Hyatt launches bug bounty program

Hyatt Hotels has launched a bug bounty program via HackerOne, seeking to reward researchers who find vulnerabilities in its sites and apps. The new initiative is designed to allow Hyatt to “tap into the vast expertise of the security research community to accelerate identifying and fixing potential vulnerabilities.”

The hotel company's chief information security officer, Benjamin Vaughn, said the aim of setting up the bug bounty program was to further Hyatt's goal of keeping guests safe.

“As one of the first global hospitality brands to launch this type of program, we extend the ways we care for our guests and deepen our commitment to protecting their sensitive information,”  Vaughn said in a statement.

HackerOne develops bug bounty solutions to help organizations reduce the risk of a security incident by working with the world's largest community of ethical hackers. The ethical hackers can use the platform, as well as rival services such as Bugcrowd, to report vulnerabilities, security flaws, leaky servers and more before less well-intentioned individuals stumble across them, potentially leading to cyberattacks or data theft, reports ZDNet. 

The bug bounty program is public and includes the main hyatt.com domain, m.hyatt.com, world.hyatt.com, and both the iOS and Android Hyatt mobile apps.

Novel origin IP address discovery, authentication bypass, back-end system access via front-end services, container escapes, SQL injections, cross-site request forgery, WAF bypass, and cross-site scripting (XSS) bugs will all be considered for rewards, among other issues.  

Hyatt has chosen to use the Common Vulnerability Scoring Standard to evaluate the severity of security flaws found. Researchers who report valid, high-severity flaws can expect rewards of up to $4,000; important bugs will earn them $1,200 and less severe vulnerabilities are worth between $300 and $600.

In a Q&A with HackerOne, Vaughn said an invitation-only program was launched first, which may account for the $5,650 in bug bounty rewards that have already been issued. 

Back in 2015, 250 properties managed by Hyatt across a number of countries, including the U.S., UK, China, Germany, Japan, Italy, France, Russia and Canada, were subject to a cyberattack. Information-stealing malware was implanted on systems, leading to the exposure of customer financial data such as cardholder names, card numbers, expiration dates and internal verification codes.

A second data breach, in which 41 locations were affected and unauthorized access to payment card information was detected, occurred in 2017.

Other organizations that use HackerOne to tap into a vast pool of security researchers include Google, Twitter, the U.S. Department of Defense, GitHub and Qualcomm.