of best practices in protocol or COTS product configurations (e.g., SaaS).\n\t10. Privacy-related reports: Submit to privacy@marriott.com.\n\t11. Clickjacking on pages without sensitive user actions.\n\t12. Vulnerabilities in assets owned by a vendor.\n\t13. Intentional service disruption (e.g., DoS).\n\t14. CRLF injection requiring user interaction (e.g., phishing link).\n\t15. Attacks requiring MITM or physical device access.\n    16. Open Redirects without credential/key theft.\n    17. Leaked Credentials from OSINT scraping, password dumps, and third-party \n            party breaches will be accepted for awareness but are NOT eligible for \n            bounties. \n\n#In-Scope Submissions\nPlease review our detailed scope list\n\n#Rewards\nRewards are calculated by inserting the CVSS score of your report into our internal calculator.  Marriott aims for consistent rewards, but previous reports or reward amounts should not be considered a precedent and should not be used to negotiate a higher reward. \n\n#Response Times\nMarriott understands the importance of the efforts of Researchers reporting vulnerabilities, as they regularly make valuable contributions to Marriott and the broader community. We take each Submission seriously and will investigate and take appropriate steps to resolve reported vulnerabilities. 
Marriott will use its best efforts to meet the following timelines related to Submissions and to keep reporters informed throughout the process:\n\n\n| Marriott Response | Estimated Response Time| \n|----------|--------------------|\n|  First Response | 2 days | \n| Time to Triage   | 5 days |\n| Time to  Bounty   | 20 days |\n|  Time to Resolution   | Depends on severity and complexity |\n\n\n\n#Submission Requirements\nThe following outlines the key requirements for Submissions. All supporting evidence should only be stored within the Submission; you are prohibited from hosting files on your own device or on external hosting services. Failure to adhere to the minimum guidelines for Submissions may result in a reduced reward. Please provide as part of the Submission:\n\n1.\tA detailed summary of the exploit or chain of exploits, including: (i) type of issue; (ii) validation of company that owns the asset (this can be done via WHOIS records by emailing: domain.administrator@marriott.com); (iii) product, version and configuration, where applicable; and (iv) list of impacted assets (i.e. websites, applications, software, etc). \n2.\tProof of the vulnerability (i.e. through screenshots, screen captures, etc).\n3.\tSuggested mitigation or remediation actions.\n4.\tYour IP address, the dates you identified the potential vulnerability and performed testing, the web browser, testing tools, and mobile app version used during testing.\n\n#Program Terms\nResearchers will not be deemed to be in breach of applicable Marriott provisions or terms which may prohibit copying, reverse engineering, modifying, and other prohibitions related to Marriott data, assets, services or other property if Researchers comply fully with this Policy and all actions are performed as good-faith security research. 
Specifically, Researchers must adhere to the following Program terms:\n\n•\tResearchers may not deliberately disrupt, compromise or otherwise damage assets, accounts, devices, services or other property owned, controlled or provided by Marriott, its partners, customers, employees, franchisees, vendors or other party directly or indirectly affiliated with Marriott. This includes a prohibition on: (i) downloading, copying, disclosing, destroying, altering, or using any proprietary, confidential or other data belonging to Marriott or others; and (ii) hacking, penetrating, uploading viruses or backdoors or attempting to gain access to Marriott applications, systems or data in violation of this Policy.\n•\tResearchers may not engage in or submit tickets requiring social engineering, phishing,  or network-based denial of service attacks .\n•\tResearchers may not use brute force credentials or guessing credentials to gain access; change passwords of any account that is not Researcher's account or that Researcher does not have explicit permission to change; or mass create accounts to perform testing.\n•\tResearchers must comply with all applicable laws.\n•\tResearchers must immediately stop all activity and notify Marriott, through HackerOne,  if Researchers:\no\tAccess any personal or confidential data related to Marriott, or its customers, employees, or other affiliated parties, or otherwise the data or accounts of others, except when Researchers have been provided express permission to access such accounts; Researchers should not use or disclose the data without the express permission of Marriott; or\no\tInadvertently disrupt or compromise any Marriott service or the service of a Marriott affiliate.\n\n#Confidentiality and Disclosure\n\nUnless expressly provided in writing by Marriott, all Submissions and related information must be kept confidential and may not be shared outside of the Program. 
For the protection of our customers, Marriott does not publicly disclose, discuss or confirm security matters before comprehensively investigating, diagnosing and fixing any known issues. Marriott does not permit any public disclosure about the Program or Submissions. Do not discuss or write about any potential, current or resolved vulnerabilities without express consent from Marriott. \n\nThank you for helping protect Marriott’s systems, data and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Name of Companies Similar to but Unrelated to Marriott.\",\"details\":\"Marriott Vacations Worldwide, Ritz Carlton Yacht Club, Yacht Collection Marriott Vacations Clubs, Vistana, Interval International, Marriott Co. Financial, Interval Leisure Group, or Martiz Websites.\"}"],"timestamp":"2025-11-06T20:34:32.180Z"},{"id":3765682,"new_policy":"#Welcome to the Marriott Bug Bounty Program\n\nThis Policy, and the  HackerOne Community Member Terms and Conditions and Code of Conduct, apply to your participation in Marriott’s Bug Bounty program. To the extent this Policy conflicts with any HackerOne policy, terms, rules or guidelines, this Policy will govern. When you submit a potential vulnerability report through HackerOne (\"Submission\"), you acknowledge that you have read and agreed to this Policy. \n\n❌#Out-of-Scope (OOS) Submissions\n#Not eligible for bounty payments:\n\n\t1. Assets at brand properties, brand websites (e.g., fairfieldinnandsuites.marriott.com/*), or third-party vendor locations.\n\t2. \"Zero Days\" Security flaws that have an official patch for less than 30 days from the date of patch availability will not be  \n          eligible for bounty payments.\n\t3. 
Web Cache Poisoning, DOM-Based XSS, Reflected XSS, UI redressing via custom .html files and HTML injection\n\t4. Reports based on leaked findings from forums or third-party sources unrelated to Marriott assets.\n\t5. Content spoofing or text injection without HTML/CSS modification or attack vector.\n\t6. Leaked tokens, IDs, or cookies without proof of standalone account takeover (ATO).\n\t7. Non-persistent DOM-based and Reflected XSS requiring user interaction (aka Phishing).\n\t8. Reports based on credentials from third-party breaches or known credential lists.\n\t9. Lack of best practices in protocol or COTS product configurations (e.g., SaaS).\n\t10. Privacy-related reports: Submit to privacy@marriott.com.\n\t11. Clickjacking on pages without sensitive user actions.\n\t12. Vulnerabilities in assets owned by a vendor.\n\t13. Intentional service disruption (e.g., DoS).\n\t14. CRLF injection requiring user interaction (e.g., phishing link).\n\t15. Attacks requiring MITM or physical device access.\n    16. Open Redirects without credential/key theft.\n\n#In-Scope Submissions\nPlease review our detailed scope list\n\n#Rewards\nRewards are calculated by inserting the CVSS score of your report into our internal calculator.  Marriott aims for consistent rewards, but previous reports or reward amounts should not be considered a precedent and should not be used to negotiate a higher reward. \n\n#Response Times\nMarriott understands the importance of the efforts of Researchers reporting vulnerabilities, as they regularly make valuable contributions to Marriott and the broader community. We take each Submission seriously and will investigate and take appropriate steps to resolve reported vulnerabilities. 
Marriott will use its best efforts to meet the following timelines related to Submissions and to keep reporters informed throughout the process:\n\n| Marriott Response | Estimated Response Time |\n|----------|--------------------|\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 20 days |\n| Time to Resolution | Depends on severity and complexity |\n\n#Submission Requirements\nThe following outlines the key requirements for Submissions. All supporting evidence should only be stored within the Submission; you are prohibited from hosting files on your own device or on external hosting services. Failure to adhere to the minimum guidelines for Submissions may result in a reduced reward. Please provide as part of the Submission:\n\n1.\tA detailed summary of the exploit or chain of exploits, including: (i) type of issue; (ii) validation of the company that owns the asset (this can be done via WHOIS records by emailing domain.administrator@marriott.com); (iii) product, version and configuration, where applicable; and (iv) list of impacted assets (e.g. websites, applications, software, etc.).\n2.\tProof of the vulnerability (e.g. through screenshots, screen captures, etc.).\n3.\tSuggested mitigation or remediation actions.\n4.\tYour IP address, the dates you identified the potential vulnerability and performed testing, the web browser, testing tools, and mobile app version used during testing.\n\n#Program Terms\nResearchers will not be deemed to be in breach of applicable Marriott provisions or terms that prohibit copying, reverse engineering, modifying or similar actions related to Marriott data, assets, services or other property, provided that Researchers comply fully with this Policy and all actions are performed as good-faith security research. 
Specifically, Researchers must adhere to the following Program terms:\n\n•\tResearchers may not deliberately disrupt, compromise or otherwise damage assets, accounts, devices, services or other property owned, controlled or provided by Marriott, its partners, customers, employees, franchisees, vendors or any other party directly or indirectly affiliated with Marriott. This includes a prohibition on: (i) downloading, copying, disclosing, destroying, altering, or using any proprietary, confidential or other data belonging to Marriott or others; and (ii) hacking, penetrating, uploading viruses or backdoors or attempting to gain access to Marriott applications, systems or data in violation of this Policy.\n•\tResearchers may not engage in, or submit tickets requiring, social engineering, phishing, or network-based denial-of-service attacks.\n•\tResearchers may not brute-force or guess credentials to gain access; change the password of any account that is not the Researcher's own or that the Researcher does not have explicit permission to change; or mass-create accounts to perform testing.\n•\tResearchers must comply with all applicable laws.\n•\tResearchers must immediately stop all activity and notify Marriott, through HackerOne, if Researchers:\no\tAccess any personal or confidential data related to Marriott, or its customers, employees, or other affiliated parties, or otherwise the data or accounts of others, except when Researchers have been provided express permission to access such accounts; Researchers should not use or disclose the data without the express permission of Marriott; or\no\tInadvertently disrupt or compromise any Marriott service or the service of a Marriott affiliate.\n\n#Confidentiality and Disclosure\n\nUnless expressly provided in writing by Marriott, all Submissions and related information must be kept confidential and may not be shared outside of the Program. 
For the protection of our customers, Marriott does not publicly disclose, discuss or confirm security matters before comprehensively investigating, diagnosing and fixing any known issues. Marriott does not permit any public disclosure about the Program or Submissions. Do not discuss or write about any potential, current or resolved vulnerabilities without express consent from Marriott. \n\nThank you for helping protect Marriott’s systems, data and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Name of Companies Similar to but Unrelated to Marriott.\",\"details\":\"Marriott Vacations Worldwide, Ritz Carlton Yacht Club, Yacht Collection Marriott Vacations Clubs, Vistana, Interval International, Marriott Co. Financial, Interval Leisure Group, or Martiz Websites.\"}"],"timestamp":"2025-11-06T20:19:22.959Z"},{"id":3765184,"new_policy":"#Welcome to the Marriott Bug Bounty Program\n\nThis Policy, and the  HackerOne Community Member Terms and Conditions and Code of Conduct, apply to your participation in Marriott’s Bug Bounty program. To the extent this Policy conflicts with any HackerOne policy, terms, rules or guidelines, this Policy will govern. When you submit a potential vulnerability report through HackerOne (\"Submission\"), you acknowledge that you have read and agreed to this Policy. 
\n\n❌#Out-of-Scope (OOS) Submissions\n#Not eligible for bounty payments:\n\nAssets at brand properties, brand websites (e.g., fairfieldinnandsuites.marriott.com/*), or third-party vendor locations.\nWeb Cache Poisoning, DOM-Based XSS, Reflected XSS, UI redressing via custom .html files and HTML injection\nReports based on leaked findings from forums or third-party sources unrelated to Marriott assets.\nContent spoofing or text injection without HTML/CSS modification or attack vector.\nLeaked tokens, IDs, or cookies without proof of standalone account takeover (ATO).\nNon-persistent DOM-based and Reflected XSS requiring user interaction (aka Phishing).\nReports based on credentials from third-party breaches or known credential lists.\nLack of best practices in protocol or COTS product configurations (e.g., SaaS).\nPrivacy-related reports: Submit to privacy@marriott.com.\nClickjacking on pages without sensitive user actions.\nVulnerabilities in assets owned by a vendor.\nIntentional service disruption (e.g., DoS).\nCRLF injection requiring user interaction (e.g., phishing link).\nAttacks requiring MITM or physical device access.\nOpen Redirects without credential/key theft.\n\n#In-Scope Submissions\nPlease review our detailed scope list\n\n#Rewards\nRewards are calculated by inserting the CVSS score of your report into our internal calculator.  Marriott aims for consistent rewards, but previous reports or reward amounts should not be considered a precedent and should not be used to negotiate a higher reward. \n\n#Response Times\nMarriott understands the importance of the efforts of Researchers reporting vulnerabilities, as they regularly make valuable contributions to Marriott and the broader community. We take each Submission seriously and will investigate and take appropriate steps to resolve reported vulnerabilities. 
Marriott will use its best efforts to meet the following timelines related to Submissions and to keep reporters informed throughout the process:\n\n| Marriott Response | Estimated Response Time |\n|----------|--------------------|\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 20 days |\n| Time to Resolution | Depends on severity and complexity |\n\n#Submission Requirements\nThe following outlines the key requirements for Submissions. All supporting evidence should only be stored within the Submission; you are prohibited from hosting files on your own device or on external hosting services. Failure to adhere to the minimum guidelines for Submissions may result in a reduced reward. Please provide as part of the Submission:\n\n1.\tA detailed summary of the exploit or chain of exploits, including: (i) type of issue; (ii) validation of the company that owns the asset (this can be done via WHOIS records by emailing domain.administrator@marriott.com); (iii) product, version and configuration, where applicable; and (iv) list of impacted assets (e.g. websites, applications, software, etc.).\n2.\tProof of the vulnerability (e.g. through screenshots, screen captures, etc.).\n3.\tSuggested mitigation or remediation actions.\n4.\tYour IP address, the dates you identified the potential vulnerability and performed testing, the web browser, testing tools, and mobile app version used during testing.\n\n#Program Terms\nResearchers will not be deemed to be in breach of applicable Marriott provisions or terms that prohibit copying, reverse engineering, modifying or similar actions related to Marriott data, assets, services or other property, provided that Researchers comply fully with this Policy and all actions are performed as good-faith security research. 
Specifically, Researchers must adhere to the following Program terms:\n\n•\tResearchers may not deliberately disrupt, compromise or otherwise damage assets, accounts, devices, services or other property owned, controlled or provided by Marriott, its partners, customers, employees, franchisees, vendors or any other party directly or indirectly affiliated with Marriott. This includes a prohibition on: (i) downloading, copying, disclosing, destroying, altering, or using any proprietary, confidential or other data belonging to Marriott or others; and (ii) hacking, penetrating, uploading viruses or backdoors or attempting to gain access to Marriott applications, systems or data in violation of this Policy.\n•\tResearchers may not engage in, or submit tickets requiring, social engineering, phishing, or network-based denial-of-service attacks.\n•\tResearchers may not brute-force or guess credentials to gain access; change the password of any account that is not the Researcher's own or that the Researcher does not have explicit permission to change; or mass-create accounts to perform testing.\n•\tResearchers must comply with all applicable laws.\n•\tResearchers must immediately stop all activity and notify Marriott, through HackerOne, if Researchers:\no\tAccess any personal or confidential data related to Marriott, or its customers, employees, or other affiliated parties, or otherwise the data or accounts of others, except when Researchers have been provided express permission to access such accounts; Researchers should not use or disclose the data without the express permission of Marriott; or\no\tInadvertently disrupt or compromise any Marriott service or the service of a Marriott affiliate.\n\n#Confidentiality and Disclosure\n\nUnless expressly provided in writing by Marriott, all Submissions and related information must be kept confidential and may not be shared outside of the Program. 
For the protection of our customers, Marriott does not publicly disclose, discuss or confirm security matters before comprehensively investigating, diagnosing and fixing any known issues. Marriott does not permit any public disclosure about the Program or Submissions. Do not discuss or write about any potential, current or resolved vulnerabilities without express consent from Marriott. \n\nThank you for helping protect Marriott’s systems, data and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Name of Companies Similar to but Unrelated to Marriott.\",\"details\":\"Marriott Vacations Worldwide, Ritz Carlton Yacht Club, Yacht Collection Marriott Vacations Clubs, Vistana, Interval International, Marriott Co. Financial, Interval Leisure Group, or Martiz Websites.\"}"],"timestamp":"2025-10-27T14:46:45.542Z"},{"id":3761066,"new_policy":"#Welcome to the Marriott Bug Bounty Program\nMarriott takes cybersecurity seriously. Individuals that participate in the Program by responsibly researching (\"Researchers\") and reporting vulnerabilities help us to ensure the security and privacy of our customers and data.\n\nThis Policy, and the  HackerOne Community Member Terms and Conditions and Code of Conduct, apply to your participation in Marriott’s Bug Bounty program (the \"Program\"). To the extent this Policy conflicts with any HackerOne policy, terms, rules or guidelines, this Policy will govern. When you submit a potential vulnerability report through HackerOne (\"Submission\"), you acknowledge that you have read and agreed to this Policy. Marriott may revise this Policy or terminate the Program at any time. 
You should check this site regularly for updates to our Program terms and eligibility, which are effective upon posting. Researchers must be at least 18 years of age to be eligible for a reward under the Program.\n\nThis Policy only applies to the entities listed above. It does not apply to: Marriott Vacations Worldwide, Ritz Carlton Yacht Club, Yacht Collection Marriott Vacations Clubs, Vistana, Interval International, Marriott Co. Financial, Interval Leisure Group, or Martiz Websites. These are separate companies and legal entities. Marriott employees and vendors are encouraged to participate in the Program, but they are not eligible for bounty payments.\n\n#Submission Requirements\nThe following outlines the key requirements for Submissions. All supporting evidence should only be stored within the Submission; you are prohibited from hosting files on your own device or on external hosting services. Failure to adhere to the minimum guidelines for Submissions may result in a reduced reward. Please provide as part of the Submission:\n\n1.\tA detailed summary of the exploit or chain of exploits, including: (i) type of issue; (ii) validation of the company that owns the asset (this can be done via WHOIS records by emailing domain.administrator@marriott.com); (iii) product, version and configuration, where applicable; and (iv) list of impacted assets (e.g. websites, applications, software, etc.).\n2.\tProof of the vulnerability (e.g. 
through screenshots, screen captures, etc.).\n3.\tSuggested mitigation or remediation actions.\n4.\tYour IP address, the dates you identified the potential vulnerability and performed testing, the web browser, testing tools, and mobile app version used during testing.\n\n#Program Terms\nResearchers will not be deemed to be in breach of applicable Marriott provisions or terms that prohibit copying, reverse engineering, modifying or similar actions related to Marriott data, assets, services or other property, provided that Researchers comply fully with this Policy and all actions are performed as good-faith security research. Specifically, Researchers must adhere to the following Program terms:\n\n•\tResearchers may not deliberately disrupt, compromise or otherwise damage assets, accounts, devices, services or other property owned, controlled or provided by Marriott, its partners, customers, employees, franchisees, vendors or any other party directly or indirectly affiliated with Marriott. This includes a prohibition on: (i) downloading, copying, disclosing, destroying, altering, or using any proprietary, confidential or other data belonging to Marriott or others; and (ii) hacking, penetrating, uploading viruses or backdoors or attempting to gain access to Marriott applications, systems or data in violation of this Policy.\n•\tResearchers may not engage in, or submit tickets requiring, social engineering, phishing, or network-based denial-of-service attacks.\n•\tResearchers may not brute-force or guess credentials to gain access; change the password of any account that is not the Researcher's own or that the Researcher does not have explicit permission to change; or mass-create accounts to perform testing.\n•\tResearchers must comply with all applicable laws.\n•\tResearchers must immediately stop all activity and notify Marriott, through HackerOne, if Researchers:\no\tAccess any personal or confidential data related to Marriott, or its customers, employees, or 
other affiliated parties, or otherwise the data or accounts of others, except when Researchers have been provided express permission to access such accounts; Researchers should not use or disclose the data without the express permission of Marriott; or\no\tInadvertently disrupt or compromise any Marriott service or the service of a Marriott affiliate.\n\n# Out-of-Scope Activities\n\n•\t\"Zero Days\": security flaws that have had an official patch for less than 30 days from the date of patch availability will not be eligible for bounty payments.\n•\tPlease report PRIVACY concerns to privacy@marriott.com. This Program is not for marketing, branding, hotel operations or similar issues; it is designed to target applications and machines, not proprietary documents. Such findings will be closed as Not Applicable and redirected to privacy@marriott.com.\n•\tWeb Cache Poisoning, DOM-Based XSS, Reflected XSS, UI redressing via custom .html files, HTML injection, Phishing, Vishing, Whaling, etc.\n•\tNon-persistent DOM-based and Reflected XSS that only works with user interaction (e.g. clicking a link from a phishing email)\n•\tReports based on credentials exposed in other data breaches or known credential lists\n•\tAssets located at any of our 30+ brands' properties, brand websites (fairfieldinandsuites.marriott.com/*) or third-party vendor/partner physical locations/data centers.\n•\tLack of best practices in the configuration of protocols or COTS products (SaaS, etc.).\n•\tClickjacking on pages without confidential activities\n•\tAny activity that is intentionally meant to disrupt our service (DoS)\n•\tCRLF injection that requires user interaction (e.g. 
clicking on a link from a phishing email)\n•\tAttacks requiring MITM or physical access to a user's device\n•\tOpen redirect issues that are not linked to theft of a controlled username/password/key.\n•\tContent spoofing and text injection issues without a demonstrated attack vector or the ability to modify HTML/CSS\n•\tInsecure Direct Object Reference (IDOR) with unpredictable IDs is not accepted.\n•\tSubmitted reports based on leaked findings from forums and third-party sources that are not the affected asset.\n•\tVulnerabilities in \"house name\" vendor products of which Marriott International is a customer will not be accepted. Reports for the affected asset should be sent to the company that manages the infrastructure, not to the assumed customer.\n•\tReports of leaked tokens, IDs or cookies without valid proof that these alone (without a username/password) provide account takeover (ATO) will not be accepted.\n\n#Rewards\nRewards are calculated based on the CVSS score assigned to the Submission and are at the sole discretion of Marriott. Marriott aims for consistent rewards, but previous reports or reward amounts should not be considered a precedent and should not be used to negotiate a higher reward. Recipients of rewards are responsible for the payment of all applicable taxes. Marriott may be prohibited from issuing a reward if the reporter is: (i) a citizen or resident of an embargoed country; or (ii) on the US Treasury Department's Specially Designated Nationals list, the US Department of Commerce Denied Persons or Entity List, or any other restricted party list.\n\n#Response Times\nMarriott understands the importance of the efforts of Researchers reporting vulnerabilities, as they regularly make valuable contributions to Marriott and the broader community. We take each Submission seriously and will investigate and take appropriate steps to resolve reported vulnerabilities. 
Marriott will use its best efforts to meet the following timelines related to Submissions and to keep reporters informed throughout the process:\n\n\n| Marriott Response | Estimated Response Time| \n|----------|--------------------|\n|  First Response | 2 days | \n| Time to Triage   | 5 days |\n| Time to  Bounty   | 20 days |\n|  Time to Resolution   | Depends on severity and complexity |\n\n#Confidentiality and Disclosure\n\nUnless expressly provided in writing by Marriott, all Submissions and related information must be kept confidential and may not be shared outside of the Program. For the protection of our customers, Marriott does not publicly disclose, discuss or confirm security matters before comprehensively investigating, diagnosing and fixing any known issues. Marriott does not permit any public disclosure about the Program or Submissions. Do not discuss or write about any potential, current or resolved vulnerabilities without express consent from Marriott. \n\nThank you for helping protect Marriott’s systems, data and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-08-13T15:48:37.351Z"},{"id":3754091,"new_policy":"#Welcome to the Marriott Bug Bounty Program\nMarriott takes cybersecurity seriously. Individuals that participate in the Program by responsibly researching (\"Researchers\") and reporting vulnerabilities help us to ensure the security and privacy of our customers and data.\n\nThis Policy, and the  HackerOne Community Member Terms and Conditions and Code of Conduct, apply to your participation in Marriott’s Bug Bounty program (the \"Program\"). To the extent this Policy conflicts with any HackerOne policy, terms, rules or guidelines, this Policy will govern. 
When you submit a potential vulnerability report through HackerOne (\"Submission\"), you acknowledge that you have read and agreed to this Policy. Marriott may revise this Policy or terminate the Program at any time. You should check this site regularly for updates to our Program terms and eligibility, which are effective upon posting. Researchers must be at least 18 years of age to be eligible for a reward under the Program.\n\nThis Policy only applies to the entities listed above. It does not apply to: Marriott Vacations Worldwide, Ritz Carlton Yacht Club, Yacht Collection Marriott Vacations Clubs, Vistana, Interval International, Marriott Co. Financial, Interval Leisure Group, or Martiz Websites. These are separate companies and legal entities. Marriott employees and vendors are encouraged to participate in the Program, but they are not eligible for bounty payments.\n\n#Submission Requirements\nThe following outlines the key requirements for Submissions. All supporting evidence should only be stored within the Submission; you are prohibited from hosting files on your own device or on external hosting services. Failure to adhere to the minimum guidelines for Submissions may result in a reduced reward. Please provide as part of the Submission:\n\n1.\tA detailed summary of the exploit or chain of exploits, including: (i) type of issue; (ii) validation of the company that owns the asset (this can be done via WHOIS records by emailing domain.administrator@marriott.com); (iii) product, version and configuration, where applicable; and (iv) list of impacted assets (e.g. websites, applications, software, etc.).\n2.\tProof of the vulnerability (e.g. 
through screenshots, screen captures, etc.).\n3.\tSuggested mitigation or remediation actions.\n4.\tYour IP address, the dates you identified the potential vulnerability and performed testing, the web browser, testing tools, and mobile app version used during testing.\n\n#Program Terms\nResearchers will not be deemed to be in breach of applicable Marriott provisions or terms that prohibit copying, reverse engineering, modifying or similar actions related to Marriott data, assets, services or other property, provided that Researchers comply fully with this Policy and all actions are performed as good-faith security research. Specifically, Researchers must adhere to the following Program terms:\n\n•\tResearchers may not deliberately disrupt, compromise or otherwise damage assets, accounts, devices, services or other property owned, controlled or provided by Marriott, its partners, customers, employees, franchisees, vendors or any other party directly or indirectly affiliated with Marriott. This includes a prohibition on: (i) downloading, copying, disclosing, destroying, altering, or using any proprietary, confidential or other data belonging to Marriott or others; and (ii) hacking, penetrating, uploading viruses or backdoors or attempting to gain access to Marriott applications, systems or data in violation of this Policy.\n•\tResearchers may not engage in, or submit tickets requiring, social engineering, phishing, or network-based denial-of-service attacks.\n•\tResearchers may not brute-force or guess credentials to gain access; change the password of any account that is not the Researcher's own or that the Researcher does not have explicit permission to change; or mass-create accounts to perform testing.\n•\tResearchers must comply with all applicable laws.\n•\tResearchers must immediately stop all activity and notify Marriott, through HackerOne, if Researchers:\no\tAccess any personal or confidential data related to Marriott, or its customers, employees, or 
other affiliated parties, or otherwise the data or accounts of others, except when Researchers have been provided express permission to access such accounts; Researchers should not use or disclose the data without the express permission of Marriott; or\no\tInadvertently disrupt or compromise any Marriott service or the service of a Marriott affiliate.\n\n# Out-of-Scope Activities\n\nThe following may be considered out of scope and may be marked informative and/or not eligible for payment:\n\n***POSTMAN Basic and Professional related API credential leaks will not be rewarded but will be accepted as we work to resolve the known issue internally*** (February 29, 2024)\n\n•\t\"Zero Days\": security flaws that have had an official patch for less than 30 days from the date of patch availability will not be eligible for bounty payments.\n•\tWeb Cache Poisoning, DOM-Based XSS, Reflected XSS, UI redressing via custom .html files, HTML injection, Phishing, Vishing, Whaling, etc.\n•\tNon-persistent DOM-based and Reflected XSS that only works with user interaction (e.g. clicking a link from a phishing email)\n•\tReports based on credentials exposed in other data breaches or known credential lists\n•\tReports from automated tools or scans\n•\tAssets located at any Marriott properties or third-party vendors for properties\n•\tLack of best practices in the configuration of protocols or COTS products (SaaS, etc.).\n•\tClickjacking on pages without confidential activities\n•\tAny activity that is intentionally meant to disrupt our service (DoS)\n•\tCRLF injection that requires user interaction (e.g. clicking on a link from a phishing email)\n•\tAttacks requiring MITM or physical access to a user's device\n•\tOpen redirect issues that are not linked to theft of a controlled username/password/key.\n•\tContent spoofing and text injection issues without a demonstrated attack vector or the ability to modify HTML/CSS\n•\tInsecure Direct Object Reference (IDOR) with unpredictable IDs is not accepted. 
