Hyatt launches bug bounty program

Nuix's latest Black Report offers insights straight from the mouths of hackers and penetration testers (Image xijian / iStockPhoto)
Ethical hackers can use HackerOne, as well as rival services such as Bugcrowd, to report vulnerabilities, security flaws, leaky servers and more. Photo credit: xijian/iStockPhoto

Hyatt Hotels has launched a bug bounty program via HackerOne, seeking to reward researchers who find vulnerabilities in its sites and apps. The new initiative is designed to allow Hyatt to “tap into the vast expertise of the security research community to accelerate identifying and fixing potential vulnerabilities.”

The hotel company's chief information security officer, Benjamin Vaughn, said the aim of setting up the bug bounty program was to further Hyatt's goal of keeping guests safe.

“As one of the first global hospitality brands to launch this type of program, we extend the ways we care for our guests and deepen our commitment to protecting their sensitive information,”  Vaughn said in a statement.

FREE HOTEL MANAGEMENT NEWSLETTER

Like this story? Subscribe to Technology!

Hospitality professionals turn to Technology as their go-to news source for the latest technology products and trends. Sign up today to get news and updates on security systems, in-room entertainment, and more delivered to your inbox and read on the go.

HackerOne develops bug bounty solutions to help organizations reduce the risk of a security incident by working with the world's largest community of ethical hackers. The ethical hackers can use the platform, as well as rival services such as Bugcrowd, to report vulnerabilities, security flaws, leaky servers and more before less well-intentioned individuals stumble across them, potentially leading to cyberattacks or data theft, reports ZDNet. 

The bug bounty program is public and includes the main hyatt.com domain, m.hyatt.com, world.hyatt.com, and both the iOS and Android Hyatt mobile apps.

Novel origin IP address discovery, authentication bypass, back-end system access via front-end services, container escapes, SQL injections, cross-site request forgery, WAF bypass, and cross-site scripting (XSS) bugs will all be considered for rewards, among other issues.  

Hyatt has chosen to use the Common Vulnerability Scoring Standard to evaluate the severity of security flaws found. Researchers who report valid, high-severity flaws can expect rewards of up to $4,000; important bugs will earn them $1,200 and less severe vulnerabilities are worth between $300 and $600.

In a Q&A with HackerOne, Vaughn said an invitation-only program was launched first, which may account for the $5,650 in bug bounty rewards that have already been issued. 

Back in 2015, 250 properties managed by Hyatt across a number of countries, including the U.S., UK, China, Germany, Japan, Italy, France, Russia and Canada, were subject to a cyberattack. Information-stealing malware was implanted on systems, leading to the exposure of customer financial data such as cardholder names, card numbers, expiration dates and internal verification codes.

A second data breach, in which 41 locations were affected and unauthorized access to payment card information was detected, occurred in 2017.

Other organizations that use HackerOne to tap into a vast pool of security researchers include Google, Twitter, the U.S. Department of Defense, GitHub and Qualcomm.

Suggested Articles

In its second day, the Hunter Hotel Investment Conference included discussions about the industry's financial future, employee culture and changes needed.

Queensgate Investments has completed the acquisition of four Grange properties that will now be operated by Fattal Hotel Group.

The Como Castello Del Nero is a repurposed 12th-century castle with 50 guestrooms, part of a historic estate in the Chianti wine region.