Hyatt launches bug bounty program

Ethical hackers can use HackerOne, as well as rival services such as Bugcrowd, to report vulnerabilities, security flaws, leaky servers and more. Photo credit: xijian/iStockPhoto

Hyatt Hotels has launched a bug bounty program via HackerOne, seeking to reward researchers who find vulnerabilities in its sites and apps. The new initiative is designed to allow Hyatt to “tap into the vast expertise of the security research community to accelerate identifying and fixing potential vulnerabilities.”

The hotel company's chief information security officer, Benjamin Vaughn, said the aim of setting up the bug bounty program was to further Hyatt's goal of keeping guests safe.

“As one of the first global hospitality brands to launch this type of program, we extend the ways we care for our guests and deepen our commitment to protecting their sensitive information,” Vaughn said in a statement.

HackerOne develops bug bounty solutions to help organizations reduce the risk of a security incident by working with the world's largest community of ethical hackers. The ethical hackers can use the platform, as well as rival services such as Bugcrowd, to report vulnerabilities, security flaws, leaky servers and more before less well-intentioned individuals stumble across them, potentially leading to cyberattacks or data theft, reports ZDNet. 

The bug bounty program is public and includes the main hyatt.com domain, m.hyatt.com, world.hyatt.com, and both the iOS and Android Hyatt mobile apps.

Novel origin IP address discovery, authentication bypass, back-end system access via front-end services, container escapes, SQL injections, cross-site request forgery, WAF bypass, and cross-site scripting (XSS) bugs will all be considered for rewards, among other issues.  

Hyatt has chosen to use the Common Vulnerability Scoring Standard to evaluate the severity of security flaws found. Researchers who report valid, high-severity flaws can expect rewards of up to $4,000; important bugs will earn them $1,200 and less severe vulnerabilities are worth between $300 and $600.

In a Q&A with HackerOne, Vaughn said an invitation-only program was launched first, which may account for the $5,650 in bug bounty rewards that have already been issued. 

Back in 2015, 250 properties managed by Hyatt across a number of countries, including the U.S., UK, China, Germany, Japan, Italy, France, Russia and Canada, were subject to a cyberattack. Information-stealing malware was implanted on systems, leading to the exposure of customer financial data such as cardholder names, card numbers, expiration dates and internal verification codes.

A second data breach, in which 41 locations were affected and unauthorized access to payment card information was detected, occurred in 2017.

Other organizations that use HackerOne to tap into a vast pool of security researchers include Google, Twitter, the U.S. Department of Defense, GitHub and Qualcomm.