\n•\tSubmitted reports based on leaked findings from forums and third-party sources that are not the affected asset.\n•\tVulnerabilities in \"house name\" vendor products of which Marriott International is a customer will not be accepted. Reports for the affected asset should be sent to the company that manages the infrastructure, not to the assumed customer.\n•\tReports of leaked tokens, IDs or cookies without valid proof that these alone (without a username/password) provide account takeover (ATO) will not be accepted.\n\n#Rewards\nRewards are calculated based on the CVSS score assigned to the Submission and are at the sole discretion of Marriott. Marriott aims for consistent rewards, but previous reports or reward amounts should not be considered a precedent and should not be used to negotiate a higher reward. Recipients of rewards are responsible for the payment of all applicable taxes. Marriott may be prohibited from issuing a reward if the reporter is: (i) a citizen or resident of an embargoed country; or (ii) on the US Treasury Department's Specially Designated Nationals list, the US Department of Commerce Denied Persons or Entity List, or any other restricted party list.\n\n#Response Times\nMarriott understands the importance of the efforts of Researchers reporting vulnerabilities, as they regularly make valuable contributions to Marriott and the broader community. We take each Submission seriously and will investigate and take appropriate steps to resolve reported vulnerabilities. 
Marriott will use its best efforts to meet the following timelines related to Submissions and to keep reporters informed throughout the process:\n\n\n| Marriott Response | Estimated Response Time| \n|----------|--------------------|\n|  First Response | 2 days | \n| Time to Triage   | 5 days |\n| Time to  Bounty   | 20 days |\n|  Time to Resolution   | Depends on severity and complexity |\n\n#Confidentiality and Disclosure\n\nUnless expressly provided in writing by Marriott, all Submissions and related information must be kept confidential and may not be shared outside of the Program. For the protection of our customers, Marriott does not publicly disclose, discuss or confirm security matters before comprehensively investigating, diagnosing and fixing any known issues. Marriott does not permit any public disclosure about the Program or Submissions. Do not discuss or write about any potential, current or resolved vulnerabilities without express consent from Marriott. \n\nThank you for helping protect Marriott’s systems, data and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-04-21T18:50:54.135Z"},{"id":3752281,"new_policy":"#Welcome to the Marriott Bug Bounty Program\nMarriott takes cybersecurity seriously. Individuals that participate in the Program by responsibly researching (\"Researchers\") and reporting vulnerabilities help us to ensure the security and privacy of our customers and data.\n\nThis Policy, and the  HackerOne Community Member Terms and Conditions and Code of Conduct, apply to your participation in Marriott’s Bug Bounty program (the \"Program\"). To the extent this Policy conflicts with any HackerOne policy, terms, rules or guidelines, this Policy will govern. 
When you submit a potential vulnerability report through HackerOne (\"Submission\"), you acknowledge that you have read and agreed to this Policy. Marriott may revise this Policy or terminate the Program at any time. You should check this site regularly for updates to our Program terms and eligibility, which are effective upon posting. Researchers must be at least 18 years of age to be eligible for a reward under the Program.\n\nThis Policy only applies to the entities listed above. It does not apply to: Marriott Vacations Worldwide, Ritz Carlton Yacht Club, Yacht Collection Marriott Vacations Clubs, Vistana, Interval International, Marriott Co. Financial, Interval Leisure Group, or Martiz Websites. These are separate companies and legal entities. Marriott employees and vendors are encouraged to participate in the Program, but they are not eligible for bounty payments.\n\n#Submission Requirements\nThe following outlines the key requirements for Submissions. All supporting evidence should only be stored within the Submission; you are prohibited from hosting files on your own device or on external hosting services. Failure to adhere to the minimum guidelines for Submissions may result in a reduced reward. Please provide as part of the Submission:\n\n1.\tA detailed summary of the exploit or chain of exploits, including: (i) type of issue; (ii) validation of company that owns the asset (this can be done via WHOIS records by emailing: domain.administrator@marriott.com); (iii) product, version and configuration, where applicable; and (iv) list of impacted assets (i.e. websites, applications, software, etc). \n2.\tProof of the vulnerability (i.e. 
through screenshots, screen captures, etc.).\n3.\tSuggested mitigation or remediation actions.\n4.\tYour IP address, the dates you identified the potential vulnerability and performed testing, the web browser, testing tools, and mobile app version used during testing.\n\n#Program Terms\nResearchers will not be deemed to be in breach of applicable Marriott provisions or terms which may prohibit copying, reverse engineering, modifying, and other prohibitions related to Marriott data, assets, services or other property if Researchers comply fully with this Policy and all actions are performed as good-faith security research. Specifically, Researchers must adhere to the following Program terms:\n\n•\tResearchers may not deliberately disrupt, compromise or otherwise damage assets, accounts, devices, services or other property owned, controlled or provided by Marriott, its partners, customers, employees, franchisees, vendors or any other party directly or indirectly affiliated with Marriott. This includes a prohibition on: (i) downloading, copying, disclosing, destroying, altering, or using any proprietary, confidential or other data belonging to Marriott or others; and (ii) hacking, penetrating, uploading viruses or backdoors or attempting to gain access to Marriott applications, systems or data in violation of this Policy.\n•\tResearchers may not engage in or submit tickets requiring social engineering, phishing, or network-based denial-of-service attacks.\n•\tResearchers may not brute-force or guess credentials to gain access; change passwords of any account that is not the Researcher's account or that the Researcher does not have explicit permission to change; or mass create accounts to perform testing.\n•\tResearchers must comply with all applicable laws.\n•\tResearchers must immediately stop all activity and notify Marriott, through HackerOne, if Researchers:\no\tAccess any personal or confidential data related to Marriott, or its customers, employees, or 
other affiliated parties, or otherwise the data or accounts of others, except when Researchers have been provided express permission to access such accounts; Researchers should not use or disclose the data without the express permission of Marriott; or\no\tInadvertently disrupt or compromise any Marriott service or the service of a Marriott affiliate.\n\n# Out-of-Scope Activities\n\nThe following may be considered out of scope and may be marked informative and/or not eligible for payment:\n ***POSTMAN Basic and Professional related API credential leaks will not be rewarded but will be accepted as we work to resolve the known issue internally*** (February 29, 2024)\n\n•\t\"Zero Days\": security flaws that have had an official patch for less than 30 days from the date of patch availability will not be eligible for bounty payments.\n•\tWeb Cache Poisoning, Reflected XSS, UI redressing via custom .html files, HTML injection, Phishing, Vishing, Whaling, etc.\n•\tReports from credentials exposed by other data breaches or known credential lists\n•\tReports from automated tools or scans\n•\tAssets located at any Marriott properties or third-party vendors for properties\n•\tLack of best practices in configuration of protocols or COTS products (SaaS, etc.)\n•\tClickjacking on pages without confidential activities\n•\tAny activity that is intentionally meant to disrupt our service (DoS)\n•\tCRLF that requires user interaction (i.e. clicking on a link from a phishing email)\n•\tAttacks requiring MITM or physical access to a user's device\n•\tOpen Redirect issues without linking to controlled username/password/key theft.\n•\tContent spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n•\tInsecure Direct Object Reference (IDOR) with unpredictable IDs is not accepted.\n•\tSubmitted reports with leaked findings from forums and third-party sources that are not the affected asset. 
\n•\tVulnerabilities in \"house name\" vendor products that Marriott International is a customer of will not be accepted. Reports for the affected asset should be sent to the company that manages the infrastructure, not to the assumed customer.\n•\tReports of leaked tokens, IDs or cookies without valid proof that these alone (without a username/password) provide account takeover (ATO) will not be accepted\n\n#Rewards\nRewards are calculated based on the CVSS score assigned to the Submission and are at the sole discretion of Marriott. Marriott aims for consistent rewards, but previous reports or reward amounts should not be considered a precedent and should not be used to negotiate a higher reward. Recipients of rewards are responsible for the payment of all applicable taxes. Marriott may be prohibited from issuing a reward if the reporter is: (i) a citizen or resident of an embargoed country; or (ii) on the US Treasury Department Specially Designated Nationals list, the US Department of Commerce Denied Persons List or Entity List, or any other restricted party list.\n\n#Response Times\nMarriott understands the importance of the efforts of Researchers reporting vulnerabilities, as they regularly make valuable contributions to Marriott and the broader community. We take each Submission seriously and will investigate and take appropriate steps to resolve reported vulnerabilities. Marriott will use its best efforts to meet the following timelines related to Submissions and to keep reporters informed throughout the process:\n\n\n| Marriott Response | Estimated Response Time |\n|----------|--------------------|\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 20 days |\n| Time to Resolution | Depends on severity and complexity |\n\n#Confidentiality and Disclosure\n\nUnless expressly provided in writing by Marriott, all Submissions and related information must be kept confidential and may not be shared outside of the Program. 
For the protection of our customers, Marriott does not publicly disclose, discuss or confirm security matters before comprehensively investigating, diagnosing and fixing any known issues. Marriott does not permit any public disclosure about the Program or Submissions. Do not discuss or write about any potential, current or resolved vulnerabilities without express consent from Marriott. \n\nThank you for helping protect Marriott’s systems, data and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-03-24T18:15:59.760Z"},{"id":3713618,"new_policy":"#Welcome to the Marriott Bug Bounty Program\nMarriott takes cybersecurity seriously. Individuals that participate in the Program by responsibly researching (\"Researchers\") and reporting vulnerabilities help us to ensure the security and privacy of our customers and data.\n\nThis Policy, and the  HackerOne Community Member Terms and Conditions and Code of Conduct, apply to your participation in Marriott’s Bug Bounty program (the \"Program\"). To the extent this Policy conflicts with any HackerOne policy, terms, rules or guidelines, this Policy will govern. When you submit a potential vulnerability report through HackerOne (\"Submission\"), you acknowledge that you have read and agreed to this Policy. Marriott may revise this Policy or terminate the Program at any time. You should check this site regularly for updates to our Program terms and eligibility, which are effective upon posting. Researchers must be at least 18 years of age to be eligible for a reward under the Program.\n\nThis Policy only applies to the entities listed above. 
It does not apply to: Marriott Vacations Worldwide, Ritz Carlton Yacht Club, Yacht Collection Marriott Vacations Clubs, Vistana, Interval International, Marriott Co. Financial, Interval Leisure Group, or Martiz Websites. These are separate companies and legal entities. Marriott employees and vendors are encouraged to participate in the Program, but they are not eligible for bounty payments.\n\n#Submission Requirements\nThe following outlines the key requirements for Submissions. All supporting evidence should only be stored within the Submission; you are prohibited from hosting files on your own device or on external hosting services. Failure to adhere to the minimum guidelines for Submissions may result in a reduced reward. Please provide as part of the Submission:\n\n1.\tA detailed summary of the exploit or chain of exploits, including: (i) type of issue; (ii) validation of company that owns the asset (this can be done via WHOIS records by emailing: domain.administrator@marriott.com); (iii) product, version and configuration, where applicable; and (iv) list of impacted assets (i.e. websites, applications, software, etc). \n2.\tProof of the vulnerability (i.e. through screenshots, screen captures, etc).\n3.\tSuggested mitigation or remediation actions.\n4.\tYour IP address, the dates you identified the potential vulnerability and performed testing, the web browser, testing tools, and mobile app version used during testing.\n\n#Program Terms\nResearchers will not be deemed to be in breach of applicable Marriott provisions or terms which may prohibit copying, reverse engineering, modifying, and other prohibitions related to Marriott data, assets, services or other property if Researchers comply fully with this Policy and all actions are performed as good-faith security research. 
Specifically, Researchers must adhere to the following Program terms:\n\n•\tResearchers may not deliberately disrupt, compromise or otherwise damage assets, accounts, devices, services or other property owned, controlled or provided by Marriott, its partners, customers, employees, franchisees, vendors or any other party directly or indirectly affiliated with Marriott. This includes a prohibition on: (i) downloading, copying, disclosing, destroying, altering, or using any proprietary, confidential or other data belonging to Marriott or others; and (ii) hacking, penetrating, uploading viruses or backdoors or attempting to gain access to Marriott applications, systems or data in violation of this Policy.\n•\tResearchers may not engage in or submit tickets requiring social engineering, phishing, or network-based denial-of-service attacks.\n•\tResearchers may not brute-force or guess credentials to gain access; change passwords of any account that is not the Researcher's account or that the Researcher does not have explicit permission to change; or mass create accounts to perform testing.\n•\tResearchers must comply with all applicable laws.\n•\tResearchers must immediately stop all activity and notify Marriott, through HackerOne, if Researchers:\no\tAccess any personal or confidential data related to Marriott, or its customers, employees, or other affiliated parties, or otherwise the data or accounts of others, except when Researchers have been provided express permission to access such accounts; Researchers should not use or disclose the data without the express permission of Marriott; or\no\tInadvertently disrupt or compromise any Marriott service or the service of a Marriott affiliate.\n\n# Out-of-Scope Activities\n\nThe following may be considered out of scope and may be marked informative and/or not eligible for payment:\n ***POSTMAN Basic and Professional related API credential leaks will not be rewarded but will be accepted as we work to resolve the 
known issue internally*** (February 29, 2024)\n\n•\t\"Zero Days\": security flaws that have had an official patch for less than 30 days from the date of patch availability will not be eligible for bounty payments.\n•\tWeb Cache Poisoning, Reflected XSS, UI redressing via custom .html files\n•\tReports from credentials exposed by other data breaches or known credential lists\n•\tReports from automated tools or scans\n•\tAssets located at any Marriott properties or third-party vendors for properties\n•\tMissing best practices in SSL/TLS configuration\n•\tClickjacking on pages with no sensitive actions\n•\tAny activity that is intentionally meant to disrupt our service (DoS)\n•\tCRLF that requires user interaction (i.e. clicking on a link from a phishing email)\n•\tAttacks requiring MITM or physical access to a user's device\n•\tOpen Redirect issues without linking to controlled username/password/key theft.\n•\tContent spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n•\tInsecure Direct Object Reference (IDOR) with unpredictable IDs is not accepted.\n•\tSubmitted reports with leaked findings from forums and third-party sources that are not the affected asset.\n•\tVulnerabilities in \"house name\" vendor products that Marriott International is a customer of will not be accepted. Reports for the affected asset should be sent to the company that manages the infrastructure, not to the assumed customer.\n•\tReports of leaked tokens, IDs or cookies without valid proof that these alone (without a username/password) provide account takeover (ATO) will not be accepted\n\n#Rewards\nRewards are calculated based on the CVSS score assigned to the Submission and are at the sole discretion of Marriott. Marriott aims for consistent rewards, but previous reports or reward amounts should not be considered a precedent and should not be used to negotiate a higher reward. 
Recipients of rewards are responsible for the payment of all applicable taxes. Marriott may be prohibited from issuing a reward if the reporter is: (i) a citizen or resident of an embargoed country; or (ii) on the US Treasury Department Specially Designated Nationals list, the US Department of Commerce Denied Persons List or Entity List, or any other restricted party list.\n\n#Response Times\nMarriott understands the importance of the efforts of Researchers reporting vulnerabilities, as they regularly make valuable contributions to Marriott and the broader community. We take each Submission seriously and will investigate and take appropriate steps to resolve reported vulnerabilities. Marriott will use its best efforts to meet the following timelines related to Submissions and to keep reporters informed throughout the process:\n\n\n| Marriott Response | Estimated Response Time |\n|----------|--------------------|\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 20 days |\n| Time to Resolution | Depends on severity and complexity |\n\n#Confidentiality and Disclosure\n\nUnless expressly provided in writing by Marriott, all Submissions and related information must be kept confidential and may not be shared outside of the Program. For the protection of our customers, Marriott does not publicly disclose, discuss or confirm security matters before comprehensively investigating, diagnosing and fixing any known issues. Marriott does not permit any public disclosure about the Program or Submissions. Do not discuss or write about any potential, current or resolved vulnerabilities without express consent from Marriott. 
\n\nThank you for helping protect Marriott’s systems, data and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-03-05T11:57:22.339Z"},{"id":3713617,"new_policy":"#Welcome to the Marriott Bug Bounty Program\nMarriott takes cybersecurity seriously. Individuals that participate in the Program by responsibly researching (\"Researchers\") and reporting vulnerabilities help us to ensure the security and privacy of our customers and data.\n\nThis Policy, and the  HackerOne Community Member Terms and Conditions and Code of Conduct, apply to your participation in Marriott’s Bug Bounty program (the \"Program\"). To the extent this Policy conflicts with any HackerOne policy, terms, rules or guidelines, this Policy will govern. When you submit a potential vulnerability report through HackerOne (\"Submission\"), you acknowledge that you have read and agreed to this Policy. Marriott may revise this Policy or terminate the Program at any time. You should check this site regularly for updates to our Program terms and eligibility, which are effective upon posting. Researchers must be at least 18 years of age to be eligible for a reward under the Program.\n\nThis Policy only applies to the entities listed above. It does not apply to: Marriott Vacations Worldwide, Ritz Carlton Yacht Club, Yacht Collection Marriott Vacations Clubs, Vistana, Interval International, Marriott Co. Financial, Interval Leisure Group, or Martiz Websites. These are separate companies and legal entities. Marriott employees and vendors are encouraged to participate in the Program, but they are not eligible for bounty payments.\n\n#Submission Requirements\nThe following outlines the key requirements for Submissions. 
All supporting evidence should only be stored within the Submission; you are prohibited from hosting files on your own device or on external hosting services. Failure to adhere to the minimum guidelines for Submissions may result in a reduced reward. Please provide as part of the Submission:\n\n1.\tA detailed summary of the exploit or chain of exploits, including: (i) type of issue; (ii) validation of company that owns the asset (this can be done via WHOIS records by emailing: domain.administrator@marriott.com); (iii) product, version and configuration, where applicable; and (iv) list of impacted assets (i.e. websites, applications, software, etc). \n2.\tProof of the vulnerability (i.e. through screenshots, screen captures, etc).\n3.\tSuggested mitigation or remediation actions.\n4.\tYour IP address, the dates you identified the potential vulnerability and performed testing, the web browser, testing tools, and mobile app version used during testing.\n\n#Program Terms\nResearchers will not be deemed to be in breach of applicable Marriott provisions or terms which may prohibit copying, reverse engineering, modifying, and other prohibitions related to Marriott data, assets, services or other property if Researchers comply fully with this Policy and all actions are performed as good-faith security research. Specifically, Researchers must adhere to the following Program terms:\n\n•\tResearchers may not deliberately disrupt, compromise or otherwise damage assets, accounts, devices, services or other property owned, controlled or provided by Marriott, its partners, customers, employees, franchisees, vendors or other party directly or indirectly affiliated with Marriott. 
This includes a prohibition on: (i) downloading, copying, disclosing, destroying, altering, or using any proprietary, confidential or other data belonging to Marriott or others; and (ii) hacking, penetrating, uploading viruses or backdoors or attempting to gain access to Marriott applications, systems or data in violation of this Policy.\n•\tResearchers may not engage in or submit tickets requiring social engineering, phishing, or network-based denial-of-service attacks.\n•\tResearchers may not brute-force or guess credentials to gain access; change passwords of any account that is not the Researcher's account or that the Researcher does not have explicit permission to change; or mass create accounts to perform testing.\n•\tResearchers must comply with all applicable laws.\n•\tResearchers must immediately stop all activity and notify Marriott, through HackerOne, if Researchers:\no\tAccess any personal or confidential data related to Marriott, or its customers, employees, or other affiliated parties, or otherwise the data or accounts of others, except when Researchers have been provided express permission to access such accounts; Researchers should not use or disclose the data without the express permission of Marriott; or\no\tInadvertently disrupt or compromise any Marriott service or the service of a Marriott affiliate.\n\n# Out-of-Scope Activities\n\nThe following may be considered out of scope and may be marked informative and/or not eligible for payment:\n ***POSTMAN Basic and Professional related API credential leaks will not be rewarded but will be accepted as we work to resolve the known issue internally*** (February 29, 2024)\n\n•\t\"Zero Days\": security flaws that have had an official patch for less than 30 days from the date of patch availability will not be eligible for bounty payments.\n•\tWeb Cache Poisoning, Reflected XSS, UI redressing via custom .html files\n•\tReports from credentials exposed by other data breaches or known credential 
lists\n•\tReports from automated tools or scans\n•\tAssets located at any Marriott properties or third-party vendors for properties\n•\tMissing best practices in SSL/TLS configuration\n•\tClickjacking on pages with no sensitive actions\n•\tAny activity that is intentionally meant to disrupt our service (DoS)\n•\tCRLF that requires user interaction (i.e. clicking on a link from a phishing email)\n•\tAttacks requiring MITM or physical access to a user's device\n•\tOpen Redirect issues without linking to controlled username/password/key theft.\n•\tContent spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n•\tInsecure Direct Object Reference (IDOR) with unpredictable IDs is not accepted.\n\n#Rewards\nRewards are calculated based on the CVSS score assigned to the Submission and are at the sole discretion of Marriott. Marriott aims for consistent rewards, but previous reports or reward amounts should not be considered a precedent and should not be used to negotiate a higher reward. Recipients of rewards are responsible for the payment of all applicable taxes. Marriott may be prohibited from issuing a reward if the reporter is: (i) a citizen or resident of an embargoed country; or (ii) on the US Treasury Department Specially Designated Nationals list, the US Department of Commerce Denied Persons List or Entity List, or any other restricted party list.\n\n#Response Times\nMarriott understands the importance of the efforts of Researchers reporting vulnerabilities, as they regularly make valuable contributions to Marriott and the broader community. We take each Submission seriously and will investigate and take appropriate steps to resolve reported vulnerabilities. 
Marriott will use its best efforts to meet the following timelines related to Submissions and to keep reporters informed throughout the process:\n\n\n| Marriott Response | Estimated Response Time| \n|----------|--------------------|\n|  First Response | 2 days | \n| Time to Triage   | 5 days |\n| Time to  Bounty   | 20 days |\n|  Time to Resolution   | Depends on severity and complexity |\n\n#Confidentiality and Disclosure\n\nUnless expressly provided in writing by Marriott, all Submissions and related information must be kept confidential and may not be shared outside of the Program. For the protection of our customers, Marriott does not publicly disclose, discuss or confirm security matters before comprehensively investigating, diagnosing and fixing any known issues. Marriott does not permit any public disclosure about the Program or Submissions. Do not discuss or write about any potential, current or resolved vulnerabilities without express consent from Marriott. \n\nThank you for helping protect Marriott’s systems, data and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-03-05T11:27:05.013Z"},{"id":3713442,"new_policy":"#Welcome to the Marriott Bug Bounty Program\nMarriott takes cybersecurity seriously. Individuals that participate in the Program by responsibly researching (\"Researchers\") and reporting vulnerabilities help us to ensure the security and privacy of our customers and data.\n\nThis Policy, and the  HackerOne Community Member Terms and Conditions and Code of Conduct, apply to your participation in Marriott’s Bug Bounty program (the \"Program\"). To the extent this Policy conflicts with any HackerOne policy, terms, rules or guidelines, this Policy will govern. 
When you submit a potential vulnerability report through HackerOne (\"Submission\"), you acknowledge that you have read and agreed to this Policy. Marriott may revise this Policy or terminate the Program at any time. You should check this site regularly for updates to our Program terms and eligibility, which are effective upon posting. Researchers must be at least 18 years of age to be eligible for a reward under the Program.\n\nThis Policy only applies to the entities listed above. It does not apply to: Marriott Vacations Worldwide, Ritz Carlton Yacht Club, Yacht Collection Marriott Vacations Clubs, Vistana, Interval International, Marriott Co. Financial, Interval Leisure Group, or Martiz Websites. These are separate companies and legal entities. Marriott employees and vendors are encouraged to participate in the Program, but they are not eligible for bounty payments.\n\n#Submission Requirements\nThe following outlines the key requirements for Submissions. All supporting evidence should only be stored within the Submission; you are prohibited from hosting files on your own device or on external hosting services. Failure to adhere to the minimum guidelines for Submissions may result in a reduced reward. Please provide as part of the Submission:\n\n•\tA detailed summary of the exploit or chain of exploits, including: (i) type of issue; (ii) validation of company that owns the asset (this can be done via WHOIS records by emailing: domain.administrator@marriott.com); (iii) product, version and configuration, where applicable; and (iv) list of impacted assets (i.e. websites, applications, software, etc). \n•\tProof of the vulnerability (i.e. 
through screenshots, screen captures, etc).\n•\tSuggested mitigation or remediation actions.\n•\tYour IP address, the dates you identified the potential vulnerability and performed testing, the web browser, testing tools, and mobile app version used during testing.\n\n#Program Terms\nResearchers will not be deemed to be in breach of applicable Marriott provisions or terms which may prohibit copying, reverse engineering, modifying, and other prohibitions related to Marriott data, assets, services or other property if Researchers comply fully with this Policy and all actions are performed as good-faith security research. Specifically, Researchers must adhere to the following Program terms:\n\n•\tResearchers may not deliberately disrupt, compromise or otherwise damage assets, accounts, devices, services or other property owned, controlled or provided by Marriott, its partners, customers, employees, franchisees, vendors or other party directly or indirectly affiliated with Marriott. This includes a prohibition on: (i) downloading, copying, disclosing, destroying, altering, or using any proprietary, confidential or other data belonging to Marriott or others; and (ii) hacking, penetrating, uploading viruses or backdoors or attempting to gain access to Marriott applications, systems or data in violation of this Policy.\n•\tResearchers may not engage in social engineering (i.e. 
phishing) or denial-of-service attacks.\n•\tResearchers may not brute-force or guess credentials to gain access; change passwords of any account that is not the Researcher's account or that the Researcher does not have explicit permission to change; or mass create accounts to perform testing.\n•\tResearchers must comply with all applicable laws.\n•\tResearchers must immediately stop all activity and notify Marriott, through HackerOne, if Researchers:\no\tAccess any personal or confidential data related to Marriott, or its customers, employees, or other affiliated parties, or otherwise the data or accounts of others, except when Researchers have been provided express permission to access such accounts; Researchers should not use or disclose the data without the express permission of Marriott; or\no\tInadvertently disrupt or compromise any Marriott service or the service of a Marriott affiliate.\n\n# Out-of-Scope Activities\n\nThe following may be considered out of scope and may be marked informative and/or not eligible for payment:\n ***POSTMAN Basic and Professional related API credential leaks will not be rewarded but will be accepted as we work to resolve the known issue internally*** (February 29, 2024)\n•\tZero Days, Common Vulnerabilities and Exposures\no\tSecurity flaws that have had an official patch for less than 30 days from the date of patch availability will not be eligible for bounty payments.\no\tSecurity flaws that have had updates available for between 30 and 60 days will be paid at 50% of total eligibility.\no\tSecurity flaws that have had updates available for more than 60 days will be paid at 100% of total eligibility.\n\n•\tWeb Cache Poisoning, Reflected XSS, UI redressing via custom .html files\n•\tReports from credentials exposed by other data breaches or known credential lists\n•\tReports from automated tools or scans\n•\tAssets located at any Marriott properties or third-party vendors for properties\n•\tMissing best practices in SSL/TLS 
configuration\n•\tClickjacking on pages with no sensitive actions\n•\tAny activity that is intended to disrupt our service (DoS)\n•\tCRLF that requires user interaction (i.e. clicking on a link from a phishing email)\n•\tAttacks requiring MITM or physical access to a user's device\n•\tOpen redirect issues without linking to other credential leakage or some other compromise\n•\tUse of outdated software versions\n•\tContent spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n#Rewards\nRewards are calculated based on the CVSS score assigned to the Submission and are at the sole discretion of Marriott. Marriott aims for consistent rewards, but previous reports or reward amounts should not be considered a precedent and should not be used to negotiate a higher reward. Recipients of rewards are responsible for the payment of all applicable taxes. Marriott may be prohibited from issuing a reward if the reporter is: (i) a citizen or resident of an embargoed country; or (ii) on the US Treasury Department list of Specially Designated Nationals or the US Department of Commerce Denied Persons or Entity List, or any other restricted party list.\n\n#Response Times\nMarriott understands the importance of the efforts of Researchers reporting vulnerabilities, as they regularly make valuable contributions to Marriott and the broader community. We take each Submission seriously and will investigate and take appropriate steps to resolve reported vulnerabilities. 
