Hyatt expands public bug bounty program

In the first year of the public program, 619 hackers from across the globe participated in Hyatt’s bug bounty program. Photo credit: Hyatt Hotels Corp.

Hyatt Hotels Corp. celebrated the first anniversary of its public bug bounty program, which it runs in collaboration with HackerOne.

Hyatt began its hacker-powered security journey with HackerOne in 2018 with a private program, inviting a handful of hackers to discover and disclose vulnerabilities for a monetary award or bounty. Before launching the public program, Hyatt had already paid out more than $5,000 in bounties to 14 hackers. The public program was launched in 2019.
In the first year of the public program, 619 hackers from across the globe, including India, United States, Egypt, Russia, Turkey, Pakistan, France, Canada and China, participated in the bug bounty and helped the security team discover and resolve bugs that may not have been uncovered by other security testing methods.
Through the public bug bounty program, hackers have been awarded more than $175,000 for disclosing valid vulnerabilities on,, and the iOS and Android Hyatt mobile apps that were safely resolved by Hyatt’s digital and technology teams. The top bounty awarded during this period was $6,000 for a critical vulnerability, while the average bounty amount was $881.
“Hyatt’s purpose of care informs all business decisions, and developing a best-in-class cyber security program in order to protect guest, colleague and customer information is one way we are delivering on our purpose,” Benjamin Vaughn, Hyatt's chief information security officer, said in a statement. “We believe there is immense value in having a bug bounty program as part of our cybersecurity strategy, and we encourage all companies, not just those in the hospitality industry, to take a similar approach and consider bug bounty as a proactive security initiative.”
On average, Hyatt’s digital and technology teams take less than 20 days to properly triage and resolve valid bug reports from hackers, well ahead of industry standards. Hyatt’s listening-based approach to business also extends into the hacker community, with the team continually asking for hacker feedback through surveys and promotions to engage the community.
“The collaboration with HackerOne has bolstered our cybersecurity posture and has become an integral part of our strategy,” said Robert Lowery, Hyatt's vulnerability management analyst and bug bounty program manager. “HackerOne’s process enables us to efficiently address vulnerability reports as they come in and HackerOne's hacker-powered retesting allows us to work more closely with the community so that remediation can be validated faster and more accurately.”
As the public bug bounty program moves into year two, Hyatt has widened the scope of the program as well as increased the bounty payments. This month, Hyatt expanded the program to include all internet-facing assets in its data centers and announced an increase in bounty payments, with critical severity bugs increasing 33 percent and high severity bugs increasing 50 percent.