The travel search website Skyscanner announced a public bug bounty program that will pay up to $2,000 per vulnerability.
Skyscanner has been running a private bug bounty program that according to the company allowed it to discover and address over 200 flaws in its systems. Now Skyscanner is opening the bug bounty program to the public.
“For the past few years,
“We invite researchers to test the Skyscanner website and mobile apps in line with the process and principles set out in this brief.”
The bug bounty program covers the official skyscanner.net website, regional domains, the gateway.skyscanner.net API, both the iOS and Android apps, and the partnerportal.skyscanner.net website.
The company will pay for vulnerabilities affecting the profile, booking and partner portal sections.
Participants to the bug bounty program cannot access or modify travelers’ data, without explicit prior permission of the owner.
“Only interact with your own accounts or provided test accounts for security research purposes.” continues the announcement.
Researchers risk a 10% penalty if their submission is valid, but the rules haven’t been followed, Skyscanner said.
Skyscanner will pay up rewards up to $1,500/$2,000 per vulnerability such as security misconfigurations, server-side injection issues, broken authentication issues, sensitive data exposure, and cryptography-related bugs.
“It is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact.” Skyscanner added. “In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher – along with the opportunity to appeal, and make a case for a higher priority,”