Marriott will use its best efforts to meet the following timelines related to Submissions and to keep reporters informed throughout the process:\n\n\n| Marriott Response | Estimated Response Time| \n|----------|--------------------|\n|  First Response | 2 days | \n| Time to Triage   | 5 days |\n| Time to  Bounty   | 20 days |\n|  Time to Resolution   | Depends on severity and complexity |\n\n#Confidentiality and Disclosure\n\nUnless expressly provided in writing by Marriott, all Submissions and related information must be kept confidential and may not be shared outside of the Program. For the protection of our customers, Marriott does not publicly disclose, discuss or confirm security matters before comprehensively investigating, diagnosing and fixing any known issues. Marriott does not permit any public disclosure about the Program or Submissions. Do not discuss or write about any potential, current or resolved vulnerabilities without express consent from Marriott. \n\nThank you for helping protect Marriott’s systems, data and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-02-29T18:23:31.016Z"},{"id":3709704,"new_policy":"#Welcome to the Marriott Bug Bounty Program\nMarriott takes cybersecurity seriously. Individuals that participate in the Program by responsibly researching (\"Researchers\") and reporting vulnerabilities help us to ensure the security and privacy of our customers and data.\n\nThis Policy, and the  HackerOne Community Member Terms and Conditions and Code of Conduct, apply to your participation in Marriott’s Bug Bounty program (the \"Program\"). To the extent this Policy conflicts with any HackerOne policy, terms, rules or guidelines, this Policy will govern. 
When you submit a potential vulnerability report through HackerOne (\"Submission\"), you acknowledge that you have read and agreed to this Policy. Marriott may revise this Policy or terminate the Program at any time. You should check this site regularly for updates to our Program terms and eligibility, which are effective upon posting. Researchers must be at least 18 years of age to be eligible for a reward under the Program.\n\nThis Policy only applies to the entities listed above. It does not apply to: Marriott Vacations Worldwide, Ritz Carlton Yacht Club, Yacht Collection Marriott Vacations Clubs, Vistana, Interval International, Marriott Co. Financial, Interval Leisure Group, or Martiz Websites. These are separate companies and legal entities. Marriott employees and vendors are encouraged to participate in the Program, but they are not eligible for bounty payments.\n\n#Submission Requirements\nThe following outlines the key requirements for Submissions. All supporting evidence should only be stored within the Submission; you are prohibited from hosting files on your own device or on external hosting services. Failure to adhere to the minimum guidelines for Submissions may result in a reduced reward. Please provide as part of the Submission:\n\n•\tA detailed summary of the exploit or chain of exploits, including: (i) type of issue; (ii) validation of company that owns the asset (this can be done via WHOIS records by emailing: domain.administrator@marriott.com); (iii) product, version and configuration, where applicable; and (iv) list of impacted assets (i.e. websites, applications, software, etc). \n•\tProof of the vulnerability (i.e. 
through screenshots, screen captures, etc).\n•\tSuggested mitigation or remediation actions.\n•\tYour IP address, the dates you identified the potential vulnerability and performed testing, the web browser, testing tools, and mobile app version used during testing.\n\n#Program Terms\nResearchers will not be deemed to be in breach of applicable Marriott provisions or terms which may prohibit copying, reverse engineering, modifying, and other prohibitions related to Marriott data, assets, services or other property if Researchers comply fully with this Policy and all actions are performed as good-faith security research. Specifically, Researchers must adhere to the following Program terms:\n\n•\tResearchers may not deliberately disrupt, compromise or otherwise damage assets, accounts, devices, services or other property owned, controlled or provided by Marriott, its partners, customers, employees, franchisees, vendors or other party directly or indirectly affiliated with Marriott. This includes a prohibition on: (i) downloading, copying, disclosing, destroying, altering, or using any proprietary, confidential or other data belonging to Marriott or others; and (ii) hacking, penetrating, uploading viruses or backdoors or attempting to gain access to Marriott applications, systems or data in violation of this Policy.\n•\tResearchers may not engage in social engineering (i.e. 
phishing) or denial of service attacks.\n•\tResearchers may not brute-force or guess credentials to gain access; change passwords of any account that is not Researcher's account or that Researcher does not have explicit permission to change; or mass create accounts to perform testing.\n•\tResearchers must comply with all applicable laws.\n•\tResearchers must immediately stop all activity and notify Marriott, through HackerOne, if Researchers:\no\tAccess any personal or confidential data related to Marriott, or its customers, employees, or other affiliated parties, or otherwise the data or accounts of others, except when Researchers have been provided express permission to access such accounts; Researchers should not use or disclose the data without the express permission of Marriott; or\no\tInadvertently disrupt or compromise any Marriott service or the service of a Marriott affiliate.\n\n# Out-of-Scope Activities\n\nThe following may be considered out of scope and may be marked informative and/or not eligible for payment:\n\n•\tZero Days, Common Vulnerabilities and Exposures\no\tSecurity flaws that have an official patch for less than 30 days from the date of patch availability will not be eligible for bounty payments.\no\tSecurity flaws that have updates available between 30-60 days will be paid at 50% total eligibility.\no\tSecurity flaws with updates available for more than 60 days will be paid at 100% total eligibility.\n\n•\tWeb Cache Poisoning, Reflected XSS, UI redressing via custom .html files\n•\tReports from credentials exposed by other data breaches or known credential lists\n•\tReports from automated tools or scans\n•\tAssets located at any Marriott properties or third-party vendors for properties\n•\tMissing best practices in SSL/TLS configuration\n•\tClickjacking on pages with no sensitive actions\n•\tAny activity that is intended to disrupt our service (DoS)\n•\tCRLF that requires user interaction (i.e. 
clicking on a link from a phishing email)\n•\tAttacks requiring MITM or physical access to a user's device\n•\tOpen redirect issues without linking to other credential leakage or some other compromise\n•\tUse of outdated software versions\n•\tContent spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n#Rewards\nRewards are calculated based on the CVSS score assigned to the Submission and are at the sole discretion of Marriott. Marriott aims for consistent rewards, but previous reports or reward amounts should not be considered a precedent and should not be used to negotiate a higher reward. Recipients of rewards are responsible for the payment of all applicable taxes. Marriott may be prohibited from issuing a reward if the reporter is: (i) a citizen or resident of an embargoed country; or (ii) on the US Treasury Department list of Specially Designated Nationals or the US Department of Commerce Denied Persons or Entity List, or any other restricted party list.\n\n#Response Times\nMarriott understands the importance of the efforts of Researchers reporting vulnerabilities, as they regularly make valuable contributions to Marriott and the broader community. We take each Submission seriously and will investigate and take appropriate steps to resolve reported vulnerabilities. Marriott will use its best efforts to meet the following timelines related to Submissions and to keep reporters informed throughout the process:\n\n\n| Marriott Response | Estimated Response Time| \n|----------|--------------------|\n|  First Response | 2 days | \n| Time to Triage   | 5 days |\n| Time to Bounty   | 20 days |\n|  Time to Resolution   | Depends on severity and complexity |\n\n#Confidentiality and Disclosure\n\nUnless expressly provided in writing by Marriott, all Submissions and related information must be kept confidential and may not be shared outside of the Program. 
For the protection of our customers, Marriott does not publicly disclose, discuss or confirm security matters before comprehensively investigating, diagnosing and fixing any known issues. Marriott does not permit any public disclosure about the Program or Submissions. Do not discuss or write about any potential, current or resolved vulnerabilities without express consent from Marriott. \n\nThank you for helping protect Marriott’s systems, data and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-12-20T19:53:46.010Z"},{"id":3709695,"new_policy":"#Welcome to the Marriott Bug Bounty Program\n\nMarriott takes cybersecurity seriously. Individuals that participate in the Program by responsibly researching (\"Researchers\") and reporting vulnerabilities help us to ensure the security and privacy of our customers and data.\nThis Policy, and the HackerOne Finder Terms and Conditions and Code of Conduct, apply to your participation in Marriott’s Bug Bounty program (the \"Program\"). To the extent this Policy conflicts with any HackerOne policy, terms, rules or guidelines, this Policy will govern. When you submit a potential vulnerability report through HackerOne (\"Submission\"), you acknowledge that you have read and agreed to this Policy. Marriott may revise this Policy or terminate the Program at any time. You should check this site regularly for updates to our Program terms and eligibility, which are effective upon posting. Researchers must be at least 18 years of age to be eligible for a reward under the Program.\n\nThis Policy only applies to the entities listed above. 
It does not apply to: Marriott Vacations Worldwide, Ritz Carlton Yacht Club, Yacht Collection Marriott Vacations Clubs, Vistana, Interval International, Marriott Co. Financial, Interval Leisure Group, or Martiz Websites. These are separate companies and legal entities. Marriott employees and vendors are not eligible to participate in the Program.\n\n#Submission Requirements\nThe following outlines the key requirements for Submissions. All supporting evidence should only be stored within the Submission; you are prohibited from hosting files on your own device or on external hosting services. Failure to adhere to the minimum guidelines for Submissions may result in a reduced reward. Please provide as part of the Submission:\n\n•\tA detailed summary of the exploit or chain of exploits, including (i) type of issue; (ii) validation of company that owns the asset (this can be done via WHOIS records by emailing: domain.administrator@marriott.com); (iii) product, version and configuration, where applicable; and (iv) list of impacted assets (i.e. websites, applications, software, etc). \n•\tProof of the vulnerability (i.e. through screenshots, screen captures, etc).\n•\tSuggested mitigation or remediation actions.\n•\tYour IP address, the dates you identified the potential vulnerability and performed testing,  the web browser, testing tools, and mobile app version used during testing.\n\n#Program Terms\nResearchers will not be deemed to be in breach of applicable Marriott provisions or terms which may prohibit copying, reverse engineering, modifying, and other prohibitions related to Marriott data, assets, services or other property if Researchers comply fully with this Policy and all actions are performed as good-faith security research. 
Specifically, Researchers must adhere to the following Program terms:\n\n•\tResearchers may not disrupt, compromise or otherwise damage assets, accounts, devices, services or other property owned, controlled or provided by Marriott, its partners, customers, employees, franchisees, vendors or other party directly or indirectly affiliated with Marriott. This includes a prohibition on: (i) downloading, copying, disclosing, destroying, altering, or using any proprietary, confidential or other data belonging to Marriott or others; and (ii) hacking, penetrating, uploading viruses or backdoors or attempting to gain access to Marriott applications, systems or data in violation of this Policy.\n•\tResearchers may not engage in social engineering (i.e. phishing) or denial of service attacks.\n•\tResearchers may not brute-force or guess credentials to gain access; change passwords of any account that is not Researcher's account or that Researcher does not have explicit permission to change; or mass create accounts to perform testing.\n•\tResearchers must comply with all applicable laws.\n•\tResearchers must immediately stop all activity and notify Marriott, through HackerOne, and agree to assist Marriott as needed, if Researchers:\no\tAccess any personal or confidential data related to Marriott, or its customers, employees, or other affiliated parties, or otherwise the data or accounts of others, except when Researchers have been provided express permission to access such accounts; Researchers should not use or disclose the data without the express permission of Marriott; or\no\tDisrupt or compromise any Marriott service or the service of a Marriott affiliate.\n\n#Out-of-Scope Activities \n\nThe following may be considered out of scope and will be marked informative and/or not eligible for payment. 
\n\n•\tWeb Cache Poisoning, Reflected XSS, UI redressing via custom .html files\n•\tReports from credentials exposed by other data breaches or known credential lists\n•\tReports from automated tools or scans\n•\tAssets located at any Marriott properties or third-party vendors for properties\n•\tMissing best practices in SSL/TLS configuration\n•\tClickjacking on pages with no sensitive actions\n•\tAny activity that could lead to the disruption of our services (DoS)\n•\tCRLF that requires user interaction (i.e. clicking on a link from a phishing email)\n•\tAttacks requiring MITM or physical access to a user's device\n•\tOpen redirect issues without linking to other credential leakage or some other compromise\n•\tUse of outdated software versions\n•\tContent spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n#Rewards\nRewards are calculated based on the CVSS score assigned to the Submission and are at the sole discretion of Marriott. Marriott aims for consistent rewards, but previous reports or reward amounts should not be considered a precedent and should not be used to negotiate a higher reward. Recipients of rewards are responsible for the payment of all applicable taxes. Marriott may be prohibited from issuing a reward if the reporter is: (i) a citizen or resident of an embargoed country; or (ii) on the US Treasury Department list of Specially Designated Nationals or the US Department of Commerce Denied Persons or Entity List, or any other restricted party list.\n\n#Response Times\nMarriott understands the importance of the efforts of Researchers reporting vulnerabilities, as they regularly make valuable contributions to Marriott and the broader community. We take each Submission seriously and will investigate and take appropriate steps to resolve reported vulnerabilities. 
Marriott will use its best efforts to meet the following timelines related to Submissions and to keep reporters informed throughout the process:\n\n# Marriott CVE Policy\n* Security flaws that have an official patch for less than 30 days from the date of patch availability will not be eligible for bounty payments.\n* Security flaws that have updates available between 30-60 days will be paid at 50% total eligibility.\n* Security flaws with updates available for more than 60 days will be paid at 100% total eligibility.\n\n| Type of Response | Estimated SLA in business days | \n|----------|--------------------|\n|  First Response | 2 days | \n| Time to Triage   | 5 days |\n| Time to Bounty   | 15 days |\n|  Time to Resolution   | Depends on severity and complexity |\n\n#Confidentiality and Disclosure\n\nUnless expressly provided in writing by Marriott, all Submissions and related information must be kept confidential and may not be shared outside of the Program. For the protection of our customers, Marriott does not publicly disclose, discuss or confirm security matters before comprehensively investigating, diagnosing and fixing any known issues. Marriott does not permit any public disclosure about the Program or Submissions. Do not discuss or write about any potential, current or resolved vulnerabilities without express consent from Marriott. 
\n\nThank you for helping protect Marriott’s systems, data and customers.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-12-20T19:11:25.716Z"},{"id":3709694,"new_policy":"The Marriott Group, which includes Marriott International, Inc., Starwood Hotels and Resorts Worldwide, LLC, and each of their affiliates (collectively, \"Marriott\") may provide rewards to eligible reporters of qualifying vulnerabilities.  To accurately gauge eligibility and reward amounts, Marriott will consider the application affected, how easily or likely the vulnerability could be exploited, and the overall security impact of the issue.\n\n•\tMarriott reserves the right to determine eligibility. It is in Marriott's sole discretion to determine if a vulnerability meets the minimum severity threshold and whether it was previously reported or known by Marriott.\n•\tMarriott reserves the right to determine the severity of the vulnerability and the corresponding reward amount. \n•\tRewards are granted entirely at the discretion of Marriott.\n\n#Welcome to the Marriott Bug Bounty Program\n\nMarriott takes cybersecurity seriously. Individuals that participate in the Program by responsibly researching (\"Researchers\") and reporting vulnerabilities help us to ensure the security and privacy of our customers and data.\nThis Policy, and the HackerOne Finder Terms and Conditions and Code of Conduct, apply to your participation in Marriott’s Bug Bounty program (the \"Program\"). To the extent this Policy conflicts with any HackerOne policy, terms, rules or guidelines, this Policy will govern. When you submit a potential vulnerability report through HackerOne (\"Submission\"), you acknowledge that you have read and agreed to this Policy. 
Marriott may revise this Policy or terminate the Program at any time. You should check this site regularly for updates to our Program terms and eligibility, which are effective upon posting. Researchers must be at least 18 years of age to be eligible for a reward under the Program.\n\nThis Policy only applies to the entities listed above. It does not apply to: Marriott Vacations Worldwide, Ritz Carlton Yacht Club, Yacht Collection Marriott Vacations Clubs, Vistana, Interval International, Marriott Co. Financial, Interval Leisure Group, or Martiz Websites. These are separate companies and legal entities. Marriott employees and vendors are not eligible to participate in the Program.\n\n#Submission Requirements\nThe following outlines the key requirements for Submissions. All supporting evidence should only be stored within the Submission; you are prohibited from hosting files on your own device or on external hosting services. Failure to adhere to the minimum guidelines for Submissions may result in a reduced reward. Please provide as part of the Submission:\n\n•\tA detailed summary of the exploit or chain of exploits, including (i) type of issue; (ii) validation of company that owns the asset (this can be done via WHOIS records by emailing: domain.administrator@marriott.com); (iii) product, version and configuration, where applicable; and (iv) list of impacted assets (i.e. websites, applications, software, etc). \n•\tProof of the vulnerability (i.e. 
through screenshots, screen captures, etc).\n•\tSuggested mitigation or remediation actions.\n•\tYour IP address, the dates you identified the potential vulnerability and performed testing, the web browser, testing tools, and mobile app version used during testing.\n\n#Program Terms\nResearchers will not be deemed to be in breach of applicable Marriott provisions or terms which may prohibit copying, reverse engineering, modifying, and other prohibitions related to Marriott data, assets, services or other property if Researchers comply fully with this Policy and all actions are performed as good-faith security research. Specifically, Researchers must adhere to the following Program terms:\n\n•\tResearchers may not disrupt, compromise or otherwise damage assets, accounts, devices, services or other property owned, controlled or provided by Marriott, its partners, customers, employees, franchisees, vendors or other party directly or indirectly affiliated with Marriott. This includes a prohibition on: (i) downloading, copying, disclosing, destroying, altering, or using any proprietary, confidential or other data belonging to Marriott or others; and (ii) hacking, penetrating, uploading viruses or backdoors or attempting to gain access to Marriott applications, systems or data in violation of this Policy.\n•\tResearchers may not engage in social engineering (i.e. 
phishing) or denial of service attacks.\n•\tResearchers may not brute-force or guess credentials to gain access; change passwords of any account that is not Researcher's account or that Researcher does not have explicit permission to change; or mass create accounts to perform testing.\n•\tResearchers must comply with all applicable laws.\n•\tResearchers must immediately stop all activity and notify Marriott, through HackerOne, and agree to assist Marriott as needed, if Researchers:\no\tAccess any personal or confidential data related to Marriott, or its customers, employees, or other affiliated parties, or otherwise the data or accounts of others, except when Researchers have been provided express permission to access such accounts; Researchers should not use or disclose the data without the express permission of Marriott; or\no\tDisrupt or compromise any Marriott service or the service of a Marriott affiliate.\n\n#Out-of-Scope Activities \n\nThe following may be considered out of scope and will be marked informative and/or not eligible for payment. \n\n•\tWeb Cache Poisoning, Reflected XSS, UI redressing via custom .html files\n•\tReports from credentials exposed by other data breaches or known credential lists\n•\tReports from automated tools or scans\n•\tAssets located at any Marriott properties or third-party vendors for properties\n•\tMissing best practices in SSL/TLS configuration\n•\tClickjacking on pages with no sensitive actions\n•\tAny activity that could lead to the disruption of our services (DoS)\n•\tCRLF that requires user interaction (i.e. 
clicking on a link from a phishing email)\n•\tAttacks requiring MITM or physical access to a user's device\n•\tOpen redirect issues without linking to other credential leakage or some other compromise\n•\tUse of outdated software versions\n•\tContent spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n#Rewards\nRewards are calculated based on the CVSS score assigned to the Submission and are at the sole discretion of Marriott. Marriott aims for consistent rewards, but previous reports or reward amounts should not be considered a precedent and should not be used to negotiate a higher reward. Recipients of rewards are responsible for the payment of all applicable taxes. Marriott may be prohibited from issuing a reward if the reporter is: (i) a citizen or resident of an embargoed country; or (ii) on the US Treasury Department list of Specially Designated Nationals or the US Department of Commerce Denied Persons or Entity List, or any other restricted party list.\n\n#Response Times\nMarriott understands the importance of the efforts of Researchers reporting vulnerabilities, as they regularly make valuable contributions to Marriott and the broader community. We take each Submission seriously and will investigate and take appropriate steps to resolve reported vulnerabilities. 
Marriott will use its best efforts to meet the following timelines related to Submissions and to keep reporters informed throughout the process:\n\n# Marriott CVE Policy\n* Security flaws that have an official patch for less than 30 days from the date of patch availability will not be eligible for bounty payments.\n* Security flaws that have updates available between 30-60 days will be paid at 50% total eligibility.\n* Security flaws with updates available for more than 60 days will be paid at 100% total eligibility.\n\n| Type of Response | Estimated SLA in business days | \n|----------|--------------------|\n|  First Response | 2 days | \n| Time to Triage   | 5 days |\n| Time to Bounty   | 15 days |\n|  Time to Resolution   | Depends on severity and complexity |\n\n#Confidentiality and Disclosure\n\nUnless expressly provided in writing by Marriott, all Submissions and related information must be kept confidential and may not be shared outside of the Program. For the protection of our customers, Marriott does not publicly disclose, discuss or confirm security matters before comprehensively investigating, diagnosing and fixing any known issues. Marriott does not permit any public disclosure about the Program or Submissions. Do not discuss or write about any potential, current or resolved vulnerabilities without express consent from Marriott. \n\nThank you for helping protect Marriott’s systems, data and customers.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-12-20T19:08:05.995Z"},{"id":3709108,"new_policy":"# Welcome to the Marriott Bug Bounty program. 
\nThe Marriott Group, which includes Marriott International, Inc., Starwood Hotels \u0026 Resorts Worldwide, LLC, and their affiliates (collectively, Marriott) takes cybersecurity seriously.  The responsible disclosure of potential vulnerabilities by this community helps us to ensure the security and privacy of our customers and data.  \n\nExcept as modified by these terms of Marriott’s bounty program, the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and [Code of Conduct](https://www.hackerone.com/policies/code-of-conduct) apply to your participation in Marriott’s bounty program.  By submitting a potential vulnerability report (Submission), you acknowledge that you have read and agreed to the terms of Marriott’s program (Program Terms).  Marriott may revise the Program Terms or terminate the bounty program at any time.  Marriott’s bounty program intakes bugs discovered by members of the cybersecurity community. Researchers' identities and vulnerability details are not disclosed.\n \n\n# Submission Requirements\n\n1.\tA detailed summary of \"one\" exploit or \"chain\" of exploits, including type of issue; company that owns the asset via WHOIS records; product; version; and configuration of any software, as appropriate;\n2.\tProof of the vulnerability [screenshots/screen captures];\n3.\tSuggested mitigation or remediation actions;\n4.\tList of affected external components, websites, apps, SaaS environments, etc.;\n5.\tIt would also help the process go quicker if you provide your IP address, the dates you were performing testing [if not already apparent in your screenshot proof], the web browser, testing tools, and mobile app version used during testing. \n\n*Validate WHOIS registration data to make sure that the technical abuse contact is domain.administrator@marriott.com. This confirms that Marriott controls the domain. 
\n\n* Please do not test assets represented by CityExpress, Marriott Vacations Worldwide, Ritz Carlton Yacht Club or Yacht Collection, Marriott Vacations Clubs, Vistana, Interval International, Marriott Co Financial, Interval Leisure Group, and Martiz Websites.  These are separate legal entities. \n\n* All supporting evidence must be stored only within the report you submit or on your local device. Do not host any files on external hosting services. \n\nNOTE: Failure to adhere to these minimum professional guidelines for submitting a report will result in a reduced reward.  Multiple occurrences or locations of the same vulnerability in an asset caused by one underlying component fault [outdated software, misconfigured software, etc] will be awarded one bounty.\n\n\n\n# Marriott CVE Policy\n* Security flaws that have an official patch for less than 30 days from the date of patch availability will not be eligible for bounty payments.\n* Security flaws that have updates available between 30-60 days will be paid at 50% total eligibility.\n* Security flaws with updates available for more than 60 days will be paid at 100% total eligibility.\n\n# Out of Scope - These will be marked informative and/or not be issued payment.\n* Web Cache Poisoning, Reflected XSS, UI Redressing via custom .html files\n* Other Marriott Owned \n* Leaked Credentials\n* Assets located at any of our properties or 3rd party vendors for properties.\n* Missing best practices in SSL/TLS configuration.\n* Clickjacking on pages with no sensitive actions.\n* Any activity that could lead to the disruption of our service (DoS).\n* CRLF that requires user interaction, i.e., clicking on a link from a phishing email\n* Attacks requiring MITM or physical access to a user's device.\n* Open redirect issues without linking to other credential leakage or some other compromise.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n#What You Can Expect From 
Us\nWe take every submission seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like Marriott and the broader Internet community.  We will investigate every submission and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible.  \nMarriott will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:\n\n| Type of Response | Estimated SLA in business days | \n|----------|--------------------|\n|  First Response | 2 days | \n| Time to Triage   | 5 days |\n| Time to  Bounty   | 20 days |\n|  Time to Resolution   | depends on severity and complexity | 2 -90 business days \n\nResearchers will be kept informed about our progress throughout the process.\n\n# Disclaimers/Prohibited Activities\nFor the avoidance of doubt, the following activities are expressly prohibited:\n\n•\tDownloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential Marriott data or data belonging to Marriott’s business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party (other than your own) directly or indirectly affiliated with Marriott (collectively, Marriott Data);\n\n•\tHacking, penetrating, or otherwise attempting to gain unauthorized access to Marriott applications, systems, or Marriott Data in violation of the Program Terms or applicable laws;\n \n•\tEngaging in any social engineering (e.g. phishing, vishing, smishing) or denial of service testing;\n\n•\tMass creation of accounts to perform testing against Marriott applications and services;\n\n•\tConducting physical attacks against any Marriott assets (e.g. 
any equipment within and Marriott facilities themselves, such as hotel locks, etc.); and \n\n•\tDisrupting or otherwise adversely affecting Marriott’s business, the operation of any Marriott applications or systems, or the use and protection of Marriott Data.  \n\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n* Validation of credentials is prohibited.\n\nMarriott reserves all rights and potential claims with respect to any such prohibited activities.  \n\n\n# Confidentiality\nUnless Marriott provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the Marriott program, including discussions related to our program or any vulnerabilities (even if resolved).\n\n# Disclosure Policy\n* While this is a public program, Marriott does not allow for any form of public disclosure at this time. Please do not discuss or write about any vulnerabilities (even resolved ones) outside of the program without express consent from Marriott.\n* If you publicly disclose any vulnerability information without explicit permission from Marriott, any safe harbor terms will not apply.\n* The terms in this policy supersede any conflicting HackerOne rules, guidelines, and terms.\n\n\nThank you for helping to protect Marriott’s systems and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-12-11T16:49:38.407Z"},{"id":3703930,"new_policy":"# Welcome to the Marriott Bug Bounty program. 
\nThe Marriott Group, which includes Marriott International, Inc., Starwood Hotels \u0026 Resorts Worldwide, LLC, and their affiliates (collectively, Marriott) takes cybersecurity seriously. The responsible disclosure of potential vulnerabilities by this community helps us to ensure the security and privacy of our customers and data.\n\nExcept as modified by these terms of Marriott’s bounty program, the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and [Code of Conduct](https://www.hackerone.com/policies/code-of-conduct) apply to your participation in Marriott’s bounty program. By submitting a potential vulnerability report (Submission), you acknowledge that you have read and agreed to the terms of Marriott’s program (Program Terms). Marriott may revise the Program Terms or terminate the bounty program at any time. Marriott’s bounty program accepts reports of bugs discovered by members of the cybersecurity community. Researchers' identities and vulnerability details are not disclosed.\n\n# Submission Requirements\n\n1.\tA detailed summary of one exploit, or one chain of exploits, including: type of issue; the company that owns the asset, as shown by WHOIS records; product; version; and configuration of any software, as appropriate;\n2.\tProof of the vulnerability (screenshots/screen captures);\n3.\tSuggested mitigation or remediation actions;\n4.\tList of affected external components, websites, apps, SaaS environments, etc.;\n5.\tIt also speeds up the process if you provide your IP address, the dates on which you were testing (if not already apparent in your screenshot proof), and the web browser, testing tools, and mobile app version used during testing.\n\n* Validate the WHOIS registration data to confirm that the technical or abuse contact is domain.administrator@marriott.com. This confirms that Marriott controls the domain. 
