No technology is perfect and Flybuys believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. We are excited for you to participate as a security researcher to help us identify vulnerabilities in our web and mobile applications. Good luck, and happy hunting!

Ratings/Rewards

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Program Rules

  • Please provide detailed reports containing all necessary steps to reproduce the issue
  • Flybuys member/customer data is not to be accessed in any way
  • If you believe you have found sensitive customer or Flybuys data (e.g., login credentials, API keys, etc.) or a way to access customer data (i.e. through a vulnerability) report it, but do not attempt to successfully validate that it works and do not perform post-exploitation
  • You agree to securely delete any and all data obtained or collected
  • You make every effort not to damage or restrict the availability of products, services or infrastructure
  • Ordering a physical Flybuys card, redeeming points for rewards or processing payment using a payment gateway are out of scope
  • Denial of Service, Rate Limiting, and other automated attacks are not allowed

Out-of-Scope

Flybuys uses several third-party providers and services, some of which may operate on subdomains of flybuys.com.au; all of these are considered out of scope for this program. We cannot authorise testing against third-party systems, but we encourage you to contact those third parties directly if you discover an issue in their services.

If you believe Flybuys has misconfigured or is insecurely using a third-party service and can mitigate the issue by making changes to a Flybuys system, please report the issue.

The following activities are prohibited, and out of scope:

  • Performing denial-of-service, distributed denial-of-service (DoS and DDoS) or rate-limiting attacks
  • Ordering a physical Flybuys card, redeeming points for rewards or processing payment using a payment gateway
  • Using stolen or breached user credentials
  • Use of automated scanning tools or scripts
  • Any techniques which may impact the availability or usability of our services
  • Accessing, modifying, deleting or storing Flybuys or customer data
  • Conducting post-exploitation activities
  • Non-technical attacks, such as social engineering, phishing and attacks against social media
  • Third-party providers and vendors not operated by Flybuys
  • Submission forms, contact forms or sending emails to Flybuys
  • Configuration that is not directly exploitable, e.g. weak TLS ciphers, password policy, session expiration, certificate pinning, or security headers divulging software version information