\n\n* Please do not test assets owned by Marriott Vacations Worldwide, Ritz Carlton Yacht Club or Yacht Collection, Marriott Vacations Clubs, Vistana, Interval International, Marriott Co Financial, Interval Leisure Group, and Martiz Websites. These are separate companies and legal entities.\n\n* All supporting evidence must be stored only within the report you submit or on your local device. Do not host any files on external hosting services.\n\nNOTE: Failure to adhere to these minimum professional guidelines for submitting a report will result in a reduced reward. Multiple occurrences or locations of the same vulnerability in an asset caused by one underlying component fault (outdated software, misconfigured software, etc.) will be awarded one bounty.\n\n# Marriott CVE Policy\n* Security flaws whose official patch has been available for less than 30 days will not be eligible for bounty payments.\n* Security flaws whose patch has been available for 30-60 days will be paid at 50% of the eligible bounty.\n* Security flaws whose patch has been available for more than 60 days will be paid at 100% of the eligible bounty.\n\n# Out of Scope - These will be marked informative and/or not be issued payment.\n* Web Cache Poisoning, Reflected XSS, and UI Redressing via custom .html files\n* Other Marriott Owned Devices\n* Leaked Credentials\n* Assets located at any of our properties or at 3rd party vendors for properties.\n* Missing best practices in SSL/TLS configuration.\n* Clickjacking on pages with no sensitive actions.\n* Any activity that could lead to the disruption of our service (DoS).\n* CRLF injection that requires user interaction, i.e. clicking on a link from a phishing email.\n* Attacks requiring MITM or physical access to a user's device.\n* Open redirect issues not chained to credential leakage or some other compromise.\n* Content spoofing and text injection issues without a demonstrated attack vector (i.e. without being able to modify HTML/CSS).\n\n# What You Can Expect From Us\nWe 
take every submission seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like Marriott and the broader Internet community. We will investigate every submission and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible.\n\nMarriott will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:\n\n| Type of Response | Estimated SLA in business days |\n|----------|--------------------|\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 20 days |\n| Time to Resolution | 2-90 days, depending on severity and complexity |\n\nResearchers will be kept informed about our progress throughout the process.\n\n# Disclaimers/Prohibited Activities\nFor the avoidance of doubt, the following activities are expressly prohibited:\n\n•\tDownloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential Marriott data or data belonging to Marriott’s business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party (other than your own) directly or indirectly affiliated with Marriott (collectively, Marriott Data);\n\n•\tHacking, penetrating, or otherwise attempting to gain unauthorized access to Marriott applications, systems, or Marriott Data in violation of the Program Terms or applicable laws;\n\n•\tEngaging in any social engineering (e.g. phishing, vishing, smishing) or denial of service testing;\n\n•\tMass creation of accounts to perform testing against Marriott applications and services;\n\n•\tConducting physical attacks against any Marriott assets (e.g. 
any equipment within Marriott facilities, or the facilities themselves, such as hotel locks); and\n\n•\tDisrupting or otherwise adversely affecting Marriott’s business, the operation of any Marriott applications or systems, or the use and protection of Marriott Data.\n\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n* Validation of credentials is prohibited.\n\nMarriott reserves all rights and potential claims with respect to any such prohibited activities.\n\n# Confidentiality\nUnless Marriott provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the Marriott program, including discussions related to our program or any vulnerabilities (even if resolved).\n\n# Disclosure Policy\n* While this is a public program, Marriott does not allow any form of public disclosure at this time. Please do not discuss or write about any vulnerabilities (even resolved ones) outside of the program without express consent from Marriott.\n* If you publicly disclose any vulnerability information without explicit permission from Marriott, any safe harbor terms will not apply.\n* The terms in this policy supersede any conflicting HackerOne rules, guidelines, and terms.\n\nThank you for helping to protect Marriott’s systems and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-09-28T16:25:19.762Z"},{"id":3684236,"new_policy":"# Welcome to the Marriott Bug Bounty program. 
\nThe Marriott Group, which includes Marriott International, Inc., Starwood Hotels \u0026 Resorts Worldwide, LLC, and their affiliates (collectively, Marriott) takes cybersecurity seriously. The responsible disclosure of potential vulnerabilities by this community helps us to ensure the security and privacy of our customers and data.\n\nExcept as modified by these terms of Marriott’s bounty program, the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and [Code of Conduct](https://www.hackerone.com/policies/code-of-conduct) apply to your participation in Marriott’s bounty program. By submitting a potential vulnerability report (Submission), you acknowledge that you have read and agreed to the terms of Marriott’s program (Program Terms). Marriott may revise the Program Terms or terminate the bounty program at any time. Marriott’s bounty program accepts reports of bugs discovered by members of the cybersecurity community. Researchers' identities and vulnerability details are not disclosed.\n\n# Submission Requirements\n\n1.\tA detailed summary of one exploit, or one chain of exploits, including: type of issue; the company that owns the asset, as shown by WHOIS records; product; version; and configuration of any software, as appropriate;\n2.\tProof of the vulnerability (screenshots/screen captures);\n3.\tSuggested mitigation or remediation actions;\n4.\tList of affected external components, websites, apps, SaaS environments, etc.;\n5.\tIt also speeds up the process if you provide your IP address, the dates on which you were testing (if not already apparent in your screenshot proof), and the web browser, testing tools, and mobile app version used during testing.\n\n* Validate the WHOIS registration data to confirm that the technical or abuse contact is domain.administrator@marriott.com. This confirms that Marriott controls the domain. 
\n\n* Please do not test assets owned by Marriott Vacations Worldwide, Ritz Carlton Yacht Club or Yacht Collection, Marriott Vacations Clubs, Vistana, Interval International, Marriott Co Financial, Interval Leisure Group, and Martiz Websites. These are separate companies and legal entities.\n\n* All supporting evidence must be stored only within the report you submit or on your local device. Do not host any files on external hosting services.\n\nNOTE: Failure to adhere to these minimum professional guidelines for submitting a report will result in a reduced reward. Multiple occurrences or locations of the same vulnerability in an asset caused by one underlying component fault (outdated software, misconfigured software, etc.) will be awarded one bounty.\n\n# Marriott CVE Policy\n* Security flaws whose official patch has been available for less than 30 days will not be eligible for bounty payments.\n* Security flaws whose patch has been available for 30-60 days will be paid at 50% of the eligible bounty.\n* Security flaws whose patch has been available for more than 60 days will be paid at 100% of the eligible bounty.\n\n# Out of Scope - These will be marked informative and/or not be issued payment.\n* Web Cache Poisoning, Reflected XSS, and UI Redressing via custom .html files\n* Other Marriott Owned Devices\n* Assets located at any of our properties or at 3rd party vendors for properties.\n* Missing best practices in SSL/TLS configuration.\n* Clickjacking on pages with no sensitive actions.\n* Any activity that could lead to the disruption of our service (DoS).\n* CRLF injection that requires user interaction, i.e. clicking on a link from a phishing email.\n* Attacks requiring MITM or physical access to a user's device.\n* Open redirect issues not chained to credential leakage or some other compromise.\n* Content spoofing and text injection issues without a demonstrated attack vector (i.e. without being able to modify HTML/CSS).\n\n# What You Can Expect From Us\nWe take every submission 
seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like Marriott and the broader Internet community. We will investigate every submission and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible.\n\nMarriott will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:\n\n| Type of Response | Estimated SLA in business days |\n|----------|--------------------|\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 20 days |\n| Time to Resolution | 2-90 days, depending on severity and complexity |\n\nResearchers will be kept informed about our progress throughout the process.\n\n# Disclaimers/Prohibited Activities\nFor the avoidance of doubt, the following activities are expressly prohibited:\n\n•\tDownloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential Marriott data or data belonging to Marriott’s business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party (other than your own) directly or indirectly affiliated with Marriott (collectively, Marriott Data);\n\n•\tHacking, penetrating, or otherwise attempting to gain unauthorized access to Marriott applications, systems, or Marriott Data in violation of the Program Terms or applicable laws;\n\n•\tEngaging in any social engineering (e.g. phishing, vishing, smishing) or denial of service testing;\n\n•\tMass creation of accounts to perform testing against Marriott applications and services;\n\n•\tConducting physical attacks against any Marriott assets (e.g. 
any equipment within Marriott facilities, or the facilities themselves, such as hotel locks); and\n\n•\tDisrupting or otherwise adversely affecting Marriott’s business, the operation of any Marriott applications or systems, or the use and protection of Marriott Data.\n\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n* Validation of credentials is prohibited.\n\nMarriott reserves all rights and potential claims with respect to any such prohibited activities.\n\n# Confidentiality\nUnless Marriott provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the Marriott program, including discussions related to our program or any vulnerabilities (even if resolved).\n\n# Disclosure Policy\n* While this is a public program, Marriott does not allow any form of public disclosure at this time. Please do not discuss or write about any vulnerabilities (even resolved ones) outside of the program without express consent from Marriott.\n* If you publicly disclose any vulnerability information without explicit permission from Marriott, any safe harbor terms will not apply.\n* The terms in this policy supersede any conflicting HackerOne rules, guidelines, and terms.\n\nThank you for helping to protect Marriott’s systems and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-03-03T14:59:43.439Z"},{"id":3684235,"new_policy":"# Welcome to the Marriott Bug Bounty program. 
\nThe Marriott Group, which includes Marriott International, Inc., Starwood Hotels \u0026 Resorts Worldwide, LLC, and their affiliates (collectively, Marriott) takes cybersecurity seriously. The responsible disclosure of potential vulnerabilities by this community helps us to ensure the security and privacy of our customers and data.\n\nExcept as modified by these terms of Marriott’s bounty program, the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and [Code of Conduct](https://www.hackerone.com/policies/code-of-conduct) apply to your participation in Marriott’s bounty program. By submitting a potential vulnerability report (Submission), you acknowledge that you have read and agreed to the terms of Marriott’s program (Program Terms). Marriott may revise the Program Terms or terminate the bounty program at any time. Marriott’s bounty program accepts reports of bugs discovered by members of the cybersecurity community. Researchers' identities and vulnerability details are not disclosed.\n\n# Submission Requirements\n\n1.\tA detailed summary of one exploit, or one chain of exploits, including: type of issue; the company that owns the asset, as shown by WHOIS records; product; version; and configuration of any software, as appropriate;\n2.\tProof of the vulnerability (screenshots/screen captures);\n3.\tSuggested mitigation or remediation actions;\n4.\tList of affected external components, websites, apps, SaaS environments, etc.;\n5.\tIt also speeds up the process if you provide your IP address, the dates on which you were testing (if not already apparent in your screenshot proof), and the web browser, testing tools, and mobile app version used during testing.\n\nNOTE: Failure to adhere to these minimum professional guidelines for submitting a report will result in a reduced reward. 
\n\n# Marriott CVE Policy\n* Security flaws whose official patch has been available for less than 30 days will not be eligible for bounty payments.\n* Security flaws whose patch has been available for 30-60 days will be paid at 50% of the eligible bounty.\n* Security flaws whose patch has been available for more than 60 days will be paid at 100% of the eligible bounty.\n\n# Out of Scope - These will be marked informative and/or not be issued payment.\n* Web Cache Poisoning, Reflected XSS, and UI Redressing via custom .html files\n* Other Marriott Owned Devices\n* Assets located at any of our properties or at 3rd party vendors for properties.\n* Missing best practices in SSL/TLS configuration.\n* Clickjacking on pages with no sensitive actions.\n* Any activity that could lead to the disruption of our service (DoS).\n* CRLF injection that requires user interaction, i.e. clicking on a link from a phishing email.\n* Attacks requiring MITM or physical access to a user's device.\n* Open redirect issues not chained to credential leakage or some other compromise.\n* Content spoofing and text injection issues without a demonstrated attack vector (i.e. without being able to modify HTML/CSS).\n\n# Additional Guidelines for Submission\n\n* Validate the WHOIS registration data to confirm that the technical or abuse contact is domain.administrator@marriott.com. This confirms that Marriott controls the domain.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Please do not test assets owned by Marriott Vacations Worldwide, Ritz Carlton Yacht Club or Yacht Collection, Marriott Vacations Clubs, Vistana, Interval International, Marriott Co Financial, Interval Leisure Group, and Martiz Websites. These are separate companies and legal entities. 
\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n# What You Can Expect From Us\nWe take every submission seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like Marriott and the broader Internet community. We will investigate every submission and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible.\n\nMarriott will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:\n\n| Type of Response | Estimated SLA in business days |\n|----------|--------------------|\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 20 days |\n| Time to Resolution | 2-90 days, depending on severity and complexity |\n\nResearchers will be kept informed about our progress throughout the process.\n\n# Disclaimers/Prohibited Activities\nFor the avoidance of doubt, the following activities are expressly prohibited:\n\n•\tDownloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential Marriott data or data belonging to Marriott’s business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party (other than your own) directly or indirectly affiliated with Marriott (collectively, Marriott Data);\n\n•\tHacking, penetrating, or otherwise attempting to gain unauthorized access to Marriott applications, systems, or Marriott Data in violation of the Program Terms or applicable laws;\n\n•\tEngaging in any social engineering (e.g. 
phishing, vishing, smishing) or denial of service testing;\n\n•\tMass creation of accounts to perform testing against Marriott applications and services;\n\n•\tConducting physical attacks against any Marriott assets (e.g. any equipment within Marriott facilities, or the facilities themselves, such as hotel locks); and\n\n•\tDisrupting or otherwise adversely affecting Marriott’s business, the operation of any Marriott applications or systems, or the use and protection of Marriott Data.\n\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n* Validation of credentials is prohibited.\n\nMarriott reserves all rights and potential claims with respect to any such prohibited activities.\n\n# Confidentiality\nUnless Marriott provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the Marriott program, including discussions related to our program or any vulnerabilities (even if resolved).\n\n# Disclosure Policy\n* While this is a public program, Marriott does not allow any form of public disclosure at this time. 
Please do not discuss or write about any vulnerabilities (even resolved ones) outside of the program without express consent from Marriott.\n* If you publicly disclose any vulnerability information without explicit permission from Marriott, any safe harbor terms will not apply.\n* The terms in this policy supersede any conflicting HackerOne rules, guidelines, and terms.\n\nThank you for helping to protect Marriott’s systems and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-03-03T14:53:52.409Z"},{"id":3682269,"new_policy":"# Welcome to the Marriott Bug Bounty program. \nThe Marriott Group, which includes Marriott International, Inc., Starwood Hotels \u0026 Resorts Worldwide, LLC, and their affiliates (collectively, Marriott) takes cybersecurity seriously. The responsible disclosure of potential vulnerabilities by this community helps us to ensure the security and privacy of our customers and data.\n\nExcept as modified by these terms of Marriott’s bounty program, the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and [Code of Conduct](https://www.hackerone.com/policies/code-of-conduct) apply to your participation in Marriott’s bounty program. By submitting a potential vulnerability report (Submission), you acknowledge that you have read and agreed to the terms of Marriott’s program (Program Terms). Marriott may revise the Program Terms or terminate the bounty program at any time. Marriott’s bounty program accepts reports of bugs discovered by members of the cybersecurity community. 
Researchers' identities and vulnerability details are not disclosed.\n\n# Submission Requirements\n\n1.\tA detailed summary of the vulnerability, including: type of issue; location; product; version; and configuration of any software, as appropriate;\n\n2.\tEstimated severity and/or impact of the issue, if any;\n\n3.\tSuggested mitigation or remediation actions, if appropriate; and\n\n4.\tThe report must not contain results from automated scanners.\n\n# Marriott CVE Policy\n* Security flaws whose official patch has been available for less than 30 days will not be eligible for bounty payments.\n* Security flaws whose patch has been available for 30-60 days will be paid at 50% of the eligible bounty.\n* Security flaws whose patch has been available for more than 60 days will be paid at 100% of the eligible bounty.\n\n# Out of Scope - These will be marked informative and/or not be issued payment.\n* Web Cache Poisoning, Reflected XSS, and UI Redressing via custom .html files\n* Other Marriott Owned Devices\n* Assets located at any of our properties or at 3rd party vendors for properties.\n* Missing best practices in SSL/TLS configuration.\n* Clickjacking on pages with no sensitive actions.\n* Any activity that could lead to the disruption of our service (DoS).\n* CRLF injection that requires user interaction, i.e. clicking on a link from a phishing email.\n* Attacks requiring MITM or physical access to a user's device.\n* Open redirect issues not chained to credential leakage or some other compromise.\n* Content spoofing and text injection issues without a demonstrated attack vector (i.e. without being able to modify HTML/CSS).\n\n# Program Rules\n\n* Validate the WHOIS registration data to confirm that the technical or abuse contact is domain.administrator@marriott.com. This confirms that Marriott controls the domain.\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Please do not test assets owned by Marriott Vacations Worldwide, Marriott Vacations Clubs, Vistana, Interval International, Marriott Co Financial, Interval Leisure Group and Martiz Websites.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n* Validation of credentials is prohibited.\n\n# What You Can Expect From Us\nWe take every submission seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like Marriott and the broader Internet community. We will investigate every submission and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible. 
\nMarriott will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:\n\n| Type of Response | Estimated SLA in business days |\n|----------|--------------------|\n| First Response | 2 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 20 days |\n| Time to Resolution | depends on severity and complexity |\n\nResearchers will be kept informed about our progress throughout the process.\n\n# Disclaimers/Prohibited Activities\nFor the avoidance of doubt, the following activities are expressly prohibited:\n\n•\tDownloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential Marriott data or data belonging to Marriott’s business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party (other than your own) directly or indirectly affiliated with Marriott (collectively, Marriott Data);\n\n•\tHacking, penetrating, or otherwise attempting to gain unauthorized access to Marriott applications, systems, or Marriott Data in violation of the Program Terms or applicable laws;\n\n•\tEngaging in any social engineering (e.g. phishing, vishing, smishing) or denial of service testing;\n\n•\tMass creation of accounts to perform testing against Marriott applications and services;\n\n•\tConducting physical attacks against any Marriott assets (e.g. any equipment within Marriott facilities, or the facilities themselves, such as hotel locks); and\n\n•\tDisrupting or otherwise adversely affecting Marriott’s business, the operation of any Marriott applications or systems, or the use and protection of Marriott Data.\n\nMarriott reserves all rights and potential claims with respect to any such prohibited activities. 
\n\n# Confidentiality\nUnless Marriott provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the Marriott program, including discussions related to our program or any vulnerabilities (even if resolved).\n\n# Disclosure Policy\n* While this is a public program, Marriott does not allow any form of public disclosure at this time. Please do not discuss or write about any vulnerabilities (even resolved ones) outside of the program without express consent from Marriott.\n* If you publicly disclose any vulnerability information without explicit permission from Marriott, any safe harbor terms will not apply.\n* The terms in this policy supersede any conflicting HackerOne rules, guidelines, and terms.\n\nThank you for helping to protect Marriott’s systems and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-01-20T09:09:13.548Z"},{"id":3682156,"new_policy":"# Welcome to the Marriott Bug Bounty program. \nThe Marriott Group, which includes Marriott International, Inc., Starwood Hotels \u0026 Resorts Worldwide, LLC, and their affiliates (collectively, Marriott) takes cybersecurity seriously. The responsible disclosure of potential vulnerabilities by this community helps us to ensure the security and privacy of our customers and data.\n\nExcept as modified by these terms of Marriott’s bounty program, the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and [Code of Conduct](https://www.hackerone.com/policies/code-of-conduct) apply to your participation in Marriott’s bounty program. 
By submitting a potential vulnerability report (Submission), you acknowledge that you have read and agreed to the terms of Marriott’s program (Program Terms). Marriott may revise the Program Terms or terminate the bounty program at any time. Marriott’s bounty program accepts reports of bugs discovered by members of the cybersecurity community. Researchers' identities and vulnerability details are not disclosed.\n\n# Submission Requirements\n\n1.\tA detailed summary of the vulnerability, including: type of issue; location; product; version; and configuration of any software, as appropriate;\n\n2.\tEstimated severity and/or impact of the issue, if any;\n\n3.\tSuggested mitigation or remediation actions, if appropriate; and\n\n4.\tThe report must not contain results from automated scanners.\n\n# Marriott CVE Policy\n* Security flaws whose official patch has been available for less than 30 days will not be eligible for bounty payments.\n* Security flaws whose patch has been available for 30-60 days will be paid at 50% of the eligible bounty.\n* Security flaws whose patch has been available for more than 60 days will be paid at 100% of the eligible bounty.\n\n# Out of Scope - These will be marked informative and/or not be issued payment.\n* Web Cache Poisoning, Reflected XSS, and UI Redressing via custom .html files\n* Other Marriott Owned Devices\n* Assets located at any of our properties or at 3rd party vendors for properties.\n* Missing best practices in SSL/TLS configuration.\n* Clickjacking on pages with no sensitive actions.\n* Any activity that could lead to the disruption of our service (DoS).\n* CRLF injection that requires user interaction, i.e. clicking on a link from a phishing email.\n* Attacks requiring MITM or physical access to a user's device.\n* Open redirect issues not chained to credential leakage or some other compromise.\n* Content spoofing and text injection issues without a demonstrated attack vector (i.e. without being able to modify HTML/CSS).\n\n# Program 
Rules\n\n* Validate WHOIS registration data to make sure that the technical abuse contact is domain.administrator@marriott.com. This shows for sure that we control the domain. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Please do not test assets owned by Marriott Vacations Worldwide, Marriott Vacations Clubs, Vistana, Interval International, Marriott Co Financial, Interval Leisure Group and Martiz Websites. \n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Validation of credentials is prohibited.\n\n\n#What You Can Expect From Us\nWe take every submission seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like Marriott and the broader Internet community.  We will investigate every submission and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible.  
\nMarriott will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:\n\n| Type of Response | Estimated SLA in business days | \n|----------|--------------------|\n|  First Response | 2 days | \n| Time to Triage   | 5 days |\n| Time to  Bounty   | 20 days |\n|  Time to Resolution   | depends on severity and complexity |\n\nResearchers will be kept informed about our progress throughout the process.\n\n# Disclaimers/Prohibited Activities\nFor the avoidance of doubt, the following activities are expressly prohibited:\n\n•\tDownloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential Marriott data or data belonging to Marriott’s business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party (other than your own) directly or indirectly affiliated with Marriott (collectively, Marriott Data);\n\n•\tHacking, penetrating, or otherwise attempting to gain unauthorized access to Marriott applications, systems, or Marriott Data in violation of the Program Terms or applicable laws;\n \n•\tEngaging in any social engineering (e.g. phishing, vishing, smishing) or denial of service testing;\n\n•\tMass creation of accounts to perform testing against Marriott applications and services;\n\n•\tConducting physical attacks against any Marriott assets (e.g. any equipment within and Marriott facilities themselves, such as hotel locks, etc.); and \n\n•\tDisrupting or otherwise adversely affecting Marriott’s business, the operation of any Marriott applications or systems, or the use and protection of Marriott Data.  \n\nMarriott reserves all rights and potential claims with respect to any such prohibited activities.  
\n\n\n# Confidentiality\nUnless Marriott provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the Marriott program, including discussions related to our program or any vulnerabilities (even if resolved).\n\n# Disclosure Policy\n* While this is a public program, Marriott does not allow for any form of public disclosure at this time. Please do not discuss or write about any vulnerabilities (even resolved ones) outside of the program without express consent from Marriott.\n* If you publicly disclose any vulnerability information without explicit permission from Marriott, any safe harbor terms will not apply.\n* The terms in this policy supersede any conflicting HackerOne rules, guidelines, and terms.\n\n\nThank you for helping to protect Marriott’s systems and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-01-18T21:21:05.901Z"},{"id":3681844,"new_policy":"# Welcome to the Marriott Bug Bounty program. \nThe Marriott Group, which includes Marriott International, Inc., Starwood Hotels \u0026 Resorts Worldwide, LLC, and their affiliates (collectively, Marriott) takes cybersecurity seriously.  The responsible disclosure of potential vulnerabilities by this community helps us to ensure the security and privacy of our customers and data.  \n\nExcept as modified by these terms of Marriott’s bounty program, the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and [Code of Conduct](https://www.hackerone.com/policies/code-of-conduct) apply to your participation in Marriott’s bounty program.  
By submitting a potential vulnerability report (Submission), you acknowledge that you have read and agreed to the terms of Marriott’s program (Program Terms).  Marriott may revise the Program Terms or terminate the bounty program at any time.  Marriott’s bounty program intakes bugs discovered by members of the cybersecurity community. Researchers' identities and vulnerability details are not disclosed.\n \n\n# Submission Requirements\n\n1.\tA detailed summary of the vulnerability, including: type of issue; location; product; version; and configuration of any software, as appropriate; \n\n2.\tEstimated severity and/or impact of the issue, if any;\n\n3.\tSuggested mitigation or remediation actions, if appropriate; and \n\n4.\tReport must not contain results from automated scanners\n\n\n# Marriott CVE Policy\n* Security flaws that have an official patch for less than 30 days from the date of patch availability will not be eligible for bounty payments.\n* Security flaws that have updates available between 30-60 days will be paid at 50% total eligibility.\n* Security flaws with updates available for more than 60 will be paid at 100% total eligibility.\n\n# Out of Scope - These will be marked informative and/or not be issued payment.\n*** Web Cache Poisoning - Reflected XSS  - UI Redressing via custom .html files\n* Other Marriott Owned Devices  - Assets located at any of our properties or 3rd party vendors for properties.\n* Missing best practices in SSL/TLS configuration.\n* Clickjacking on pages with no sensitive actions.\n* Any activity that could lead to the disruption of our service (DoS).\n* CRLF that requires user interaction ie, clicking on a link from a phishing email\n* Attacks requiring MITM or physical access to a user's device.\n* Open Re-direct Issues without linking to other credential leakage or some other compromise.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n\n# Program 
Rules\n\n* Validate WHOIS registration data to make sure that the technical abuse contact is domain.administrator@marriott.com. This shows for sure that we control the domain. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Please do not test assets owned by Marriott Vacations Worldwide, Marriott Vacations Clubs, Vistana, Interval International, Marriott Co Financial, Interval Leisure Group and Martiz Websites. \n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Validation of credentials is prohibited.\n\n\n#What You Can Expect From Us\nWe take every submission seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like Marriott and the broader Internet community.  We will investigate every submission and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible.  
\nMarriott will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:\n\n| Type of Response | Estimated SLA in business days | \n|----------|--------------------|\n|  First Response | 2 days | \n| Time to Triage   | 5 days |\n| Time to  Bounty   | 20 days |\n|  Time to Resolution   | depends on severity and complexity |\n\nResearchers will be kept informed about our progress throughout the process.\n\n# Disclaimers/Prohibited Activities\nFor the avoidance of doubt, the following activities are expressly prohibited:\n\n•\tDownloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential Marriott data or data belonging to Marriott’s business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party (other than your own) directly or indirectly affiliated with Marriott (collectively, Marriott Data);\n\n•\tHacking, penetrating, or otherwise attempting to gain unauthorized access to Marriott applications, systems, or Marriott Data in violation of the Program Terms or applicable laws;\n \n•\tEngaging in any social engineering (e.g. phishing, vishing, smishing) or denial of service testing;\n\n•\tMass creation of accounts to perform testing against Marriott applications and services;\n\n•\tConducting physical attacks against any Marriott assets (e.g. any equipment within and Marriott facilities themselves, such as hotel locks, etc.); and \n\n•\tDisrupting or otherwise adversely affecting Marriott’s business, the operation of any Marriott applications or systems, or the use and protection of Marriott Data.  \n\nMarriott reserves all rights and potential claims with respect to any such prohibited activities.  
\n\n\n# Confidentiality\nUnless Marriott provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the Marriott program, including discussions related to our program or any vulnerabilities (even if resolved).\n\n# Disclosure Policy\n* While this is a public program, Marriott does not allow for any form of public disclosure at this time. Please do not discuss or write about any vulnerabilities (even resolved ones) outside of the program without express consent from Marriott.\n* If you publicly disclose any vulnerability information without explicit permission from Marriott, any safe harbor terms will not apply.\n* The terms in this policy supersede any conflicting HackerOne rules, guidelines, and terms.\n\n\nThank you for helping to protect Marriott’s systems and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-01-10T16:25:53.129Z"},{"id":3681563,"new_policy":"# Welcome to the Marriott Bug Bounty program. \nThe Marriott Group, which includes Marriott International, Inc., Starwood Hotels \u0026 Resorts Worldwide, LLC, and their affiliates (collectively, Marriott) takes cybersecurity seriously.  The responsible disclosure of potential vulnerabilities by this community helps us to ensure the security and privacy of our customers and data.  \n\nExcept as modified by these terms of Marriott’s bounty program, the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and [Code of Conduct](https://www.hackerone.com/policies/code-of-conduct) apply to your participation in Marriott’s bounty program.  
By submitting a potential vulnerability report (Submission), you acknowledge that you have read and agreed to the terms of Marriott’s program (Program Terms).  Marriott may revise the Program Terms or terminate the bounty program at any time.  Marriott’s bounty program intakes bugs discovered by members of the cybersecurity community. Researchers' identities and vulnerability details are not disclosed.\n \n\n# Submission Requirements\n\n1.\tA detailed summary of the vulnerability, including: type of issue; location; product; version; and configuration of any software, as appropriate; \n\n2.\tEstimated severity and/or impact of the issue, if any;\n\n3.\tSuggested mitigation or remediation actions, if appropriate; and \n\n4.\tReport must not contain results from automated scanners\n\n\n# Marriott CVE Policy\n* Security flaws that have an official patch for less than 30 days from the date of patch availability will not be eligible for bounty payments.\n* Security flaws that have updates available between 30-60 days will be paid at 50% total eligibility.\n* Security flaws with updates available for more than 60 will be paid at 100% total eligibility.\n\n# Out of Scope - These will be marked informative and/or not be issued payment.\n\n*****From 12/29/2022 until further notice, all domains are out of scope except www.marriott.com*****\n\n*** Web Cache Poisoning -Reflected XSS  - UI Redressing via custom .html files\n\n* Other Marriott-owned devices  - Assets located at any of our hotels, condos, apartments, or convention centers\n* Missing best practices in SSL/TLS configuration.\n* Clickjacking on pages with no sensitive actions.\n* Any activity that could lead to the disruption of our service (DoS).\n* CRLF that requires user interaction ie, clicking on a link from a phishing email\n* Attacks requiring MITM or physical access to a user's device.\n* Open Re-direct Issues without linking to other credential leakage or some other compromise.\n* Content spoofing and text 
injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n\n# Program Rules\n\n* Validate WHOIS registration data to make sure that the technical abuse contact is domain.administrator@marriott.com. This shows for sure that we control the domain. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Please do not test assets owned by Marriott Vacations Worldwide, Marriott Vacations Clubs, Vistana, Interval International, Marriott Co Financial, Interval Leisure Group and Martiz Websites. \n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n* Validation of credentials is prohibited.\n\n\n#What You Can Expect From Us\nWe take every submission seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like Marriott and the broader Internet community.  We will investigate every submission and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible.  
\nMarriott will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:\n\n| Type of Response | Estimated SLA in business days | \n|----------|--------------------|\n|  First Response | 2 days | \n| Time to Triage   | 5 days |\n| Time to  Bounty   | 20 days |\n|  Time to Resolution   | depends on severity and complexity |\n\nResearchers will be kept informed about our progress throughout the process.\n\n# Disclaimers/Prohibited Activities\nFor the avoidance of doubt, the following activities are expressly prohibited:\n\n•\tDownloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential Marriott data or data belonging to Marriott’s business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party (other than your own) directly or indirectly affiliated with Marriott (collectively, Marriott Data);\n\n•\tHacking, penetrating, or otherwise attempting to gain unauthorized access to Marriott applications, systems, or Marriott Data in violation of the Program Terms or applicable laws;\n \n•\tEngaging in any social engineering (e.g. phishing, vishing, smishing) or denial of service testing;\n\n•\tMass creation of accounts to perform testing against Marriott applications and services;\n\n•\tConducting physical attacks against any Marriott assets (e.g. any equipment within and Marriott facilities themselves, such as hotel locks, etc.); and \n\n•\tDisrupting or otherwise adversely affecting Marriott’s business, the operation of any Marriott applications or systems, or the use and protection of Marriott Data.  \n\nMarriott reserves all rights and potential claims with respect to any such prohibited activities.  
\n\n\n# Confidentiality\nUnless Marriott provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the Marriott program, including discussions related to our program or any vulnerabilities (even if resolved).\n\n# Disclosure Policy\n* While this is a public program, Marriott does not allow for any form of public disclosure at this time. Please do not discuss or write about any vulnerabilities (even resolved ones) outside of the program without express consent from Marriott.\n* If you publicly disclose any vulnerability information without explicit permission from Marriott, any safe harbor terms will not apply.\n* The terms in this policy supersede any conflicting HackerOne rules, guidelines, and terms.\n\n\nThank you for helping to protect Marriott’s systems and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-12-30T03:14:38.454Z"},{"id":3680101,"new_policy":"# Welcome to the Marriott Bug Bounty program. \nThe Marriott Group, which includes Marriott International, Inc., Starwood Hotels \u0026 Resorts Worldwide, LLC, and their affiliates (collectively, Marriott) takes cybersecurity seriously.  The responsible disclosure of potential vulnerabilities by this community helps us to ensure the security and privacy of our customers and data.  \n\nExcept as modified by these terms of Marriott’s bounty program, the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and [Code of Conduct](https://www.hackerone.com/policies/code-of-conduct) apply to your participation in Marriott’s bounty program.  
By submitting a potential vulnerability report (Submission), you acknowledge that you have read and agreed to the terms of Marriott’s program (Program Terms).  Marriott may revise the Program Terms or terminate the bounty program at any time.  Marriott’s bounty program intakes bugs discovered by members of the cybersecurity community. Researchers' identities and vulnerability details are not disclosed.\n \n\n# Submission Requirements\n\n1.\tA detailed summary of the vulnerability, including: type of issue; location; product; version; and configuration of any software, as appropriate; \n\n2.\tEstimated severity and/or impact of the issue, if any;\n\n3.\tSuggested mitigation or remediation actions, if appropriate; and \n\n4.\tReport must not contain results from automated scanners\n\n\n# Marriott CVE Policy\n* Security flaws that have an official patch for less than 30 days from the date of patch availability will not be eligible for bounty payments.\n* Security flaws that have updates available between 30-60 days will be paid at 50% total eligibility.\n* Security flaws with updates available for more than 60 will be paid at 100% total eligibility.\n\n# Out of Scope - These will be marked informative and/or not be issued payment.\n\n* Please do not test assets owned by Marriott Vacations Worldwide, Marriott Vacations Clubs,  Vistana, Interval International, Marriott Co Financial, Interval Leisure Group and Martiz Websites. \n*** Web Cache Poisoning - We are aware of a misconfiguration in our CDN . 
We will fix by February and then continue allowing submissions of this type.\n***Reflected XSS on *.marriott.com because it generally requires user interaction [phishing] or specially crafted html files\n* UI Redressing via custom .html files\n* Other Marriott-owned devices  - Assets located at any of our hotels, condos, apartments, or convention centers\n* Missing best practices in SSL/TLS configuration.\n* Clickjacking on pages with no sensitive actions.\n* Any activity that could lead to the disruption of our service (DoS).\n* CRLF that requires user interaction ie, clicking on a link from a phishing email\n* Attacks requiring MITM or physical access to a user's device.\n* Open Re-direct Issues without linking to other credential leakage or some other compromise.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n\n# Program Rules\n* Validate WHOIS registration data to make sure that the technical abuse contact is domain.administrator@marriott.com. This shows for sure that we control the domain. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* Validation of credentials is prohibited.\n\n\n#What You Can Expect From Us\nWe take every submission seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like Marriott and the broader Internet community.  We will investigate every submission and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible.  \nMarriott will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:\n\n| Type of Response | Estimated SLA in business days | \n|----------|--------------------|\n|  First Response | 2 days | \n| Time to Triage   | 5 days |\n| Time to  Bounty   | 20 days |\n|  Time to Resolution   | depends on severity and complexity |\n\nResearchers will be kept informed about our progress throughout the process.\n\n# Disclaimers/Prohibited Activities\nFor the avoidance of doubt, the following activities are expressly prohibited:\n\n•\tDownloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential Marriott data or data belonging to Marriott’s business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party (other than your own) directly or indirectly affiliated with Marriott (collectively, Marriott Data);\n\n•\tHacking, penetrating, or otherwise attempting to gain unauthorized access to Marriott applications, systems, or Marriott Data in violation of the Program Terms or applicable laws;\n \n•\tEngaging in any social engineering (e.g. phishing, vishing, smishing) or denial of service testing;\n\n•\tMass creation of accounts to perform testing against Marriott applications and services;\n\n•\tConducting physical attacks against any Marriott assets (e.g. 
any equipment within and Marriott facilities themselves, such as hotel locks, etc.); and \n\n•\tDisrupting or otherwise adversely affecting Marriott’s business, the operation of any Marriott applications or systems, or the use and protection of Marriott Data.  \n\nMarriott reserves all rights and potential claims with respect to any such prohibited activities.  \n\n\n# Confidentiality\nUnless Marriott provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the Marriott program, including discussions related to our program or any vulnerabilities (even if resolved).\n\n# Disclosure Policy\n* While this is a public program, Marriott does not allow for any form of public disclosure at this time. Please do not discuss or write about any vulnerabilities (even resolved ones) outside of the program without express consent from Marriott.\n* If you publicly disclose any vulnerability information without explicit permission from Marriott, any safe harbor terms will not apply.\n* The terms in this policy supersede any conflicting HackerOne rules, guidelines, and terms.\n\n\nThank you for helping to protect Marriott’s systems and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-11-18T14:47:33.342Z"},{"id":3676289,"new_policy":"# Welcome to the Marriott Bug Bounty program. \nThe Marriott Group, which includes Marriott International, Inc., Starwood Hotels \u0026 Resorts Worldwide, LLC, and their affiliates (collectively, Marriott) takes cybersecurity seriously.  The responsible disclosure of potential vulnerabilities by this community helps us to ensure the security and privacy of our customers and data.  
\n\nExcept as modified by these terms of Marriott’s bounty program, the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and [Code of Conduct](https://www.hackerone.com/policies/code-of-conduct) apply to your participation in Marriott’s bounty program.  By submitting a potential vulnerability report (Submission), you acknowledge that you have read and agreed to the terms of Marriott’s program (Program Terms).  Marriott may revise the Program Terms or terminate the bounty program at any time.  Marriott’s bounty program intakes bugs discovered by members of the cybersecurity community. Researchers' identities and vulnerability details are not disclosed.\n \n\n# Submission Requirements\n\n1.\tA detailed summary of the vulnerability, including: type of issue; location; product; version; and configuration of any software, as appropriate; \n\n2.\tEstimated severity and/or impact of the issue, if any;\n\n3.\tSuggested mitigation or remediation actions, if appropriate; and \n\n4.\tReport must not contain results from automated scanners\n\n\n# Marriott CVE Policy\n* Security flaws that have an official patch for less than 30 days from the date of patch availability will not be eligible for bounty payments.\n* Security flaws that have updates available between 30-60 days will be paid at 50% total eligibility.\n* Security flaws with updates available for more than 60 will be paid at 100% total eligibility.\n\n\n# CVE-2021-44228 and related Log4j vulnerabilities\n* Marriott will begin rewarding eligible reports at 25% total beginning December 27, 2021\n* Marriott will begin rewarding eligible reports at 100%  total beginning January 31, 2022\n\n\n\n# Out of Scope - These will be marked informative and/or not be issued payment.\n\n* Please do not test assets owned by Marriott Vacations Worldwide, Marriott Vacations Clubs,  Vistana, Interval International, Marriott Co Financial, Interval Leisure Group and Martiz Websites. 
\n*** Web Cache Poisoning - We are aware of a misconfiguration in our CDN . We will fix by February and then continue allowing submissions of this type.\n***Reflected XSS on *.marriott.com because it generally requires user interaction [phishing] or specially crafted html files\n* UI Redressing via custom .html files\n* Other Marriott-owned devices  - Assets located at any of our hotels, condos, apartments, or convention centers\n* Missing best practices in SSL/TLS configuration.\n* Clickjacking on pages with no sensitive actions.\n* Any activity that could lead to the disruption of our service (DoS).\n* CRLF that requires user interaction ie, clicking on a link from a phishing email\n* Attacks requiring MITM or physical access to a user's device.\n* Open Re-direct Issues without linking to other credential leakage or some other compromise.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n\n# Program Rules\n*Validate WHOIS registration data to make sure that technical abuse contacts is domain.administrator@marriott.com. This shows for sure that we control the domain. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* Validation of credentials is prohibited.\n\n\n#What You Can Expect From Us\nWe take every submission seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like Marriott and the broader Internet community.  We will investigate every submission and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible.  \nMarriott will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:\n\n| Type of Response | Estimated SLA in business days | \n|----------|--------------------|\n|  First Response | 2 days | \n| Time to Triage   | 5 days |\n| Time to  Bounty   | 20 days |\n|  Time to Resolution   | depends on severity and complexity |\n\nResearchers will be kept informed about our progress throughout the process.\n\n# Disclaimers/Prohibited Activities\nFor the avoidance of doubt, the following activities are expressly prohibited:\n\n•\tDownloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential Marriott data or data belonging to Marriott’s business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party (other than your own) directly or indirectly affiliated with Marriott (collectively, Marriott Data);\n\n•\tHacking, penetrating, or otherwise attempting to gain unauthorized access to Marriott applications, systems, or Marriott Data in violation of the Program Terms or applicable laws;\n \n•\tEngaging in any social engineering (e.g. phishing, vishing, smishing) or denial of service testing;\n\n•\tMass creation of accounts to perform testing against Marriott applications and services;\n\n•\tConducting physical attacks against any Marriott assets (e.g. 
any equipment within and Marriott facilities themselves, such as hotel locks, etc.); and \n\n•\tDisrupting or otherwise adversely affecting Marriott’s business, the operation of any Marriott applications or systems, or the use and protection of Marriott Data.  \n\nMarriott reserves all rights and potential claims with respect to any such prohibited activities.  \n\n\n# Confidentiality\nUnless Marriott provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the Marriott program, including discussions related to our program or any vulnerabilities (even if resolved).\n\n# Disclosure Policy\n* While this is a public program, Marriott does not allow for any form of public disclosure at this time. Please do not discuss or write about any vulnerabilities (even resolved ones) outside of the program without express consent from Marriott.\n* If you publicly disclose any vulnerability information without explicit permission from Marriott, any safe harbor terms will not apply.\n* The terms in this policy supersede any conflicting HackerOne rules, guidelines, and terms.\n\n\nThank you for helping to protect Marriott’s systems and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-08-18T19:35:15.276Z"},{"id":3672276,"new_policy":"# Welcome to the Marriott Bug Bounty program. \nThe Marriott Group, which includes Marriott International, Inc., Starwood Hotels \u0026 Resorts Worldwide, LLC, and their affiliates (collectively, Marriott) takes cybersecurity seriously.  The responsible disclosure of potential vulnerabilities by this community helps us to ensure the security and privacy of our customers and data.  
\n\nExcept as modified by these terms of Marriott’s bounty program, the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and [Code of Conduct](https://www.hackerone.com/policies/code-of-conduct) apply to your participation in Marriott’s bounty program.  By submitting a potential vulnerability report (Submission), you acknowledge that you have read and agreed to the terms of Marriott’s program (Program Terms).  Marriott may revise the Program Terms or terminate the bounty program at any time.  Marriott’s bounty program intakes bugs discovered by members of the cybersecurity community. Researchers' identities and vulnerability details are not disclosed.\n \n\n# Submission Requirements\n\n1.\tA detailed summary of the vulnerability, including: type of issue; location; product; version; and configuration of any software, as appropriate; \n\n2.\tEstimated severity and/or impact of the issue, if any;\n\n3.\tSuggested mitigation or remediation actions, if appropriate; and \n\n4.\tReport must not contain results from automated scanners\n\n\n# Marriott CVE Policy\n* Security flaws that have an official patch for less than 30 days from the date of patch availability will not be eligible for bounty payments.\n* Security flaws that have updates available between 30-60 days will be paid at 50% total eligibility.\n* Security flaws with updates available for more than 60 will be paid at 100% total eligibility.\n\n\n# CVE-2021-44228 and related Log4j vulnerabilities\n* Marriott will begin rewarding eligible reports at 25% total beginning December 27, 2021\n* Marriott will begin rewarding eligible reports at 100%  total beginning January 31, 2022\n\n\n\n# Out of Scope - These will be marked informative \n\n* Please do not test assets owned by Marriott Vacations Worldwide, Marriott Vacations Clubs,  Vistana, Interval International, Marriott Co Financial, Interval Leisure Group and Martiz Websites. 
\n*** Web Cache Poisoning - We are aware of a misconfiguration in our CDN . We will fix by February and then continue allowing submissions of this type.\n***Reflected XSS on *.marriott.com because generally require user interaction[phishing] or specially crafted html files\n* UI Redressing via custom .html files\n* Other Marriott-owned devices  - Assets located at any of our hotels, condos, apartments, or convention centers\n* Missing best practices in SSL/TLS configuration.\n* Clickjacking on pages with no sensitive actions.\n* Any activity that could lead to the disruption of our service (DoS).\n* CRLF that requires user interaction ie, clicking on a link from a phishing email\n* Attacks requiring MITM or physical access to a user's device.\n* Open Re-direct Issues without linking to other credential leakage or some other compromise.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n\n# Program Rules\n*Validate WHOIS registration data to make sure that technical abuse contacts is domain.administrator@marriott.com. This shows for sure that we control the domain. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* Validation of credentials is prohibited.\n\n\n#What You Can Expect From Us\nWe take every submission seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like Marriott and the broader Internet community.  We will investigate every submission and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible.  \nMarriott will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:\n\n| Type of Response | Estimated SLA in business days | \n|----------|--------------------|\n|  First Response | 2 days | \n| Time to Triage   | 5 days |\n| Time to  Bounty   | 20 days |\n|  Time to Resolution   | depends on severity and complexity |\n\nResearchers will be kept informed about our progress throughout the process.\n\n# Disclaimers/Prohibited Activities\nFor the avoidance of doubt, the following activities are expressly prohibited:\n\n•\tDownloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential Marriott data or data belonging to Marriott’s business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party (other than your own) directly or indirectly affiliated with Marriott (collectively, Marriott Data);\n\n•\tHacking, penetrating, or otherwise attempting to gain unauthorized access to Marriott applications, systems, or Marriott Data in violation of the Program Terms or applicable laws;\n \n•\tEngaging in any social engineering (e.g. phishing, vishing, smishing) or denial of service testing;\n\n•\tMass creation of accounts to perform testing against Marriott applications and services;\n\n•\tConducting physical attacks against any Marriott assets (e.g. 
any equipment within and Marriott facilities themselves, such as hotel locks, etc.); and \n\n•\tDisrupting or otherwise adversely affecting Marriott’s business, the operation of any Marriott applications or systems, or the use and protection of Marriott Data.  \n\nMarriott reserves all rights and potential claims with respect to any such prohibited activities.  \n\n\n# Confidentiality\nUnless Marriott provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the Marriott program, including discussions related to our program or any vulnerabilities (even if resolved).\n\n# Disclosure Policy\n* While this is a public program, Marriott does not allow for any form of public disclosure at this time. Please do not discuss or write about any vulnerabilities (even resolved ones) outside of the program without express consent from Marriott.\n* If you publicly disclose any vulnerability information without explicit permission from Marriott, any safe harbor terms will not apply.\n* The terms in this policy supersede any conflicting HackerOne rules, guidelines, and terms.\n\n\nThank you for helping to protect Marriott’s systems and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-06-01T19:11:43.043Z"},{"id":3670167,"new_policy":"# Welcome to the Marriott Bug Bounty program. \nThe Marriott Group, which includes Marriott International, Inc., Starwood Hotels \u0026 Resorts Worldwide, LLC, and their affiliates (collectively, Marriott) takes cybersecurity seriously.  The responsible disclosure of potential vulnerabilities by this community helps us to ensure the security and privacy of our customers and data.  
\n\nExcept as modified by these terms of Marriott’s bounty program, the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and [Code of Conduct](https://www.hackerone.com/policies/code-of-conduct) apply to your participation in Marriott’s bounty program.  By submitting a potential vulnerability report (Submission), you acknowledge that you have read and agreed to the terms of Marriott’s program (Program Terms).  Marriott may revise the Program Terms or terminate the bounty program at any time.  Marriott’s bounty program intakes bugs discovered by members of the cybersecurity community. Researchers' identities and vulnerability details are not disclosed.\n \n\n# Submission Requirements\n\n1.\tA detailed summary of the vulnerability, including: type of issue; location; product; version; and configuration of any software, as appropriate; \n\n2.\tEstimated severity and/or impact of the issue, if any;\n\n3.\tSuggested mitigation or remediation actions, if appropriate; and \n\n4.\tReport must not contain results from automated scanners\n\n\n# Marriott CVE Policy\n* Security flaws that have an official patch for less than 30 days from the date of patch availability will not be eligible for bounty payments.\n* Security flaws that have updates available between 30-60 days will be paid at 50% total eligibility.\n* Security flaws with updates available for more than 60 will be paid at 100% total eligibility.\n\n\n# CVE-2021-44228 and related Log4j vulnerabilities\n* Marriott will begin rewarding eligible reports at 25% total beginning December 27, 2021\n* Marriott will begin rewarding eligible reports at 100%  total beginning January 31, 2022\n\n\n\n# Out of Scope - These will be marked informative \n\n* Please do not test assets owned by Marriott Vacations Worldwide, Marriott Vacations Clubs,  Vistana, Interval International, Marriott Co Financial, Interval Leisure Group and Martiz Websites. 
\n*** Web Cache Poisoning - We are aware of a misconfiguration in our CDN . We will fix by February and then continue allowing submissions of this type.\n***Reflected XSS on Marriott.com via parameters in URL or DOM(especially via specially crafted html files)\n* UI Redressing via custom .html files\n* Other Marriott-owned devices  - Assets located at any of our hotels, condos, apartments, or convention centers\n* Missing best practices in SSL/TLS configuration.\n* Clickjacking on pages with no sensitive actions.\n* Any activity that could lead to the disruption of our service (DoS).\n* XSS and CRLF that requires user interaction ie, clicking on a link from a phishing email\n* Attacks requiring MITM or physical access to a user's device.\n* Open Re-direct Issues without linking to other credential leakage or some other compromise.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n\n# Program Rules\n*Validate WHOIS registration data to make sure that technical abuse contacts is domain.administrator@marriott.com. This shows for sure that we control the domain. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n* Validation of credentials is prohibited.\n\n\n#What You Can Expect From Us\nWe take every submission seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like Marriott and the broader Internet community.  We will investigate every submission and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible.  \nMarriott will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:\n\n| Type of Response | Estimated SLA in business days | \n|----------|--------------------|\n|  First Response | 2 days | \n| Time to Triage   | 5 days |\n| Time to  Bounty   | 20 days |\n|  Time to Resolution   | depends on severity and complexity |\n\nResearchers will be kept informed about our progress throughout the process.\n\n# Disclaimers/Prohibited Activities\nFor the avoidance of doubt, the following activities are expressly prohibited:\n\n•\tDownloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential Marriott data or data belonging to Marriott’s business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party (other than your own) directly or indirectly affiliated with Marriott (collectively, Marriott Data);\n\n•\tHacking, penetrating, or otherwise attempting to gain unauthorized access to Marriott applications, systems, or Marriott Data in violation of the Program Terms or applicable laws;\n \n•\tEngaging in any social engineering (e.g. phishing, vishing, smishing) or denial of service testing;\n\n•\tMass creation of accounts to perform testing against Marriott applications and services;\n\n•\tConducting physical attacks against any Marriott assets (e.g. 
any equipment within and Marriott facilities themselves, such as hotel locks, etc.); and \n\n•\tDisrupting or otherwise adversely affecting Marriott’s business, the operation of any Marriott applications or systems, or the use and protection of Marriott Data.  \n\nMarriott reserves all rights and potential claims with respect to any such prohibited activities.  \n\n\n# Confidentiality\nUnless Marriott provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the Marriott program, including discussions related to our program or any vulnerabilities (even if resolved).\n\n# Disclosure Policy\n* While this is a public program, Marriott does not allow for any form of public disclosure at this time. Please do not discuss or write about any vulnerabilities (even resolved ones) outside of the program without express consent from Marriott.\n* If you publicly disclose any vulnerability information without explicit permission from Marriott, any safe harbor terms will not apply.\n* The terms in this policy supersede any conflicting HackerOne rules, guidelines, and terms.\n\n\nThank you for helping to protect Marriott’s systems and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-04-22T16:24:26.782Z"},{"id":3663383,"new_policy":"# Welcome to the Marriott Bug Bounty program. \nThe Marriott Group, which includes Marriott International, Inc., Starwood Hotels \u0026 Resorts Worldwide, LLC, and their affiliates (collectively, Marriott) takes cybersecurity seriously.  The responsible disclosure of potential vulnerabilities by this community helps us to ensure the security and privacy of our customers and data.  
\n\nExcept as modified by these terms of Marriott’s bounty program, the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and [Code of Conduct](https://www.hackerone.com/policies/code-of-conduct) apply to your participation in Marriott’s bounty program.  By submitting a potential vulnerability report (Submission), you acknowledge that you have read and agreed to the terms of Marriott’s program (Program Terms).  Marriott may revise the Program Terms or terminate the bounty program at any time.  Marriott’s bounty program intakes bugs discovered by members of the cybersecurity community. Researchers' identities and vulnerability details are not disclosed.\n \n\n# Submission Requirements\n\n1.\tA detailed summary of the vulnerability, including: type of issue; location; product; version; and configuration of any software, as appropriate; \n\n2.\tEstimated severity and/or impact of the issue, if any;\n\n3.\tSuggested mitigation or remediation actions, if appropriate; and \n\n4.\tReport must not contain results from automated scanners\n\n\n# Marriott CVE Policy\n* Security flaws that have an official patch for less than 30 days from the date of patch availability will not be eligible for bounty payments.\n* Security flaws that have updates available between 30-60 days will be paid at 50% total eligibility.\n* Security flaws with updates available for more than 60 will be paid at 100% total eligibility.\n\n\n# CVE-2021-44228 and related Log4j vulnerabilities\n* Marriott will begin rewarding eligible reports at 25% total beginning December 27, 2021\n* Marriott will begin rewarding eligible reports at 100%  total beginning January 31, 2022\n\n\n\n# Out of Scope - These will be marked informative \n\n* Please do not test assets owned by Marriott Vacations Worldwide, Marriott Vacations Clubs,  Vistana, Interval International, Marriott Co Financial, Interval Leisure Group and Martiz Websites. 
\n*** Web Cache Poisoning - We are aware of a misconfiguration in our CDN . We will fix by February and then continue allowing submissions of this type.\n***Reflected XSS on Marriott.com via parameters in URL or DOM(especially via specially crafted html files)\n* UI Redressing via custom .html files\n* Other Marriott-owned devices  - Assets located at any of our hotels, condos, apartments, or convention centers\n* Missing best practices in SSL/TLS configuration.\n* Clickjacking on pages with no sensitive actions.\n* Any activity that could lead to the disruption of our service (DoS).\n* XSS and CRLF that requires user interaction ie, clicking on a link from a phishing email\n* Attacks requiring MITM or physical access to a user's device.\n* Open Re-direct Issues without linking to other credential leakage or some other compromise.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n\n# Program Rules\n*Validate WHOIS registration data to make sure that technical abuse contacts is domain.administrator@marriott.com. This shows for sure that we control the domain. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n\n\n#What You Can Expect From Us\nWe take every submission seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like Marriott and the broader Internet community.  We will investigate every submission and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible.  \nMarriott will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:\n\n| Type of Response | Estimated SLA in business days | \n|----------|--------------------|\n|  First Response | 2 days | \n| Time to Triage   | 5 days |\n| Time to  Bounty   | 20 days |\n|  Time to Resolution   | depends on severity and complexity |\n\nResearchers will be kept informed about our progress throughout the process.\n\n# Disclaimers/Prohibited Activities\nFor the avoidance of doubt, the following activities are expressly prohibited:\n\n•\tDownloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential Marriott data or data belonging to Marriott’s business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party (other than your own) directly or indirectly affiliated with Marriott (collectively, Marriott Data);\n\n•\tHacking, penetrating, or otherwise attempting to gain unauthorized access to Marriott applications, systems, or Marriott Data in violation of the Program Terms or applicable laws;\n \n•\tEngaging in any social engineering (e.g. phishing, vishing, smishing) or denial of service testing;\n\n•\tMass creation of accounts to perform testing against Marriott applications and services;\n\n•\tConducting physical attacks against any Marriott assets (e.g. 
any equipment within and Marriott facilities themselves, such as hotel locks, etc.); and \n\n•\tDisrupting or otherwise adversely affecting Marriott’s business, the operation of any Marriott applications or systems, or the use and protection of Marriott Data.  \n\nMarriott reserves all rights and potential claims with respect to any such prohibited activities.  \n\n\n# Confidentiality\nUnless Marriott provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the Marriott program, including discussions related to our program or any vulnerabilities (even if resolved).\n\n# Disclosure Policy\n* While this is a public program, Marriott does not allow for any form of public disclosure at this time. Please do not discuss or write about any vulnerabilities (even resolved ones) outside of the program without express consent from Marriott.\n* If you publicly disclose any vulnerability information without explicit permission from Marriott, any safe harbor terms will not apply.\n* The terms in this policy supersede any conflicting HackerOne rules, guidelines, and terms.\n\n\nThank you for helping to protect Marriott’s systems and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-12-23T14:07:11.936Z"},{"id":3663164,"new_policy":"# Welcome to the Marriott Bug Bounty program. \nThe Marriott Group, which includes Marriott International, Inc., Starwood Hotels \u0026 Resorts Worldwide, LLC, and their affiliates (collectively, Marriott) takes cybersecurity seriously.  The responsible disclosure of potential vulnerabilities by this community helps us to ensure the security and privacy of our customers and data.  
\n\nExcept as modified by these terms of Marriott’s bounty program, the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and [Code of Conduct](https://www.hackerone.com/policies/code-of-conduct) apply to your participation in Marriott’s bounty program.  By submitting a potential vulnerability report (Submission), you acknowledge that you have read and agreed to the terms of Marriott’s program (Program Terms).  Marriott may revise the Program Terms or terminate the bounty program at any time.  Marriott’s bounty program intakes bugs discovered by members of the cybersecurity community. Researchers' identities and vulnerability details are not disclosed.\n \n\n# Submission Requirements\n\n1.\tA detailed summary of the vulnerability, including: type of issue; location; product; version; and configuration of any software, as appropriate; \n\n2.\tEstimated severity and/or impact of the issue, if any;\n\n3.\tSuggested mitigation or remediation actions, if appropriate; and \n\n4.\tReport must not contain results from automated scanners\n\n\n# Marriott CVE Policy\n* Security flaws that have an official patch for less than 30 days from the date of patch availability will not be eligible for bounty payments.\n* Security flaws that have updates available between 30-60 days will be paid at 50% total eligibility.\n* Security flaws with updates available for more than 60 will be paid at 100% total eligibility.\n\n\n# CVE-2021-44228 and related Log4j vulnerabilities\n* Marriott will begin rewarding eligible reports at 25% total beginning December 27, 2021\n* Marriott will begin rewarding eligible reports at 100%  total beginning January 31, 2022\n\n\n\n# Out of Scope - These will be marked informative \n\n* Please do not test assets owned by Marriott Vacations Worldwide, Marriott Vacations Clubs,  Vistana, Interval International, Marriott Co Financial, Interval Leisure Group and Martiz Websites. 
\n* UI Redressing via custom .html files\n* Other Marriott-owned devices  - Assets located at any of our hotels, condos, apartments, or convention centers\n* Missing best practices in SSL/TLS configuration.\n* Clickjacking on pages with no sensitive actions.\n* Any activity that could lead to the disruption of our service (DoS).\n* XSS and CRLF that requires user interaction.\n***Reflected XSS on Marriott.com via parameters in URL or DOM(especially via specially crafted html files)\n* Attacks requiring MITM or physical access to a user's device.\n* Open Re-direct Issues without linking to other credential leakage or some other compromise.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Web cache or Cache poisoning issues that don't lead to confidential data leak or account takeover. \n\n# Program Rules\n*Validate WHOIS registration data to make sure that technical abuse contacts is domain.administrator@marriott.com. This shows for sure that we control the domain. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n\n\n#What You Can Expect From Us\nWe take every submission seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like Marriott and the broader Internet community.  We will investigate every submission and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible.  \nMarriott will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:\n\n| Type of Response | Estimated SLA in business days | \n|----------|--------------------|\n|  First Response | 2 days | \n| Time to Triage   | 5 days |\n| Time to  Bounty   | 20 days |\n|  Time to Resolution   | depends on severity and complexity |\n\nResearchers will be kept informed about our progress throughout the process.\n\n# Disclaimers/Prohibited Activities\nFor the avoidance of doubt, the following activities are expressly prohibited:\n\n•\tDownloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential Marriott data or data belonging to Marriott’s business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party (other than your own) directly or indirectly affiliated with Marriott (collectively, Marriott Data);\n\n•\tHacking, penetrating, or otherwise attempting to gain unauthorized access to Marriott applications, systems, or Marriott Data in violation of the Program Terms or applicable laws;\n \n•\tEngaging in any social engineering (e.g. phishing, vishing, smishing) or denial of service testing;\n\n•\tMass creation of accounts to perform testing against Marriott applications and services;\n\n•\tConducting physical attacks against any Marriott assets (e.g. 
any equipment within and Marriott facilities themselves, such as hotel locks, etc.); and \n\n•\tDisrupting or otherwise adversely affecting Marriott’s business, the operation of any Marriott applications or systems, or the use and protection of Marriott Data.  \n\nMarriott reserves all rights and potential claims with respect to any such prohibited activities.  \n\n\n# Confidentiality\nUnless Marriott provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the Marriott program, including discussions related to our program or any vulnerabilities (even if resolved).\n\n# Disclosure Policy\n* While this is a public program, Marriott does not allow for any form of public disclosure at this time. Please do not discuss or write about any vulnerabilities (even resolved ones) outside of the program without express consent from Marriott.\n* If you publicly disclose any vulnerability information without explicit permission from Marriott, any safe harbor terms will not apply.\n* The terms in this policy supersede any conflicting HackerOne rules, guidelines, and terms.\n\n\nThank you for helping to protect Marriott’s systems and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-12-17T23:51:22.256Z"},{"id":3662235,"new_policy":"# Welcome to the Marriott Bug Bounty program. \nThe Marriott Group, which includes Marriott International, Inc., Starwood Hotels \u0026 Resorts Worldwide, LLC, and their affiliates (collectively, Marriott) takes cybersecurity seriously.  The responsible disclosure of potential vulnerabilities by this community helps us to ensure the security and privacy of our customers and data.  
\n\nExcept as modified by these terms of Marriott’s bounty program, the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and [Code of Conduct](https://www.hackerone.com/policies/code-of-conduct) apply to your participation in Marriott’s bounty program.  By submitting a potential vulnerability report (Submission), you acknowledge that you have read and agreed to the terms of Marriott’s program (Program Terms).  Marriott may revise the Program Terms or terminate the bounty program at any time.  Marriott’s bounty program intakes bugs discovered by members of the cybersecurity community. Researchers' identities and vulnerability details are not disclosed.\n \n\n# Submission Requirements\n\n1.\tA detailed summary of the vulnerability, including: type of issue; location; product; version; and configuration of any software, as appropriate; \n\n2.\tEstimated severity and/or impact of the issue, if any;\n\n3.\tSuggested mitigation or remediation actions, if appropriate; and \n\n4.\tReport must not contain results from automated scanners\n\n\n\n# Out of Scope - These will be marked informative \n\n* Please do not test assets owned by Marriott Vacations Worldwide, Marriott Vacations Clubs,  Vistana, Interval International, Marriott Co Financial, Interval Leisure Group and Martiz Websites. 
\n* UI Redressing via custom .html files\n* Other Marriott-owned devices  - Assets located at any of our hotels, condos, apartments, or convention centers\n* Missing best practices in SSL/TLS configuration.\n* Clickjacking on pages with no sensitive actions.\n* Any activity that could lead to the disruption of our service (DoS).\n* XSS and CRLF that requires user interaction.\n* Reflected XSS on Marriott.com via parameters in URL or DOM (especially via specially crafted html files)\n* Attacks requiring MITM or physical access to a user's device.\n* Open Re-direct Issues without linking to other credential leakage or some other compromise.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Web cache or Cache poisoning issues that don't lead to confidential data leak or account takeover. \n\n# Program Rules\n* Validate WHOIS registration data to make sure that technical abuse contact is domain.administrator@marriott.com. This shows for sure that we control the domain. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n\n\n#What You Can Expect From Us\nWe take every submission seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like Marriott and the broader Internet community.  We will investigate every submission and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible.  \nMarriott will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:\n\n| Type of Response | Estimated SLA in business days | \n|----------|--------------------|\n|  First Response | 2 days | \n| Time to Triage   | 5 days |\n| Time to  Bounty   | 20 days |\n|  Time to Resolution   | depends on severity and complexity |\n\nResearchers will be kept informed about our progress throughout the process.\n\n# Disclaimers/Prohibited Activities\nFor the avoidance of doubt, the following activities are expressly prohibited:\n\n•\tDownloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential Marriott data or data belonging to Marriott’s business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party (other than your own) directly or indirectly affiliated with Marriott (collectively, Marriott Data);\n\n•\tHacking, penetrating, or otherwise attempting to gain unauthorized access to Marriott applications, systems, or Marriott Data in violation of the Program Terms or applicable laws;\n \n•\tEngaging in any social engineering (e.g. phishing, vishing, smishing) or denial of service testing;\n\n•\tMass creation of accounts to perform testing against Marriott applications and services;\n\n•\tConducting physical attacks against any Marriott assets (e.g. 
any equipment within and Marriott facilities themselves, such as hotel locks, etc.); and \n\n•\tDisrupting or otherwise adversely affecting Marriott’s business, the operation of any Marriott applications or systems, or the use and protection of Marriott Data.  \n\nMarriott reserves all rights and potential claims with respect to any such prohibited activities.  \n\n\n# Confidentiality\nUnless Marriott provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the Marriott program, including discussions related to our program or any vulnerabilities (even if resolved).\n\n# Disclosure Policy\n* While this is a public program, Marriott does not allow for any form of public disclosure at this time. Please do not discuss or write about any vulnerabilities (even resolved ones) outside of the program without express consent from Marriott.\n* If you publicly disclose any vulnerability information without explicit permission from Marriott, any safe harbor terms will not apply.\n* The terms in this policy supersede any conflicting HackerOne rules, guidelines, and terms.\n\n\nThank you for helping to protect Marriott’s systems and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-11-29T12:36:53.507Z"},{"id":3661699,"new_policy":"# Welcome to the Marriott Bug Bounty program. \nThe Marriott Group, which includes Marriott International, Inc., Starwood Hotels \u0026 Resorts Worldwide, LLC, and their affiliates (collectively, Marriott) takes cybersecurity seriously.  The responsible disclosure of potential vulnerabilities by this community helps us to ensure the security and privacy of our customers and data.  
\n\nExcept as modified by these terms of Marriott’s bounty program, the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and [Code of Conduct](https://www.hackerone.com/policies/code-of-conduct) apply to your participation in Marriott’s bounty program.  By submitting a potential vulnerability report (Submission), you acknowledge that you have read and agreed to the terms of Marriott’s program (Program Terms).  Marriott may revise the Program Terms or terminate the bounty program at any time.  Marriott’s bounty program intakes bugs discovered by members of the cybersecurity community. Researchers' identities and vulnerability details are not disclosed.\n \n\n# Submission Requirements\n\n1.\tA detailed summary of the vulnerability, including: type of issue; location; product; version; and configuration of any software, as appropriate; \n\n2.\tEstimated severity and/or impact of the issue, if any;\n\n3.\tSuggested mitigation or remediation actions, if appropriate; and \n\n4.\tReport must not contain results from automated scanners\n\n\n\n# Out of Scope - These will be marked informative \n* Please do not test assets owned by Marriott Vacations Worldwide, Marriott Vacations Clubs,  Vistana, Interval International, Marriott Co Financial, Interval Leisure Group and Martiz Websites. 
\n* UI Redressing via custom .html files\n* Assets located at any of our hotels, condos, apartments, or convention centers\n* Missing best practices in SSL/TLS configuration.\n* Clickjacking on pages with no sensitive actions.\n* Any activity that could lead to the disruption of our service (DoS).\n* XSS and CRLF that requires user interaction.\n* Reflected XSS on Marriott.com via parameters in URL or DOM (especially via specially crafted html files)\n* Attacks requiring MITM or physical access to a user's device.\n* Open Re-direct Issues without linking to other credential leakage or some other compromise.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Web cache or Cache poisoning issues that don't lead to confidential data leak or account takeover. \n\n# Program Rules\n* Validate WHOIS registration data to make sure that technical abuse contact is domain.administrator@marriott.com. This shows for sure that we control the domain. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with explicit permission of the account holder.\n\n\n#What You Can Expect From Us\nWe take every submission seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like Marriott and the broader Internet community.  We will investigate every submission and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible.  \nMarriott will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:\n\n| Type of Response | Estimated SLA in business days | \n|----------|--------------------|\n|  First Response | 2 days | \n| Time to Triage   | 5 days |\n| Time to  Bounty   | 20 days |\n|  Time to Resolution   | depends on severity and complexity |\n\nResearchers will be kept informed about our progress throughout the process.\n\n# Disclaimers/Prohibited Activities\nFor the avoidance of doubt, the following activities are expressly prohibited:\n\n•\tDownloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential Marriott data or data belonging to Marriott’s business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party (other than your own) directly or indirectly affiliated with Marriott (collectively, Marriott Data);\n\n•\tHacking, penetrating, or otherwise attempting to gain unauthorized access to Marriott applications, systems, or Marriott Data in violation of the Program Terms or applicable laws;\n \n•\tEngaging in any social engineering (e.g. phishing, vishing, smishing) or denial of service testing;\n\n•\tMass creation of accounts to perform testing against Marriott applications and services;\n\n•\tConducting physical attacks against any Marriott assets (e.g. 
any equipment within and Marriott facilities themselves, such as hotel locks, etc.); and \n\n•\tDisrupting or otherwise adversely affecting Marriott’s business, the operation of any Marriott applications or systems, or the use and protection of Marriott Data.  \n\nMarriott reserves all rights and potential claims with respect to any such prohibited activities.  \n\n\n# Confidentiality\nUnless Marriott provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the Marriott program, including discussions related to our program or any vulnerabilities (even if resolved).\n\n# Disclosure Policy\n* While this is a public program, Marriott does not allow for any form of public disclosure at this time. Please do not discuss or write about any vulnerabilities (even resolved ones) outside of the program without express consent from Marriott.\n* If you publicly disclose any vulnerability information without explicit permission from Marriott, any safe harbor terms will not apply.\n* The terms in this policy supersede any conflicting HackerOne rules, guidelines, and terms.\n\n\nThank you for helping to protect Marriott’s systems and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-11-15T15:51:26.215Z"},{"id":3661354,"new_policy":"# Welcome to the Marriott Bug Bounty program. \nThe Marriott Group, which includes Marriott International, Inc., Starwood Hotels \u0026 Resorts Worldwide, LLC, and their affiliates (collectively, Marriott) takes cybersecurity seriously.  The responsible disclosure of potential vulnerabilities by this community helps us to ensure the security and privacy of our customers and data.  
\n\nExcept as modified by these terms of Marriott’s bounty program, the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and [Code of Conduct](https://www.hackerone.com/policies/code-of-conduct) apply to your participation in Marriott’s bounty program.  By submitting a potential vulnerability report (Submission), you acknowledge that you have read and agreed to the terms of Marriott’s program (Program Terms).  Marriott may revise the Program Terms or terminate the bounty program at any time.  Marriott’s bounty program intakes bugs discovered by members of the cybersecurity community. Researchers' identities and vulnerability details are not disclosed.\n \n\n# Submission Requirements\n\n1.\tA detailed summary of the vulnerability, including: type of issue; location; product; version; and configuration of any software, as appropriate; \n\n2.\tEstimated severity and/or impact of the issue, if any;\n\n3.\tSuggested mitigation or remediation actions, if appropriate; and \n\n4.\tReport must not contain results from automated scanners\n\n\n\n# Out of Scope - These will be marked informative \n* Please do not test assets owned by Marriott Vacations Worldwide, Marriott Vacations Clubs,  Vistana, Interval International, Marriott Co Financial, Interval Leisure Group and Martiz Websites. 
\n* UI Redressing via custom .html files\n* Attacks on hotel infrastructure IPs.\n* Missing best practices in SSL/TLS configuration.\n* Clickjacking on pages with no sensitive actions.\n* Any activity that could lead to the disruption of our service (DoS).\n* XSS and CRLF that requires user interaction.\n* Reflected XSS on Marriott.com via parameters in URL or DOM (especially via specially crafted html files)\n* Attacks requiring MITM or physical access to a user's device.\n* Open Re-direct Issues without linking to other credential leakage or some other compromise.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Web cache or Cache poisoning issues that don't lead to confidential data leak or account takeover. \n\n# Program Rules\n* Validate WHOIS registration data to make sure that technical abuse contact is domain.administrator@marriott.com. This shows for sure that we control the domain. \n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n\n#What You Can Expect From Us\nWe take every submission seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like Marriott and the broader Internet community.  
We will investigate every submission and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible.  \nMarriott will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:\n\n| Type of Response | Estimated SLA in business days | \n|----------|--------------------|\n|  First Response | 2 days | \n| Time to Triage   | 5 days |\n| Time to  Bounty   | 20 days |\n|  Time to Resolution   | depends on severity and complexity |\n\nResearchers will be kept informed about our progress throughout the process.\n\n# Disclaimers/Prohibited Activities\nFor the avoidance of doubt, the following activities are expressly prohibited:\n\n•\tDownloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential Marriott data or data belonging to Marriott’s business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party (other than your own) directly or indirectly affiliated with Marriott (collectively, Marriott Data);\n\n•\tHacking, penetrating, or otherwise attempting to gain unauthorized access to Marriott applications, systems, or Marriott Data in violation of the Program Terms or applicable laws;\n \n•\tEngaging in any social engineering (e.g. phishing, vishing, smishing) or denial of service testing;\n\n•\tMass creation of accounts to perform testing against Marriott applications and services;\n\n•\tConducting physical attacks against any Marriott assets (e.g. any equipment within and Marriott facilities themselves, such as hotel locks, etc.); and \n\n•\tDisrupting or otherwise adversely affecting Marriott’s business, the operation of any Marriott applications or systems, or the use and protection of Marriott Data.  \n\nMarriott reserves all rights and potential claims with respect to any such prohibited activities.  
\n\n\n# Confidentiality\nUnless Marriott provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the Marriott program, including discussions related to our program or any vulnerabilities (even if resolved).\n\n# Disclosure Policy\n* While this is a public program, Marriott does not allow for any form of public disclosure at this time. Please do not discuss or write about any vulnerabilities (even resolved ones) outside of the program without express consent from Marriott.\n* If you publicly disclose any vulnerability information without explicit permission from Marriott, any safe harbor terms will not apply.\n* The terms in this policy supersede any conflicting HackerOne rules, guidelines, and terms.\n\n\nThank you for helping to protect Marriott’s systems and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-11-08T22:39:44.569Z"},{"id":3661054,"new_policy":"# Welcome to the Marriott Bug Bounty program. \nThe Marriott Group, which includes Marriott International, Inc., Starwood Hotels \u0026 Resorts Worldwide, LLC, and their affiliates (collectively, Marriott) takes cybersecurity seriously.  The responsible disclosure of potential vulnerabilities by this community helps us to ensure the security and privacy of our customers and data.  \n\nExcept as modified by these terms of Marriott’s bounty program, the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and [Code of Conduct](https://www.hackerone.com/policies/code-of-conduct) apply to your participation in Marriott’s bounty program.  
By submitting a potential vulnerability report (Submission), you acknowledge that you have read and agreed to the terms of Marriott’s program (Program Terms).  Marriott may revise the Program Terms or terminate the bounty program at any time.  Marriott’s bounty program intakes bugs discovered by members of the cybersecurity community. Researchers' identities and vulnerability details are not disclosed.\n \n\n# Submission Requirements\n\n1.\tA detailed summary of the vulnerability, including: type of issue; location; product; version; and configuration of any software, as appropriate; \n\n2.\tEstimated severity and/or impact of the issue, if any;\n\n3.\tSuggested mitigation or remediation actions, if appropriate; and \n\n4.\tReport must not contain results from automated scanners\n\n\n\n# Out of Scope\n* Please do not test assets owned by Marriott Vacations Worldwide, Marriott Vacations Clubs,  Vistana, Interval International, Marriott Co Financial, Interval Leisure Group and Martiz Websites. \n* UI Redressing via custom .html files\n* Attacks on hotel infrastructure IPs.\n* Missing best practices in SSL/TLS configuration.\n* Clickjacking on pages with no sensitive actions.\n* Any activity that could lead to the disruption of our service (DoS).\n* XSS and CRLF that requires user interaction.\n* Reflected XSS on Marriott.com via parameters in URL or DOM (especially via specially crafted html files)\n* Attacks requiring MITM or physical access to a user's device.\n* Open Re-direct Issues without linking to other credential leakage or some other compromise.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n# Program Rules\n* Validate WHOIS registration data to make sure that technical abuse contact is domain.administrator@marriott.com. This shows for sure that we control the domain. \n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n\n#What You Can Expect From Us\nWe take every submission seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like Marriott and the broader Internet community.  We will investigate every submission and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible.  
\nMarriott will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:\n\n| Type of Response | Estimated SLA in business days | \n|----------|--------------------|\n|  First Response | 2 days | \n| Time to Triage   | 5 days |\n| Time to  Bounty   | 20 days |\n|  Time to Resolution   | depends on severity and complexity |\n\nResearchers will be kept informed about our progress throughout the process.\n\n# Disclaimers/Prohibited Activities\nFor the avoidance of doubt, the following activities are expressly prohibited:\n\n•\tDownloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential Marriott data or data belonging to Marriott’s business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party (other than your own) directly or indirectly affiliated with Marriott (collectively, Marriott Data);\n\n•\tHacking, penetrating, or otherwise attempting to gain unauthorized access to Marriott applications, systems, or Marriott Data in violation of the Program Terms or applicable laws;\n \n•\tEngaging in any social engineering (e.g. phishing, vishing, smishing) or denial of service testing;\n\n•\tMass creation of accounts to perform testing against Marriott applications and services;\n\n•\tConducting physical attacks against any Marriott assets (e.g. any equipment within and Marriott facilities themselves, such as hotel locks, etc.); and \n\n•\tDisrupting or otherwise adversely affecting Marriott’s business, the operation of any Marriott applications or systems, or the use and protection of Marriott Data.  \n\nMarriott reserves all rights and potential claims with respect to any such prohibited activities.  
\n\n\n# Confidentiality\nUnless Marriott provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the Marriott program, including discussions related to our program or any vulnerabilities (even if resolved).\n\n# Disclosure Policy\n* While this is a public program, Marriott does not allow for any form of public disclosure at this time. Please do not discuss or write about any vulnerabilities (even resolved ones) outside of the program without express consent from Marriott.\n* If you publicly disclose any vulnerability information without explicit permission from Marriott, any safe harbor terms will not apply.\n* The terms in this policy supersede any conflicting HackerOne rules, guidelines, and terms.\n\n\nThank you for helping to protect Marriott’s systems and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-11-03T18:55:18.994Z"},{"id":3659018,"new_policy":"# Welcome to the Marriott Bug Bounty program. \nThe Marriott Group, which includes Marriott International, Inc., Starwood Hotels \u0026 Resorts Worldwide, LLC, and their affiliates (collectively, Marriott) takes cybersecurity seriously.  The responsible disclosure of potential vulnerabilities by this community helps us to ensure the security and privacy of our customers and data.  \n\nExcept as modified by these terms of Marriott’s bounty program, the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and [Code of Conduct](https://www.hackerone.com/policies/code-of-conduct) apply to your participation in Marriott’s bounty program.  
By submitting a potential vulnerability report (Submission), you acknowledge that you have read and agreed to the terms of Marriott’s program (Program Terms).  Marriott may revise the Program Terms or terminate the bounty program at any time.  Marriott’s bounty program intakes bugs discovered by members of the cybersecurity community. Researchers' identities and vulnerability details are not disclosed.\n \n\n# Submission Requirements\n\n1.\tA detailed summary of the vulnerability, including: type of issue; location; product; version; and configuration of any software, as appropriate; \n\n2.\tEstimated severity and/or impact of the issue, if any;\n\n3.\tSuggested mitigation or remediation actions, if appropriate; and \n\n4.\tReport must not contain results from automated scanners\n\n\n\n# Out of Scope\n* Please do not test assets owned by Marriott Vacations Worldwide, Marriott Vacations Clubs,  Vistana, Interval International, Marriott Co Financial, Interval Leisure Group and Martiz Websites. \n* UI Redressing via custom .html files\n* Attacks on hotel infrastructure IPs.\n* Missing best practices in SSL/TLS configuration.\n* Clickjacking on pages with no sensitive actions.\n* Any activity that could lead to the disruption of our service (DoS).\n* XSS and CRLF that requires user interaction.\n* Reflected XSS on Marriott.com via parameters in URL or DOM (especially via specially crafted html files)\n* Attacks requiring MITM or physical access to a user's device.\n* Open Re-direct Issues without linking to other credential leakage or some other compromise.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n# Program Rules\n* Validate WHOIS registration data to make sure that technical abuse contact is domain.administrator@marriott.com. This shows for sure that we control the domain. \n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n\n#What You Can Expect From Us\nWe take every submission seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like Marriott and the broader Internet community.  We will investigate every submission and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible.  
\nMarriott will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:\n\n| Type of Response | Estimated SLA in business days | \n|----------|--------------------|\n|  First Response | 2 days | \n| Time to Triage   | 5 days |\n| Time to  Bounty   | 10 days |\n|  Time to Resolution   | depends on severity and complexity |\n\nResearchers will be kept informed about our progress throughout the process.\n\n# Disclaimers/Prohibited Activities\nFor the avoidance of doubt, the following activities are expressly prohibited:\n\n•\tDownloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential Marriott data or data belonging to Marriott’s business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party (other than your own) directly or indirectly affiliated with Marriott (collectively, Marriott Data);\n\n•\tHacking, penetrating, or otherwise attempting to gain unauthorized access to Marriott applications, systems, or Marriott Data in violation of the Program Terms or applicable laws;\n \n•\tEngaging in any social engineering (e.g. phishing, vishing, smishing) or denial of service testing;\n\n•\tMass creation of accounts to perform testing against Marriott applications and services;\n\n•\tConducting physical attacks against any Marriott assets (e.g. any equipment within and Marriott facilities themselves, such as hotel locks, etc.); and \n\n•\tDisrupting or otherwise adversely affecting Marriott’s business, the operation of any Marriott applications or systems, or the use and protection of Marriott Data.  \n\nMarriott reserves all rights and potential claims with respect to any such prohibited activities.  
\n\n\n# Confidentiality\nUnless Marriott provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the Marriott program, including discussions related to our program or any vulnerabilities (even if resolved).\n\n# Disclosure Policy\n* While this is a public program, Marriott does not allow for any form of public disclosure at this time. Please do not discuss or write about any vulnerabilities (even resolved ones) outside of the program without express consent from Marriott.\n* If you publicly disclose any vulnerability information without explicit permission from Marriott, any safe harbor terms will not apply.\n* The terms in this policy supersede any conflicting HackerOne rules, guidelines, and terms.\n\n\nThank you for helping to protect Marriott’s systems and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-29T18:02:17.914Z"},{"id":3657797,"new_policy":"# Welcome to the Marriott Bug Bounty program. \nThe Marriott Group, which includes Marriott International, Inc., Starwood Hotels \u0026 Resorts Worldwide, LLC, and their affiliates (collectively, Marriott) takes cybersecurity seriously.  The responsible disclosure of potential vulnerabilities by this community helps us to ensure the security and privacy of our customers and data.  \n\nExcept as modified by these terms of Marriott’s bounty program, the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and [Code of Conduct](https://www.hackerone.com/policies/code-of-conduct) apply to your participation in Marriott’s bounty program.  
By submitting a potential vulnerability report (Submission), you acknowledge that you have read and agreed to the terms of Marriott’s program (Program Terms).  Marriott may revise the Program Terms or terminate the bounty program at any time.  Marriott’s bounty program intakes bugs discovered by members of the cybersecurity community. Researchers' identities and vulnerability details are not disclosed.\n \n\n# Submission Requirements\n\n1.\tA detailed summary of the vulnerability, including: type of issue; location; product; version; and configuration of any software, as appropriate; \n\n2.\tEstimated severity and/or impact of the issue, if any;\n\n3.\tSuggested mitigation or remediation actions, if appropriate; and \n\n4.\tReport must not contain results from automated scanners\n\n\n\n# Out of Scope\n* Please do not test assets owned by Marriott Vacations Worldwide, Marriott Vacations Clubs,  Vistana, Interval International, Marriott Co Financial, Interval Leisure Group and Martiz Websites. \n* UI Redressing via custom .html files\n* Missing best practices in SSL/TLS configuration.\n* Clickjacking on pages with no sensitive actions.\n* Any activity that could lead to the disruption of our service (DoS).\n* XSS and CRLF that require user interaction.\n* Reflected XSS on Marriott.com via parameters in URL or DOM (especially via specially crafted html files)\n* Attacks requiring MITM or physical access to a user's device.\n* Open Re-direct Issues without linking to other credential leakage or some other compromise.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n# Program Rules\n* Validate WHOIS registration data to make sure that the technical abuse contact is domain.administrator@marriott.com. This shows for sure that we control the domain. \n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n\n#What You Can Expect From Us\nWe take every submission seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like Marriott and the broader Internet community.  We will investigate every submission and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible.  
\nMarriott will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:\n\n| Type of Response | Estimated SLA in business days | \n|----------|--------------------|\n|  First Response | 2 days | \n| Time to Triage   | 5 days |\n| Time to  Bounty   | 10 days |\n|  Time to Resolution   | depends on severity and complexity |\n\nResearchers will be kept informed about our progress throughout the process.\n\n# Disclaimers/Prohibited Activities\nFor the avoidance of doubt, the following activities are expressly prohibited:\n\n•\tDownloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential Marriott data or data belonging to Marriott’s business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party (other than your own) directly or indirectly affiliated with Marriott (collectively, Marriott Data);\n\n•\tHacking, penetrating, or otherwise attempting to gain unauthorized access to Marriott applications, systems, or Marriott Data in violation of the Program Terms or applicable laws;\n \n•\tEngaging in any social engineering (e.g. phishing, vishing, smishing) or denial of service testing;\n\n•\tMass creation of accounts to perform testing against Marriott applications and services;\n\n•\tConducting physical attacks against any Marriott assets (e.g. any equipment within and Marriott facilities themselves, such as hotel locks, etc.); and \n\n•\tDisrupting or otherwise adversely affecting Marriott’s business, the operation of any Marriott applications or systems, or the use and protection of Marriott Data.  \n\nMarriott reserves all rights and potential claims with respect to any such prohibited activities.  
\n\n\n# Confidentiality\nUnless Marriott provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the Marriott program, including discussions related to our program or any vulnerabilities (even if resolved).\n\n# Disclosure Policy\n* While this is a public program, Marriott does not allow for any form of public disclosure at this time. Please do not discuss or write about any vulnerabilities (even resolved ones) outside of the program without express consent from Marriott.\n* If you publicly disclose any vulnerability information without explicit permission from Marriott, any safe harbor terms will not apply.\n* The terms in this policy supersede any conflicting HackerOne rules, guidelines, and terms.\n\n\nThank you for helping to protect Marriott’s systems and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-02T01:38:39.101Z"},{"id":3657745,"new_policy":"# Welcome to the Marriott Bug Bounty program. \nThe Marriott Group, which includes Marriott International, Inc., Starwood Hotels \u0026 Resorts Worldwide, LLC, and their affiliates (collectively, Marriott) takes cybersecurity seriously.  The responsible disclosure of potential vulnerabilities by this community helps us to ensure the security and privacy of our customers and data.  \n\nExcept as modified by these terms of Marriott’s bounty program, the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and [Code of Conduct](https://www.hackerone.com/policies/code-of-conduct) apply to your participation in Marriott’s bounty program.  
By submitting a potential vulnerability report (Submission), you acknowledge that you have read and agreed to the terms of Marriott’s program (Program Terms).  Marriott may revise the Program Terms or terminate the bounty program at any time.  Marriott’s bounty program intakes bugs discovered by members of the cybersecurity community. Researchers' identities and vulnerability details are not disclosed.\n \n\n# Submission Requirements\n\n1.\tA detailed summary of the vulnerability, including: type of issue; location; product; version; and configuration of any software, as appropriate; \n\n2.\tEstimated severity and/or impact of the issue, if any;\n\n3.\tSuggested mitigation or remediation actions, if appropriate; and \n\n4.\tReport must not contain results from automated scanners\n\n\n\n# Out of Scope\n* Please do not test assets owned by Marriott Vacations Worldwide, Marriott Vacations Clubs,  Vistana, Interval International, Marriott Co Financial, Interval Leisure Group and Martiz Websites. \n* UI Redressing via custom .html files\n* Missing best practices in SSL/TLS configuration.\n* Clickjacking on pages with no sensitive actions.\n* Any activity that could lead to the disruption of our service (DoS).\n* XSS and CRLF that require user interaction.\n* Reflected XSS on Marriott.com via parameters in URL or DOM (especially via specially crafted html files)\n* Attacks requiring MITM or physical access to a user's device.\n* Open Re-direct Issues without linking to other credential leakage or some other compromise.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n# Program Rules\n* Validate WHOIS registration data to make sure that the technical abuse contact is domain.administrator@marriott.com. This shows for sure that we control the domain. \n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Rewards \nMarriott International may provide rewards to eligible reporters of qualifying vulnerabilities.   Reward amounts may vary depending upon the severity of the vulnerability reported.  Additionally, in order to accurately gauge how much a vulnerability is worth, Marriott will consider the application affected, ease or likelihood of exploit-ability, and the overall security impact of the issue.  \n\nMarriott reserves the right to decide if the minimum severity threshold is met and whether it was previously reported or known by Marriott.  Rewards are granted entirely at the discretion of Marriott.\n\n| Low | Medium | High | Critical |  \n|-----|---------|-------|-------|\n|  $300 | $800 | $4,000 | $10,000 |\n\n\n#What You Can Expect From Us\nWe take every submission seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like Marriott and the broader Internet community.  We will investigate every submission and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible.  
\nMarriott will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:\n\n| Type of Response | Estimated SLA in business days | \n|----------|--------------------|\n|  First Response | 2 days | \n| Time to Triage   | 5 days |\n| Time to  Bounty   | 10 days |\n|  Time to Resolution   | depends on severity and complexity |\n\nResearchers will be kept informed about our progress throughout the process.\n\n# Disclaimers/Prohibited Activities\nFor the avoidance of doubt, the following activities are expressly prohibited:\n\n•\tDownloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential Marriott data or data belonging to Marriott’s business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party (other than your own) directly or indirectly affiliated with Marriott (collectively, Marriott Data);\n\n•\tHacking, penetrating, or otherwise attempting to gain unauthorized access to Marriott applications, systems, or Marriott Data in violation of the Program Terms or applicable laws;\n \n•\tEngaging in any social engineering (e.g. phishing, vishing, smishing) or denial of service testing;\n\n•\tMass creation of accounts to perform testing against Marriott applications and services;\n\n•\tConducting physical attacks against any Marriott assets (e.g. any equipment within and Marriott facilities themselves, such as hotel locks, etc.); and \n\n•\tDisrupting or otherwise adversely affecting Marriott’s business, the operation of any Marriott applications or systems, or the use and protection of Marriott Data.  \n\nMarriott reserves all rights and potential claims with respect to any such prohibited activities.  
\n\n\n# Confidentiality\nUnless Marriott provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the Marriott program, including discussions related to our program or any vulnerabilities (even if resolved).\n\n# Disclosure Policy\n* While this is a public program, Marriott does not allow for any form of public disclosure at this time. Please do not discuss or write about any vulnerabilities (even resolved ones) outside of the program without express consent from Marriott.\n* If you publicly disclose any vulnerability information without explicit permission from Marriott, any safe harbor terms will not apply.\n* The terms in this policy supersede any conflicting HackerOne rules, guidelines, and terms.\n\n\nThank you for helping to protect Marriott’s systems and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-01T16:43:08.149Z"},{"id":3657742,"new_policy":"# Welcome to the Marriott Bug Bounty program. \nThe Marriott Group, which includes Marriott International, Inc., Starwood Hotels \u0026 Resorts Worldwide, LLC, and their affiliates (collectively, Marriott) takes cybersecurity seriously.  The responsible disclosure of potential vulnerabilities by this community helps us to ensure the security and privacy of our customers and data.  \n\nExcept as modified by these terms of Marriott’s bounty program, the [HackerOne Finder Terms and Conditions](https://www.hackerone.com/terms/finder) and [Code of Conduct](https://www.hackerone.com/policies/code-of-conduct) apply to your participation in Marriott’s bounty program.  
By submitting a potential vulnerability report (Submission), you acknowledge that you have read and agreed to the terms of Marriott’s program (Program Terms).  Marriott may revise the Program Terms or terminate the bounty program at any time.  Marriott’s bounty program intakes bugs discovered by members of the cybersecurity community. Researchers' identities and vulnerability details are not disclosed.\n \n\n# Submission Requirements\n\n1.\tA detailed summary of the vulnerability, including: type of issue; location; product; version; and configuration of any software, as appropriate; \n\n2.\tEstimated severity and/or impact of the issue, if any;\n\n3.\tSuggested mitigation or remediation actions, if appropriate; and \n\n4.\tReport must not contain results from automated scanners\n\n\n\n# Out of Scope\n* Please do not test assets owned by Marriott Vacations Worldwide, Marriott Vacations Clubs,  Vistana, Interval International, Marriott Co Financial, Interval Leisure Group and Martiz Websites. \n* UI Redressing via custom .html files\n* Missing best practices in SSL/TLS configuration.\n* Clickjacking on pages with no sensitive actions.\n* Any activity that could lead to the disruption of our service (DoS).\n* XSS and CRLF that require user interaction.\n* Reflected XSS on Marriott.com via parameters in URL or DOM (especially via specially crafted html files)\n* Attacks requiring MITM or physical access to a user's device.\n* Open Re-direct Issues without linking to other credential leakage or some other compromise.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n# Program Rules\n* Validate WHOIS registration data to make sure that the technical abuse contact is domain.administrator@marriott.com. This shows for sure that we control the domain. \n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n#What You Can Expect From Us\nWe take every submission seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like Marriott and the broader Internet community.  We will investigate every submission and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible.  
\nMarriott will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:\n\n| Type of Response | Estimated SLA in business days | \n|----------|--------------------|\n|  First Response | 2 days | \n| Time to Triage   | 5 days |\n| Time to  Bounty   | 10 days |\n|  Time to Resolution   | depends on severity and complexity |\n\nResearchers will be kept informed about our progress throughout the process.\n\n# Disclaimers/Prohibited Activities\nFor the avoidance of doubt, the following activities are expressly prohibited:\n\n•\tDownloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential Marriott data or data belonging to Marriott’s business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party (other than your own) directly or indirectly affiliated with Marriott (collectively, Marriott Data);\n\n•\tHacking, penetrating, or otherwise attempting to gain unauthorized access to Marriott applications, systems, or Marriott Data in violation of the Program Terms or applicable laws;\n \n•\tEngaging in any social engineering (e.g. phishing, vishing, smishing) or denial of service testing;\n\n•\tMass creation of accounts to perform testing against Marriott applications and services;\n\n•\tConducting physical attacks against any Marriott assets (e.g. any equipment within and Marriott facilities themselves, such as hotel locks, etc.); and \n\n•\tDisrupting or otherwise adversely affecting Marriott’s business, the operation of any Marriott applications or systems, or the use and protection of Marriott Data.  \n\nMarriott reserves all rights and potential claims with respect to any such prohibited activities.  
\n\n\n# Confidentiality\nUnless Marriott provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the Marriott program, including discussions related to our program or any vulnerabilities (even if resolved).\n\n# Disclosure Policy\n* While this is a public program, Marriott does not allow for any form of public disclosure at this time. Please do not discuss or write about any vulnerabilities (even resolved ones) outside of the program without express consent from Marriott.\n* If you publicly disclose any vulnerability information without explicit permission from Marriott, any safe harbor terms will not apply.\n* The terms in this policy supersede any conflicting HackerOne rules, guidelines, and terms.\n\n\nThank you for helping to protect Marriott’s systems and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-01T16:05:02.987Z"},{"id":3647975,"new_policy":"# Policy\nThe Marriott Group, which includes Marriott International, Inc., Starwood Hotels \u0026 Resorts Worldwide, LLC, and their affiliates (collectively, Marriott) takes cybersecurity seriously. Marriott has launched a vulnerability response program, using the HackerOne platform. The responsible disclosure of potential vulnerabilities by this community helps us to ensure the security and privacy of our customers and data.\n\nExcept as modified by these terms of Marriott’s vulnerability response program, the HackerOne [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) apply to your participation in Marriott’s vulnerability response program. 
By submitting a potential vulnerability report (Submission), you acknowledge that you have read and agreed to the terms of Marriott’s program (Program Terms). Marriott may revise the Program Terms or terminate the vulnerability response program at any time. Marriott’s vulnerability disclosure program intakes bugs discovered by members of the cyber security community. Researcher’s identities and vulnerability details are not disclosed.\n\n#Confidentiality\nUnless Marriott provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the Marriott program, including discussions related to our program or any vulnerabilities (even if resolved).\n \n#Disclaimers/Prohibited Activities\nFor the avoidance of doubt, the following activities are expressly prohibited:\n\n* Downloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential Marriott data or data belonging to Marriott’s business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party (other than your own) directly or indirectly affiliated with Marriott (collectively, Marriott Data);\n* Hacking, penetrating, or otherwise attempting to gain unauthorized access to Marriott applications, systems, or Marriott Data in violation of the Program Terms or applicable laws;\n* Engaging in any social engineering (e.g. phishing, vishing, smishing) or denial of service testing;\n* Mass creation of accounts to perform testing against Marriott applications and services;\n* Conducting physical attacks against any Marriott assets (e.g. any equipment within and Marriott facilities themselves, such as hotel locks, etc.); and\n* Disrupting or otherwise adversely affecting Marriott’s business, the operation of any Marriott applications or systems, or the use and protection of Marriott Data. 
**Scripts/scanners must not exceed 100 requests per second.**\n* Extortion of any kind by asking for money or threatening disclosure of information.\n\nMarriott reserves all rights and potential claims with respect to any such prohibited activities.\n\n\n#Submission Requirements\n0. Validate WHOIS registration data to make sure that the technical abuse contact is domain.administrator@marriott.com. This shows for sure that we control the domain. \n1. A detailed summary of the vulnerability, including: type of issue; location; product; version; and configuration of any software, as appropriate;\n2. Step-by-step instructions necessary to reproduce the issue or vulnerability;\n3. Estimated severity and/or impact of the issue, if any;\n4. Suggested mitigation or remediation actions, if appropriate; and\n5. Any relevant attachments\n6. Report must not contain results from automated scanners\n\n#Out of Scope\n* Marriott Vacations Worldwide, Marriott Vacations Clubs,  Vistana, Interval International, Interval Leisure Group and Martiz Websites are not owned by MI. Please do not test them. \n* Custom UI and HTML Page Editing\n* Missing best practices in SSL/TLS configuration.\n* Clickjacking on pages with no sensitive actions.\n* Any activity that could lead to the disruption of our service (DoS).\n* XSS and CRLF that require user interaction.\n* Attacks requiring MITM or physical access to a user's device.\n* Open Re-direct Issues without linking to other credential leakage or some other compromise.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n# Scope Priorities\nThis is what we're most interested in:\n1. Vulnerable, auxiliary assets: vulnerable websites and applications that may be owned or affiliated with Marriott. Corporate related websites/cloud infrastructure/containers/etc that are run by vendors on our behalf. \n   - Examples: https://www.sparosseau.com/, Bonvoy Points promotion site\n2. 
Credentials, API keys, tokens, certificates or passwords in code repositories that could impact our corporate production or development environments\n\n# General Rules\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only accept and triage the first report that was received (provided that it can be fully reproduced).\n* Absolutely no public disclosure of any information related to Marriott and its Vulnerability Disclosure Program.\n\n\n# What You Can Expect From Us\nWe take every Submission seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like Marriott and the broader Internet community. We will investigate every Submission and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible.\n \nMarriott will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:\n\n• Time to first response (from report submit date) = 5 business days\n• Time to triage (from report submit date) = 10 business days\n• Resolution = Depends on complexity and severity\n\nResearchers will be kept informed about our progress throughout the process.\n\nThank you for helping to protect Marriott’s systems and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-01-22T18:25:44.084Z"},{"id":3644690,"new_policy":"# Policy\nThe Marriott Group, which includes Marriott International, Inc., Starwood Hotels \u0026 Resorts Worldwide, LLC, and their affiliates (collectively, Marriott) takes cybersecurity seriously. 
Marriott has launched a vulnerability response program, using the HackerOne platform. The responsible disclosure of potential vulnerabilities by this community helps us to ensure the security and privacy of our customers and data.\n\nExcept as modified by these terms of Marriott’s vulnerability response program, the HackerOne [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) apply to your participation in Marriott’s vulnerability response program. By submitting a potential vulnerability report (Submission), you acknowledge that you have read and agreed to the terms of Marriott’s program (Program Terms). Marriott may revise the Program Terms or terminate the vulnerability response program at any time. Marriott’s vulnerability disclosure program intakes bugs discovered by members of the cyber security community. Researchers’ identities and vulnerability details are not disclosed.\n\n*We are currently only accepting High and Critical severity bug reports*\n\n# Confidentiality\nUnless Marriott provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the Marriott program, including discussions related to our program or any vulnerabilities (even if resolved).\n\n# Disclaimers/Prohibited Activities\nFor the avoidance of doubt, the following activities are expressly prohibited:\n\n* Downloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential Marriott data or data belonging to Marriott’s business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party (other than your own) directly or indirectly affiliated with Marriott (collectively, Marriott Data);\n* Hacking, penetrating, or otherwise attempting to gain unauthorized access to Marriott applications, systems, or Marriott Data in violation of the Program Terms or applicable laws;\n* Engaging in any social 
engineering (e.g. phishing, vishing, smishing) or denial of service testing;\n* Mass creation of accounts to perform testing against Marriott applications and services;\n* Conducting physical attacks against any Marriott assets (e.g. any equipment within Marriott facilities and the facilities themselves, such as hotel locks, etc.); and\n* Disrupting or otherwise adversely affecting Marriott’s business, the operation of any Marriott applications or systems, or the use and protection of Marriott Data. **Scripts/scanners must not exceed 100 requests per second.**\n* Extortion of any kind by asking for money or threatening disclosure of information.\n\nMarriott reserves all rights and potential claims with respect to any such prohibited activities.\n\n\n# Submission Requirements\n0. Validate WHOIS registration data to make sure that the technical abuse contact is domain.administrator@marriott.com. This confirms that we control the domain. \n1. A detailed summary of the vulnerability, including: type of issue; location; product; version; and configuration of any software, as appropriate;\n2. Step-by-step instructions necessary to reproduce the issue or vulnerability;\n3. Estimated severity and/or impact of the issue, if any;\n4. Suggested mitigation or remediation actions, if appropriate; and\n5. Any relevant attachments\n6. Report must not contain results from automated scanners\n\n# Out of Scope\n* Marriott Vacations Worldwide, Marriott Vacations Clubs, Vistana, Interval International, Interval Leisure Group and Martiz Websites are not owned by MI. Please do not test them. 
\n* Custom UI and HTML Page Editing\n* Missing best practices in SSL/TLS configuration.\n* Clickjacking on pages with no sensitive actions.\n* Any activity that could lead to the disruption of our service (DoS).\n* XSS and CRLF injection that require user interaction.\n* Attacks requiring MITM or physical access to a user's device.\n* Open Redirect issues without linking to other credential leakage or some other compromise.\n* Content spoofing and text injection issues without a demonstrated attack vector or the ability to modify HTML/CSS\n\n# Scope Priorities\nThis is what we're most interested in:\n1. Vulnerable, auxiliary assets: vulnerable websites and applications that may be owned by or affiliated with Marriott. Corporate-related websites, cloud infrastructure, containers, etc. that are run by vendors on our behalf. \n   - Examples: https://www.sparosseau.com/, Bonvoy Points promotion site\n2. Credentials, API keys, tokens, certificates or passwords in code repositories that could impact our corporate production or development environments\n\n# General Rules\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only accept and triage the first report that was received (provided that it can be fully reproduced).\n* Absolutely no public disclosure of any information related to Marriott and its Vulnerability Disclosure Program.\n\n\n# What You Can Expect From Us\nWe take every Submission seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like Marriott and the broader Internet community. 
We will investigate every Submission and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible.\n \nMarriott will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:\n\n• Time to first response (from report submit date) = 5 business days\n• Time to triage (from report submit date) = 10 business days\n• Resolution = Depends on complexity and severity\n\nResearchers will be kept informed about our progress throughout the process.\n\nThank you for helping to protect Marriott’s systems and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-11-03T15:37:57.328Z"},{"id":3643575,"new_policy":"# Policy\nThe Marriott Group, which includes Marriott International, Inc., Starwood Hotels \u0026 Resorts Worldwide, LLC, and their affiliates (collectively, Marriott) takes cybersecurity seriously. Marriott has launched a vulnerability response program, using the HackerOne platform. The responsible disclosure of potential vulnerabilities by this community helps us to ensure the security and privacy of our customers and data.\n\nExcept as modified by these terms of Marriott’s vulnerability response program, the HackerOne [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) apply to your participation in Marriott’s vulnerability response program. By submitting a potential vulnerability report (Submission), you acknowledge that you have read and agreed to the terms of Marriott’s program (Program Terms). Marriott may revise the Program Terms or terminate the vulnerability response program at any time. 
Marriott’s vulnerability disclosure program intakes bugs discovered by members of the cyber security community. Researchers’ identities and vulnerability details are not disclosed.\n\n*We are currently only accepting High and Critical severity bug reports*\n\n# Confidentiality\nUnless Marriott provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the Marriott program, including discussions related to our program or any vulnerabilities (even if resolved).\n\n# Disclaimers/Prohibited Activities\nFor the avoidance of doubt, the following activities are expressly prohibited:\n\n* Downloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential Marriott data or data belonging to Marriott’s business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party (other than your own) directly or indirectly affiliated with Marriott (collectively, Marriott Data);\n* Hacking, penetrating, or otherwise attempting to gain unauthorized access to Marriott applications, systems, or Marriott Data in violation of the Program Terms or applicable laws;\n* Engaging in any social engineering (e.g. phishing, vishing, smishing) or denial of service testing;\n* Mass creation of accounts to perform testing against Marriott applications and services;\n* Conducting physical attacks against any Marriott assets (e.g. any equipment within Marriott facilities and the facilities themselves, such as hotel locks, etc.); and\n* Disrupting or otherwise adversely affecting Marriott’s business, the operation of any Marriott applications or systems, or the use and protection of Marriott Data. 
**Scripts/scanners must not exceed 100 requests per second.**\n* Extortion of any kind by asking for money or threatening disclosure of information.\n\nMarriott reserves all rights and potential claims with respect to any such prohibited activities.\n\n\n# Submission Requirements\n0. Validate WHOIS registration data to make sure that the technical abuse contact is domain.administrator@marriott.com. This confirms that we control the domain. \n1. A detailed summary of the vulnerability, including: type of issue; location; product; version; and configuration of any software, as appropriate;\n2. Step-by-step instructions necessary to reproduce the issue or vulnerability;\n3. Estimated severity and/or impact of the issue, if any;\n4. Suggested mitigation or remediation actions, if appropriate; and\n5. Any relevant attachments\n6. Report must not contain results from automated scanners\n\n# Out of Scope\n* Marriott Vacations Worldwide, Marriott Vacations Clubs, Vistana, Interval International, Interval Leisure Group and Martiz Websites are not owned by MI. Please do not test them. \n* Any Low or Medium vulnerability\n* Custom UI and HTML Page Editing\n* Missing best practices in SSL/TLS configuration.\n* Clickjacking on pages with no sensitive actions.\n* Any activity that could lead to the disruption of our service (DoS).\n* XSS and CRLF injection that require user interaction.\n* Attacks requiring MITM or physical access to a user's device.\n* Open Redirect issues without linking to other credential leakage or some other compromise.\n* Content spoofing and text injection issues without a demonstrated attack vector or the ability to modify HTML/CSS\n\n# Scope Priorities\nThis is what we're most interested in:\n1. Vulnerable, auxiliary assets: vulnerable websites and applications that may be owned by or affiliated with Marriott. Corporate-related websites, cloud infrastructure, containers, etc. that are run by vendors on our behalf. 
\n   - Examples: https://www.sparosseau.com/, Bonvoy Points promotion site\n2. Credentials, API keys, tokens, certificates or passwords in code repositories that could impact our corporate production or development environments\n\n# General Rules\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only accept and triage the first report that was received (provided that it can be fully reproduced).\n* Absolutely no public disclosure of any information related to Marriott and its Vulnerability Disclosure Program.\n\n\n# What You Can Expect From Us\nWe take every Submission seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like Marriott and the broader Internet community. We will investigate every Submission and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible.\n \nMarriott will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:\n\n• Time to first response (from report submit date) = 5 business days\n• Time to triage (from report submit date) = 10 business days\n• Resolution = Depends on complexity and severity\n\nResearchers will be kept informed about our progress throughout the process.\n\nThank you for helping to protect Marriott’s systems and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-10-09T18:36:46.421Z"},{"id":3643537,"new_policy":"# Policy\nThe Marriott Group, which includes Marriott International, Inc., Starwood Hotels \u0026 Resorts Worldwide, LLC, and their affiliates (collectively, Marriott) takes 
cybersecurity seriously. Marriott has launched a vulnerability response program, using the HackerOne platform. The responsible disclosure of potential vulnerabilities by this community helps us to ensure the security and privacy of our customers and data.\n\nExcept as modified by these terms of Marriott’s vulnerability response program, the HackerOne [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) apply to your participation in Marriott’s vulnerability response program. By submitting a potential vulnerability report (Submission), you acknowledge that you have read and agreed to the terms of Marriott’s program (Program Terms). Marriott may revise the Program Terms or terminate the vulnerability response program at any time. Marriott’s vulnerability disclosure program intakes bugs discovered by members of the cyber security community. Researchers’ identities and vulnerability details are not disclosed.\n\n*We are currently only accepting High and Critical severity bug reports*\n\n# Confidentiality\nUnless Marriott provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the Marriott program, including discussions related to our program or any vulnerabilities (even if resolved).\n\n# Disclaimers/Prohibited Activities\nFor the avoidance of doubt, the following activities are expressly prohibited:\n\n* Downloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential Marriott data or data belonging to Marriott’s business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party (other than your own) directly or indirectly affiliated with Marriott (collectively, Marriott Data);\n* Hacking, penetrating, or otherwise attempting to gain unauthorized access to Marriott applications, systems, or Marriott Data in violation of the Program Terms or applicable laws;\n* 
Engaging in any social engineering (e.g. phishing, vishing, smishing) or denial of service testing;\n* Mass creation of accounts to perform testing against Marriott applications and services;\n* Conducting physical attacks against any Marriott assets (e.g. any equipment within Marriott facilities and the facilities themselves, such as hotel locks, etc.); and\n* Disrupting or otherwise adversely affecting Marriott’s business, the operation of any Marriott applications or systems, or the use and protection of Marriott Data. **Scripts/scanners must not exceed 100 requests per second.**\n* Extortion of any kind by asking for money or threatening disclosure of information.\n\nMarriott reserves all rights and potential claims with respect to any such prohibited activities.\n\n\n# Submission Requirements\n0. Validate WHOIS registration data to make sure that the technical abuse contact is domain.administrator@marriott.com. This confirms that we control the domain. \n1. A detailed summary of the vulnerability, including: type of issue; location; product; version; and configuration of any software, as appropriate;\n2. Step-by-step instructions necessary to reproduce the issue or vulnerability;\n3. Estimated severity and/or impact of the issue, if any;\n4. Suggested mitigation or remediation actions, if appropriate; and\n5. Any relevant attachments\n6. Report must not contain results from automated scanners\n\n# Out of Scope\n* Marriott Vacations Worldwide, Marriott Vacations Clubs, Vistana, Interval International, Interval Leisure Group and Martiz Websites are not owned by MI. Please do not test them. 
\n* Any Low or Medium vulnerability\n* Custom UI and HTML Page Editing\n* Missing best practices in SSL/TLS configuration.\n* Clickjacking on pages with no sensitive actions.\n* Any activity that could lead to the disruption of our service (DoS).\n* XSS and CRLF injection that require user interaction.\n* Attacks requiring MITM or physical access to a user's device.\n* Open Redirect issues without linking to other credential leakage or some other compromise.\n* Content spoofing and text injection issues without a demonstrated attack vector or the ability to modify HTML/CSS\n\n# General Rules\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only accept and triage the first report that was received (provided that it can be fully reproduced).\n* Absolutely no public disclosure of any information related to Marriott and its Vulnerability Disclosure Program.\n\n\n# What You Can Expect From Us\nWe take every Submission seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like Marriott and the broader Internet community. 
We will investigate every Submission and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible.\n \nMarriott will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:\n\n• Time to first response (from report submit date) = 5 business days\n• Time to triage (from report submit date) = 10 business days\n• Resolution = Depends on complexity and severity\n\nResearchers will be kept informed about our progress throughout the process.\n\nThank you for helping to protect Marriott’s systems and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-10-08T23:16:39.389Z"},{"id":3643536,"new_policy":"# Policy\nThe Marriott Group, which includes Marriott International, Inc., Starwood Hotels \u0026 Resorts Worldwide, LLC, and their affiliates (collectively, Marriott) takes cybersecurity seriously. Marriott has launched a vulnerability response program, using the HackerOne platform. The responsible disclosure of potential vulnerabilities by this community helps us to ensure the security and privacy of our customers and data.\n\nExcept as modified by these terms of Marriott’s vulnerability response program, the HackerOne [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) apply to your participation in Marriott’s vulnerability response program. By submitting a potential vulnerability report (Submission), you acknowledge that you have read and agreed to the terms of Marriott’s program (Program Terms). Marriott may revise the Program Terms or terminate the vulnerability response program at any time. 
Marriott’s vulnerability disclosure program intakes bugs discovered by members of the cyber security community. Researchers’ identities and vulnerability details are not disclosed.\n\n*We are currently only accepting High and Critical severity bug reports*\n\n# Confidentiality\nUnless Marriott provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the Marriott program, including discussions related to our program or any vulnerabilities (even if resolved).\n\n# Disclaimers/Prohibited Activities\nFor the avoidance of doubt, the following activities are expressly prohibited:\n\n* Downloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential Marriott data or data belonging to Marriott’s business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party (other than your own) directly or indirectly affiliated with Marriott (collectively, Marriott Data);\n* Hacking, penetrating, or otherwise attempting to gain unauthorized access to Marriott applications, systems, or Marriott Data in violation of the Program Terms or applicable laws;\n* Engaging in any social engineering (e.g. phishing, vishing, smishing) or denial of service testing;\n* Mass creation of accounts to perform testing against Marriott applications and services;\n* Conducting physical attacks against any Marriott assets (e.g. any equipment within Marriott facilities and the facilities themselves, such as hotel locks, etc.); and\n* Disrupting or otherwise adversely affecting Marriott’s business, the operation of any Marriott applications or systems, or the use and protection of Marriott Data. 
**Scripts/scanners must not exceed 100 requests per second.**\n* Extortion of any kind by asking for money or threatening disclosure of information.\n\nMarriott reserves all rights and potential claims with respect to any such prohibited activities.\n\n\n# Submission Requirements\n0. Validate WHOIS registration data to make sure that the IP or domain is owned by CSC CORPORATE DOMAINS, INC. A domain with any other registrant may not be associated with marriott.com\n1. A detailed summary of the vulnerability, including: type of issue; location; product; version; and configuration of any software, as appropriate;\n2. Step-by-step instructions necessary to reproduce the issue or vulnerability;\n3. Estimated severity and/or impact of the issue, if any;\n4. Suggested mitigation or remediation actions, if appropriate; and\n5. Any relevant attachments\n6. Report must not contain results from automated scanners\n\n# Out of Scope\n* Marriott Vacations Worldwide, Marriott Vacations Clubs, Vistana, Interval International, Interval Leisure Group and Martiz Websites are not owned by MI. Please do not test them. 
\n* Any Low or Medium vulnerability\n* Custom UI and HTML Page Editing\n* Missing best practices in SSL/TLS configuration.\n* Clickjacking on pages with no sensitive actions.\n* Any activity that could lead to the disruption of our service (DoS).\n* XSS and CRLF injection that require user interaction.\n* Attacks requiring MITM or physical access to a user's device.\n* Open Redirect issues without linking to other credential leakage or some other compromise.\n* Content spoofing and text injection issues without a demonstrated attack vector or the ability to modify HTML/CSS\n\n# General Rules\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only accept and triage the first report that was received (provided that it can be fully reproduced).\n* Absolutely no public disclosure of any information related to Marriott and its Vulnerability Disclosure Program.\n\n\n# What You Can Expect From Us\nWe take every Submission seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like Marriott and the broader Internet community. 
We will investigate every Submission and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible.\n \nMarriott will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:\n\n• Time to first response (from report submit date) = 5 business days\n• Time to triage (from report submit date) = 10 business days\n• Resolution = Depends on complexity and severity\n\nResearchers will be kept informed about our progress throughout the process.\n\nThank you for helping to protect Marriott’s systems and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-10-08T23:15:36.915Z"},{"id":3643513,"new_policy":"# Policy\nThe Marriott Group, which includes Marriott International, Inc., Starwood Hotels \u0026 Resorts Worldwide, LLC, and their affiliates (collectively, Marriott) takes cybersecurity seriously. Marriott has launched a vulnerability response program, using the HackerOne platform. The responsible disclosure of potential vulnerabilities by this community helps us to ensure the security and privacy of our customers and data.\n\nExcept as modified by these terms of Marriott’s vulnerability response program, the HackerOne [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) apply to your participation in Marriott’s vulnerability response program. By submitting a potential vulnerability report (Submission), you acknowledge that you have read and agreed to the terms of Marriott’s program (Program Terms). Marriott may revise the Program Terms or terminate the vulnerability response program at any time. 
Marriott’s vulnerability disclosure program intakes bugs discovered by members of the cyber security community. Researchers’ identities and vulnerability details are not disclosed.\n\n*We are currently only accepting High and Critical severity bug reports*\n\n# Confidentiality\nUnless Marriott provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the Marriott program, including discussions related to our program or any vulnerabilities (even if resolved).\n\n# Disclaimers/Prohibited Activities\nFor the avoidance of doubt, the following activities are expressly prohibited:\n\n* Downloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential Marriott data or data belonging to Marriott’s business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party (other than your own) directly or indirectly affiliated with Marriott (collectively, Marriott Data);\n* Hacking, penetrating, or otherwise attempting to gain unauthorized access to Marriott applications, systems, or Marriott Data in violation of the Program Terms or applicable laws;\n* Engaging in any social engineering (e.g. phishing, vishing, smishing) or denial of service testing;\n* Mass creation of accounts to perform testing against Marriott applications and services;\n* Conducting physical attacks against any Marriott assets (e.g. any equipment within Marriott facilities and the facilities themselves, such as hotel locks, etc.); and\n* Disrupting or otherwise adversely affecting Marriott’s business, the operation of any Marriott applications or systems, or the use and protection of Marriott Data. 
**Scripts/scanners must not exceed 100 requests per second.**\n* Extortion of any kind by asking for money or threatening disclosure of information.\n\nMarriott reserves all rights and potential claims with respect to any such prohibited activities.\n\n\n# Submission Requirements\n0. Validate WHOIS registration data to make sure that the IP or domain is owned by CSC CORPORATE DOMAINS, INC. A domain with any other registrant may not be associated with marriott.com\n1. A detailed summary of the vulnerability, including: type of issue; location; product; version; and configuration of any software, as appropriate;\n2. Step-by-step instructions necessary to reproduce the issue or vulnerability;\n3. Estimated severity and/or impact of the issue, if any;\n4. Suggested mitigation or remediation actions, if appropriate; and\n5. Any relevant attachments\n6. Report must not contain results from automated scanners\n\n# Out of Scope\n* Marriott Vacations Worldwide and Martiz Websites are not owned by MI. \n* Any Low or Medium vulnerability\n* Custom UI and HTML Page Editing\n* Missing best practices in SSL/TLS configuration.\n* Clickjacking on pages with no sensitive actions.\n* Any activity that could lead to the disruption of our service (DoS).\n* XSS and CRLF injection that require user interaction.\n* Attacks requiring MITM or physical access to a user's device.\n* Open Redirect issues without linking to other credential leakage or some other compromise.\n* Content spoofing and text injection issues without a demonstrated attack vector or the ability to modify HTML/CSS\n\n# General Rules\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only accept and triage the first report that was received (provided that it can be fully reproduced).\n* Absolutely no public disclosure of any information related to Marriott and its Vulnerability Disclosure Program.\n\n\n# What You Can Expect From Us\nWe take every Submission 
seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like Marriott and the broader Internet community. We will investigate every Submission and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible.\n \nMarriott will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:\n\n• Time to first response (from report submit date) = 5 business days\n• Time to triage (from report submit date) = 10 business days\n• Resolution = Depends on complexity and severity\n\nResearchers will be kept informed about our progress throughout the process.\n\nThank you for helping to protect Marriott’s systems and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-10-08T14:40:23.506Z"},{"id":3641955,"new_policy":"# Policy\nThe Marriott Group, which includes Marriott International, Inc., Starwood Hotels \u0026 Resorts Worldwide, LLC, and their affiliates (collectively, Marriott) takes cybersecurity seriously. Marriott has launched a vulnerability response program, using the HackerOne platform. The responsible disclosure of potential vulnerabilities by this community helps us to ensure the security and privacy of our customers and data.\n\nExcept as modified by these terms of Marriott’s vulnerability response program, the HackerOne [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) apply to your participation in Marriott’s vulnerability response program. By submitting a potential vulnerability report (Submission), you acknowledge that you have read and agreed to the terms of Marriott’s program (Program Terms). 
Marriott may revise the Program Terms or terminate the vulnerability response program at any time. Marriott’s vulnerability disclosure program intakes bugs discovered by members of the cyber security community. Researchers’ identities and vulnerability details are not disclosed.\n\n*We are currently only accepting High and Critical severity bug reports*\n\n# Confidentiality\nUnless Marriott provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the Marriott program, including discussions related to our program or any vulnerabilities (even if resolved).\n\n# Disclaimers/Prohibited Activities\nFor the avoidance of doubt, the following activities are expressly prohibited:\n\n* Downloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential Marriott data or data belonging to Marriott’s business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party (other than your own) directly or indirectly affiliated with Marriott (collectively, Marriott Data);\n* Hacking, penetrating, or otherwise attempting to gain unauthorized access to Marriott applications, systems, or Marriott Data in violation of the Program Terms or applicable laws;\n* Engaging in any social engineering (e.g. phishing, vishing, smishing) or denial of service testing;\n* Mass creation of accounts to perform testing against Marriott applications and services;\n* Conducting physical attacks against any Marriott assets (e.g. any equipment within Marriott facilities and the facilities themselves, such as hotel locks, etc.); and\n* Disrupting or otherwise adversely affecting Marriott’s business, the operation of any Marriott applications or systems, or the use and protection of Marriott Data. 
**Scripts/scanners must not exceed 100 requests per second.**\n* Extortion of any kind by asking for money or threatening disclosure of information.\n\nMarriott reserves all rights and potential claims with respect to any such prohibited activities.\n\n\n# Submission Requirements\n1. A detailed summary of the vulnerability, including: type of issue; location; product; version; and configuration of any software, as appropriate;\n2. Step-by-step instructions necessary to reproduce the issue or vulnerability;\n3. Estimated severity and/or impact of the issue, if any;\n4. Suggested mitigation or remediation actions, if appropriate; and\n5. Any relevant attachments\n6. Report must not contain results from automated scanners\n\n# Out of Scope\n* Any Low or Medium vulnerability\n* Custom UI and HTML Page Editing\n* Missing best practices in SSL/TLS configuration.\n* Clickjacking on pages with no sensitive actions.\n* Any activity that could lead to the disruption of our service (DoS).\n* XSS and CRLF injection that require user interaction.\n* Attacks requiring MITM or physical access to a user's device.\n* Open Redirect issues without linking to other credential leakage or some other compromise.\n* Content spoofing and text injection issues without a demonstrated attack vector or the ability to modify HTML/CSS\n\n# General Rules\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only accept and triage the first report that was received (provided that it can be fully reproduced).\n* Absolutely no public disclosure of any information related to Marriott and its Vulnerability Disclosure Program.\n\n\n# What You Can Expect From Us\nWe take every Submission seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like Marriott and the broader Internet community. 
We will investigate every Submission and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible.\n \nMarriott will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:\n\n• Time to first response (from report submit date) = 5 business days\n• Time to triage (from report submit date) = 10 business days\n• Resolution = Depends on complexity and severity\n\nResearchers will be kept informed about our progress throughout the process.\n\nThank you for helping to protect Marriott’s systems and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-09-02T14:32:56.798Z"},{"id":3635128,"new_policy":"# Policy\nThe Marriott Group, which includes Marriott International, Inc., Starwood Hotels \u0026 Resorts Worldwide, LLC, and their affiliates (collectively, Marriott) takes cybersecurity seriously. Marriott has launched a vulnerability response program, using the HackerOne platform. The responsible disclosure of potential vulnerabilities by this community helps us to ensure the security and privacy of our customers and data.\n\nExcept as modified by these terms of Marriott’s vulnerability response program, the HackerOne [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) apply to your participation in Marriott’s vulnerability response program. By submitting a potential vulnerability report (Submission), you acknowledge that you have read and agreed to the terms of Marriott’s program (Program Terms). Marriott may revise the Program Terms or terminate the vulnerability response program at any time. 
Marriott’s vulnerability disclosure program intakes bugs discovered by members of the cyber security community. Researchers’ identities and vulnerability details are not disclosed.\n\n*We are currently only accepting High and Critical severity bug reports*\n\n#Confidentiality\nUnless Marriott provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the Marriott program, including discussions related to our program or any vulnerabilities (even if resolved).\n \n#Disclaimers/Prohibited Activities\nFor the avoidance of doubt, the following activities are expressly prohibited:\n\n* Downloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential Marriott data or data belonging to Marriott’s business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party (other than your own) directly or indirectly affiliated with Marriott (collectively, Marriott Data);\n* Hacking, penetrating, or otherwise attempting to gain unauthorized access to Marriott applications, systems, or Marriott Data in violation of the Program Terms or applicable laws;\n* Engaging in any social engineering (e.g. phishing, vishing, smishing) or denial of service testing;\n* Mass creation of accounts to perform testing against Marriott applications and services;\n* Conducting physical attacks against any Marriott assets (e.g. any equipment within Marriott facilities, and the facilities themselves, such as hotel locks, etc.); and\n* Disrupting or otherwise adversely affecting Marriott’s business, the operation of any Marriott applications or systems, or the use and protection of Marriott Data. 
**Scripts/scanners must not exceed 100 requests per second.**\n* Extortion of any kind by asking for money or threatening disclosure of information.\n\nMarriott reserves all rights and potential claims with respect to any such prohibited activities.\n\n\n#Submission Requirements\n1. A detailed summary of the vulnerability, including: type of issue; location; product; version; and configuration of any software, as appropriate;\n2. Step-by-step instructions necessary to reproduce the issue or vulnerability;\n3. Estimated severity and/or impact of the issue, if any;\n4. Suggested mitigation or remediation actions, if appropriate; and\n5. Any relevant attachments\n6. Report must not contain results from automated scanners\n\n#Out of Scope\n* Any Low or Medium vulnerability. \n* UI Redressing\n* Missing best practices in SSL/TLS configuration.\n* Clickjacking on pages with no sensitive actions.\n* Any activity that could lead to the disruption of our service (DoS).\n* XSS and CRLF that requires user interaction.\n* Attacks requiring MITM or physical access to a user's device.\n* Open Re-direct Issues without linking to other credential leakage or some other compromise.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n# General Rules\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only accept and triage the first report that was received (provided that it can be fully reproduced).\n* Absolutely no public disclosure of any information related to Marriott and its Vulnerability Disclosure Program.\n\n\n# What You Can Expect From Us\nWe take every Submission seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like Marriott and the broader Internet community. 
We will investigate every Submission and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible.\n \nMarriott will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:\n\n• Time to first response (from report submit date) = 5 business days\n• Time to triage (from report submit date) = 10 business days\n• Resolution = Depends on complexity and severity\n\nResearchers will be kept informed about our progress throughout the process.\n\nThank you for helping to protect Marriott’s systems and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-04-16T21:06:52.563Z"},{"id":3635127,"new_policy":"# Policy\nThe Marriott Group, which includes Marriott International, Inc., Starwood Hotels \u0026 Resorts Worldwide, LLC, and their affiliates (collectively, Marriott) takes cybersecurity seriously. Marriott has launched a vulnerability response program, using the HackerOne platform. The responsible disclosure of potential vulnerabilities by this community helps us to ensure the security and privacy of our customers and data.\n\nExcept as modified by these terms of Marriott’s vulnerability response program, the HackerOne [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) apply to your participation in Marriott’s vulnerability response program. By submitting a potential vulnerability report (Submission), you acknowledge that you have read and agreed to the terms of Marriott’s program (Program Terms). Marriott may revise the Program Terms or terminate the vulnerability response program at any time. 
Marriott’s vulnerability disclosure program intakes bugs discovered by members of the cyber security community. Researchers’ identities and vulnerability details are not disclosed.\n\n*We are currently only accepting High and Critical severity bug reports*\n\n#Confidentiality\nUnless Marriott provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the Marriott program, including discussions related to our program or any vulnerabilities (even if resolved).\n \n#Disclaimers/Prohibited Activities\nFor the avoidance of doubt, the following activities are expressly prohibited:\n\n* Downloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential Marriott data or data belonging to Marriott’s business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party (other than your own) directly or indirectly affiliated with Marriott (collectively, Marriott Data);\n* Hacking, penetrating, or otherwise attempting to gain unauthorized access to Marriott applications, systems, or Marriott Data in violation of the Program Terms or applicable laws;\n* Engaging in any social engineering (e.g. phishing, vishing, smishing) or denial of service testing;\n* Mass creation of accounts to perform testing against Marriott applications and services;\n* Conducting physical attacks against any Marriott assets (e.g. any equipment within Marriott facilities, and the facilities themselves, such as hotel locks, etc.); and\n* Disrupting or otherwise adversely affecting Marriott’s business, the operation of any Marriott applications or systems, or the use and protection of Marriott Data. 
**Scripts/scanners must not exceed 100 requests per second.**\n* Extortion of any kind by asking for money or threatening disclosure of information.\n\nMarriott reserves all rights and potential claims with respect to any such prohibited activities.\n\n\n#Submission Requirements\n1. A detailed summary of the vulnerability, including: type of issue; location; product; version; and configuration of any software, as appropriate;\n2. Step-by-step instructions necessary to reproduce the issue or vulnerability;\n3. Estimated severity and/or impact of the issue, if any;\n4. Suggested mitigation or remediation actions, if appropriate; and\n5. Any relevant attachments\n6. Report must not contain results from automated scanners\n\n#Out of Scope\n* Any Low or Medium vulnerability. \n* UI Redressing\n* Missing best practices in SSL/TLS configuration.\n* Clickjacking on pages with no sensitive actions.\n* Any activity that could lead to the disruption of our service (DoS).\n* XSS and CRLF that requires user interaction.\n* Attacks requiring MITM or physical access to a user's device.\n* Open Re-direct Issues without linking to other credential leakage or some other compromise.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n# General Rules\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Absolutely no public disclosure of any information related to Marriott and its Vulnerability Disclosure Program.\n\n\n# What You Can Expect From Us\nWe take every Submission seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like Marriott and the broader Internet community. 
We will investigate every Submission and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible.\n \nMarriott will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:\n\n• Time to first response (from report submit date) = 5 business days\n• Time to triage (from report submit date) = 10 business days\n• Resolution = Depends on complexity and severity\n\nResearchers will be kept informed about our progress throughout the process.\n\nThank you for helping to protect Marriott’s systems and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-04-16T21:06:29.933Z"},{"id":3634922,"new_policy":"# Policy\nThe Marriott Group, which includes Marriott International, Inc., Starwood Hotels \u0026 Resorts Worldwide, LLC, and their affiliates (collectively, Marriott) takes cybersecurity seriously. Marriott has launched a vulnerability response program, using the HackerOne platform. The responsible disclosure of potential vulnerabilities by this community helps us to ensure the security and privacy of our customers and data.\n\nExcept as modified by these terms of Marriott’s vulnerability response program, the HackerOne [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) apply to your participation in Marriott’s vulnerability response program. By submitting a potential vulnerability report (Submission), you acknowledge that you have read and agreed to the terms of Marriott’s program (Program Terms). Marriott may revise the Program Terms or terminate the vulnerability response program at any time. 
Marriott’s vulnerability disclosure program intakes bugs discovered by members of the cyber security community. Researchers’ identities and vulnerability details are not disclosed.\n\n*We are currently only accepting High and Critical severity bug reports*\n\n#Confidentiality\nUnless Marriott provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the Marriott program, including discussions related to our program or any vulnerabilities (even if resolved).\n \n#Disclaimers/Prohibited Activities\nFor the avoidance of doubt, the following activities are expressly prohibited:\n\n* Downloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential Marriott data or data belonging to Marriott’s business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party (other than your own) directly or indirectly affiliated with Marriott (collectively, Marriott Data);\n* Hacking, penetrating, or otherwise attempting to gain unauthorized access to Marriott applications, systems, or Marriott Data in violation of the Program Terms or applicable laws;\n* Engaging in any social engineering (e.g. phishing, vishing, smishing) or denial of service testing;\n* Mass creation of accounts to perform testing against Marriott applications and services;\n* Conducting physical attacks against any Marriott assets (e.g. any equipment within Marriott facilities, and the facilities themselves, such as hotel locks, etc.); and\n* Disrupting or otherwise adversely affecting Marriott’s business, the operation of any Marriott applications or systems, or the use and protection of Marriott Data. 
**Scripts/scanners must not exceed 100 requests per second.**\n* Extortion of any kind by asking for money or threatening disclosure of information.\n\nMarriott reserves all rights and potential claims with respect to any such prohibited activities.\n\n\n#Submission Requirements\n1. A detailed summary of the vulnerability, including: type of issue; location; product; version; and configuration of any software, as appropriate;\n2. Step-by-step instructions necessary to reproduce the issue or vulnerability;\n3. Estimated severity and/or impact of the issue, if any;\n4. Suggested mitigation or remediation actions, if appropriate; and\n5. Any relevant attachments\n6. Report must not contain results from automated scanners\n\n#Out of Scope\n* Any Low or Medium vulnerability. \n* UI Redressing\n* Missing best practices in SSL/TLS configuration.\n* Clickjacking on pages with no sensitive actions.\n* Any activity that could lead to the disruption of our service (DoS).\n* XSS and CRLF that requires user interaction.\n* Attacks requiring MITM or physical access to a user's device.\n* Open Re-direct Issues without linking to other credential leakage or some other compromise.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n# General Rules\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Absolutely no public disclosure of any information related to Marriott and its Vulnerability Disclosure Program.\n\n\n# What You Can Expect From Us\nWe take every Submission seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like Marriott and the broader Internet community. 
We will investigate every Submission and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible.\n \nMarriott will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:\n\n• Time to first response (from report submit date) = 5 business days\n• Time to triage (from report submit date) = 10 business days\n• Resolution = Depends on complexity and severity\n\nResearchers will be kept informed about our progress throughout the process.\n\nThank you for helping to protect Marriott’s systems and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-04-13T16:02:08.934Z"},{"id":3629696,"new_policy":"# Policy\nThe Marriott Group, which includes Marriott International, Inc., Starwood Hotels \u0026 Resorts Worldwide, LLC, and their affiliates (collectively, Marriott) takes cybersecurity seriously. Marriott has launched a vulnerability response program, using the HackerOne platform. The responsible disclosure of potential vulnerabilities by this community helps us to ensure the security and privacy of our customers and data.\n\nExcept as modified by these terms of Marriott’s vulnerability response program, the HackerOne [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines) apply to your participation in Marriott’s vulnerability response program. By submitting a potential vulnerability report (Submission), you acknowledge that you have read and agreed to the terms of Marriott’s program (Program Terms). Marriott may revise the Program Terms or terminate the vulnerability response program at any time. 
Marriott’s vulnerability disclosure program intakes bugs discovered by members of the cyber security community. Researchers’ identities and vulnerability details are not disclosed.\n\n#Confidentiality\nUnless Marriott provides you with written consent to share information, all information regarding a Submission must be kept confidential and may not be shared in any way outside of the Marriott program, including discussions related to our program or any vulnerabilities (even if resolved).\n \n#Disclaimers/Prohibited Activities\nFor the avoidance of doubt, the following activities are expressly prohibited:\n\n* Downloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential Marriott data or data belonging to Marriott’s business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party (other than your own) directly or indirectly affiliated with Marriott (collectively, Marriott Data);\n* Hacking, penetrating, or otherwise attempting to gain unauthorized access to Marriott applications, systems, or Marriott Data in violation of the Program Terms or applicable laws;\n* Engaging in any social engineering (e.g. phishing, vishing, smishing) or denial of service testing;\n* Mass creation of accounts to perform testing against Marriott applications and services;\n* Conducting physical attacks against any Marriott assets (e.g. any equipment within Marriott facilities, and the facilities themselves, such as hotel locks, etc.); and\n* Disrupting or otherwise adversely affecting Marriott’s business, the operation of any Marriott applications or systems, or the use and protection of Marriott Data. **Scripts/scanners must not exceed 100 requests per second.**\n* Extortion of any kind by asking for money or threatening disclosure of information.\n\nMarriott reserves all rights and potential claims with respect to any such prohibited activities.\n\n\n#Submission Requirements\n1. 
A detailed summary of the vulnerability, including: type of issue; location; product; version; and configuration of any software, as appropriate;\n2. Step-by-step instructions necessary to reproduce the issue or vulnerability;\n3. Estimated severity and/or impact of the issue, if any;\n4. Suggested mitigation or remediation actions, if appropriate; and\n5. Any relevant attachments\n6. Report must not contain results from automated scanners\n\n#Out of Scope\n* Missing best practices in SSL/TLS configuration.\n* Clickjacking on pages with no sensitive actions.\n* Any activity that could lead to the disruption of our service (DoS).\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Reflected and DOM XSS (We are aware of these site-wide issues and are working to remedy them as soon as possible. These will be moved back into scope at a later time).\n* Reflected and DOM Based CSRF(We are aware of these site-wide issues and are working to remedy them as soon as possible. 
These will be moved back into scope at a later time).\n\n#In-Scope XSS \u0026 Improper Certificate Validation\n* XSS vulnerabilities that are combined with privilege escalation, credential stealing, session stealing, or file upload.\n* Improper wildcard certificates (ex: *.marriott.com) with proof-of-concept.\n\n# General Rules\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Absolutely no public disclosure of any information related to Marriott and its Vulnerability Disclosure Program.\n\n\n# What You Can Expect From Us\nWe take every Submission seriously and very much appreciate the efforts of security researchers, who regularly make valuable contributions to the security of companies like Marriott and the broader Internet community. We will investigate every Submission and strive to ensure that appropriate steps are taken to resolve reported vulnerabilities as quickly as possible.\n \nMarriott will use its best efforts to meet the following service level agreements (SLAs) for researchers participating in our program:\n\n• Time to first response (from report submit date) = 5 business days\n• Time to triage (from report submit date) = 10 business days\n• Resolution = Depends on complexity and severity\n\nResearchers will be kept informed about our progress throughout the process.\n\nThank you for helping to protect Marriott’s systems and customers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-02-03T17:22:40.195Z"}]